Mageia Bugzilla – Attachment 2653 Details for
Bug 7095
openswan missing update for several security issues
[patch]
openswan-cve-2010-3302-3308.patch
openswan-cve-2010-3302-3308.patch (text/plain), 9.50 KB, created by
David Walser
on 2012-08-17 19:52:20 CEST
Description:
openswan-cve-2010-3302-3308.patch
Filename:
MIME Type:
Creator:
David Walser
Created:
2012-08-17 19:52:20 CEST
Size:
9.50 KB
>diff -urNp openswan-2.6.24-cvs-patched/programs/pluto/connections.c openswan-2.6.24-cvs-patched-modified/programs/pluto/connections.c
>--- openswan-2.6.24-cvs-patched/programs/pluto/connections.c 2010-06-30 01:25:34.889402721 -0400
>+++ openswan-2.6.24-cvs-patched-modified/programs/pluto/connections.c 2010-09-17 12:34:39.242124376 -0400
>@@ -318,6 +318,11 @@ delete_connection(struct connection *c,
> set_debugging(old_cur_debugging);
> #endif
> pfreeany(c->name);
>+#ifdef XAUTH
>+ pfreeany(c->cisco_dns_info);
>+ pfreeany(c->cisco_domain_info);
>+ pfreeany(c->cisco_banner);
>+#endif
> #ifdef DYNAMICDNS
> pfreeany(c->dnshostname);
> #endif /* DYNAMICDNS */
>@@ -756,6 +761,12 @@ unshare_connection_strings(struct connec
>
> c->name = clone_str(c->name, "connection name");
>
>+#ifdef XAUTH
>+ c->cisco_dns_info = clone_str(c->cisco_dns_info, "connection cisco_dns_info");
>+ c->cisco_domain_info = clone_str(c->cisco_domain_info, "connection cisco_domain_info");
>+ c->cisco_banner = clone_str(c->cisco_banner, "connection cisco_banner");
>+#endif
>+
> #ifdef DYNAMICDNS
> c->dnshostname = clone_str(c->dnshostname, "connection dnshostname");
> #endif /* DYNAMICDNS */
>@@ -1186,7 +1197,13 @@ add_connection(const struct whack_messag
> c->name = wm->name;
> c->connalias = wm->connalias;
>
>+#ifdef XAUTH
>+ c->cisco_dns_info = NULL;
>+ c->cisco_domain_info = NULL;
>+ c->cisco_banner = NULL;
>+#endif
> #ifdef DYNAMICDNS
>+ c->dnshostname = NULL;
> if (wm->dnshostname)
> c->dnshostname = wm->dnshostname;
> #endif /* DYNAMICDNS */
>@@ -1291,11 +1308,6 @@ add_connection(const struct whack_messag
>
> /* Cisco interop: remote peer type */
> c->remotepeertype=wm->remotepeertype;
>- /* Initializing Cisco dns and domain info */
>- if (c->remotepeertype == CISCO) {
>- c->cisco_dns_info[0] ='\0';
>- c->cisco_domain_info[0] ='\0';
>- }
>
> /* Network Manager support */
> c->nmconfigured=wm->nmconfigured;
>diff -urNp openswan-2.6.24-cvs-patched/programs/pluto/connections.h openswan-2.6.24-cvs-patched-modified/programs/pluto/connections.h
>--- openswan-2.6.24-cvs-patched/programs/pluto/connections.h 2010-06-30 01:25:34.890401460 -0400
>+++ openswan-2.6.24-cvs-patched-modified/programs/pluto/connections.h 2010-09-17 12:34:58.396374553 -0400
>@@ -257,15 +257,17 @@ struct connection {
> #ifdef DYNAMICDNS
> char *dnshostname;
> #endif /* DYNAMICDNS */
>+#ifdef XAUTH
> #ifdef MODECFG
> ip_address modecfg_dns1;
> ip_address modecfg_dns2;
> ip_address modecfg_wins1;
> ip_address modecfg_wins2;
> #endif
>- char cisco_dns_info[50];
>- char cisco_domain_info[50];
>- char server_banner[500];
>+ char *cisco_dns_info;
>+ char *cisco_domain_info;
>+ char *cisco_banner;
>+#endif /* XAUTH */
> u_int8_t metric; /* metric for tunnel routes */
> #ifdef HAVE_STATSD
> u_int32_t statsval; /* track what we have told statsd */
>diff -urNp openswan-2.6.24-cvs-patched/programs/pluto/kernel.c openswan-2.6.24-cvs-patched-modified/programs/pluto/kernel.c
>--- openswan-2.6.24-cvs-patched/programs/pluto/kernel.c 2010-06-18 15:37:42.557140786 -0400
>+++ openswan-2.6.24-cvs-patched-modified/programs/pluto/kernel.c 2010-09-17 12:43:36.661374023 -0400
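Review bot: In the connections.h hunk the new `#ifdef XAUTH` opens above the existing `#ifdef MODECFG` block in struct connection, so modecfg_dns1, modecfg_dns2, modecfg_wins1 and modecfg_wins2 are now compiled only when both macros are defined. If any build sets MODECFG without XAUTH (not visible in this patch), code that still references those members under MODECFG alone would stop compiling; moving `#ifdef XAUTH` to just above `char *cisco_dns_info;` keeps the old condition for them. The three pointers also deserve a comment such as `/* heap strings owned by the connection, NULL until set; freed in delete_connection() */`, because the switch from arrays to pointers puts ownership on every path that copies or frees the struct.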
>@@ -410,12 +410,16 @@ fmt_common_shell_out(char *buf, int blen
> "PLUTO_STACK='%s' "
> "%s " /* possible metric */
> "PLUTO_CONN_POLICY='%s' "
>- "%s " /* XAUTH username */
>- "%s " /* PLUTO_MY_SRCIP */
>+#ifdef XAUTH
>+ "%s " /* XAUTH username - if any */
>+#endif
>+ "%s " /* PLUTO_MY_SRCIP - if any */
>+#ifdef XAUTH
> "PLUTO_CISCO_DNS_INFO='%s' "
> "PLUTO_CISCO_DOMAIN_INFO='%s' "
>- "PLUTO_NM_CONFIGURED='%u' "
> "PLUTO_SERVERBANNER='%s' "
>+#endif
>+ "PLUTO_NM_CONFIGURED='%u' "
> , c->name
> , c->interface->ip_dev->id_vname
> , nexthop_str
>@@ -437,12 +441,16 @@ fmt_common_shell_out(char *buf, int blen
> , kernel_ops->kern_name
> , metric_str
> , prettypolicy(c->policy)
>+#ifdef XAUTH
> , secure_xauth_username_str
>+#endif
> , srcip_str
>+#ifdef XAUTH
> , c->cisco_dns_info
> , c->cisco_domain_info
>- , c->nmconfigured
>- , c->server_banner);
>+ , c->cisco_banner
>+#endif
>+ , c->nmconfigured);
> /*
> * works for both old and new way of snprintf() returning
> * eiter -1 or the output length -- by Carsten Schlote
>diff -urNp openswan-2.6.24-cvs-patched/programs/pluto/xauth.c openswan-2.6.24-cvs-patched-modified/programs/pluto/xauth.c
>--- openswan-2.6.24-cvs-patched/programs/pluto/xauth.c 2010-06-18 15:37:42.560143764 -0400
>+++ openswan-2.6.24-cvs-patched-modified/programs/pluto/xauth.c 2010-09-17 12:37:51.915373770 -0400
>@@ -39,6 +39,8 @@
> #include <openswan.h>
> #include <openswan/ipsec_policy.h>
>
>+#include "oswalloc.h"
>+
> #include "sysdep.h"
> #include "oswconf.h"
> #include "constants.h"
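Review bot: In the argument list of the second kernel.c hunk, `c->cisco_dns_info`, `c->cisco_domain_info` and `c->cisco_banner` are passed to `%s` unguarded, but after this patch they are pointers that add_connection() sets to NULL and that stay NULL until a mode-config reply fills them. Passing NULL to `%s` is undefined behaviour; where the C library tolerates it, the updown environment would typically receive a placeholder string instead of an empty value. Each argument should be guarded, e.g. `, c->cisco_dns_info ? c->cisco_dns_info : ""`, and likewise for the other two. fmt_common_shell_out() begins and ends outside both hunks, so the formatting call itself is not visible here.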
>@@ -1624,6 +1626,39 @@ modecfg_inI2(struct msg_digest *md)
> return STF_OK;
> }
>
>+/* Auxillary function for modecfg_inR1() */
>+static char *
>+cisco_stringify(pb_stream *pbs, const char *attr_name)
>+{
>+ char strbuf[500]; /* Cisco maximum unknown - arbitrary choice */
>+ size_t len = pbs_left(pbs);
>+
>+ if (len > sizeof(strbuf)-1)
>+ len = sizeof(strbuf)-1;
>+
>+ memcpy(strbuf, pbs->cur, len);
>+ strbuf[len] = '\0';
>+ /* ' is poison to the way this string will be used
>+ * in system() and hence shell. Remove any.
>+ */
>+ {
>+ char *s = strbuf;
>+
>+ for (;;)
>+ {
>+ s = strchr(s, '\'');
>+ if (s == NULL)
>+ break;
>+ *s = '?';
>+ }
>+ }
>+ (void)sanitize_string(strbuf, sizeof(strbuf));
>+ DBG(DBG_CONTROL, DBG_log("Received Cisco %s: %s", attr_name, strbuf));
>+ return clone_str(strbuf, attr_name);
>+}
>+
>+
>+
> /** STATE_MODE_CFG_R1:
> * HDR*, HASH, ATTR(SET=IP) --> HDR*, HASH, ATTR(ACK,OK)
> *
>@@ -1637,7 +1672,6 @@ modecfg_inR1(struct msg_digest *md)
> pb_stream *attrs = &md->chain[ISAKMP_NEXT_ATTR]->pbs;
> int resp = LEMPTY;
> struct payload_digest *p;
>- bool first_dns_flag = TRUE;
>
> DBG(DBG_CONTROL, DBG_log("modecfg_inR1"));
> openswan_log("received mode cfg reply");
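Review bot: cisco_stringify() replaces `'` before it calls sanitize_string(), so the promise that the result stays inside the single-quoted `PLUTO_...='%s'` assignments built in kernel.c depends on sanitize_string() never emitting a quote, and its body is not visible here. Running the replacement loop after sanitize_string() would make that guarantee local to this function. The header comment should also state the contract, for example `/* returns a heap copy (caller frees) of at most 499 bytes of the attribute, with ' replaced by ?; safe only inside single quotes */`. A log line when `len` is clamped would make truncated banners and domains visible to operators.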
>@@ -1789,14 +1823,31 @@ modecfg_inR1(struct msg_digest *md)
> addrtot(&a, 0, caddr, sizeof(caddr));
> openswan_log("Received DNS %s, len=%d", caddr, strlen(caddr));
>
>- if (first_dns_flag) {
>- strcpy(st->st_connection->cisco_dns_info, caddr);
>- first_dns_flag = 0;
>- }
>- else {
>- strcat(st->st_connection->cisco_dns_info, " ");
>- strcat(st->st_connection->cisco_dns_info, caddr);
>- }
>+
>+ {
>+ struct connection *c = st->st_connection;
>+ char *old = c->cisco_dns_info;
>+
>+ if (old == NULL)
>+ {
>+ c->cisco_dns_info = clone_str(caddr, "cisco_dns_info");
>+ }
>+ else
>+ {
>+ /* concatenate new IP address string on end of
>+ * existing string, separated by ' '.
>+ */
>+ size_t sz_old = strlen(old);
>+ size_t sz_added = strlen(caddr) + 1;
>+ char *new = alloc_bytes(sz_old + 1 + sz_added, "cisco_dns_info+");
>+
>+ memcpy(new, old, sz_old);
>+ *(new + sz_old) =' ';
>+ memcpy(new + sz_old + 1, caddr, sz_added);
>+ c->cisco_dns_info = new;
>+ pfree(old);
>+ }
>+ }
>
> DBG_log("Cisco DNS info: %s, len=%d", st->st_connection->cisco_dns_info, strlen(st->st_connection->cisco_dns_info));
> }
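Review bot: With `first_dns_flag` removed in the preceding hunk, nothing visible resets `c->cisco_dns_info` at the start of a mode-config reply, so the `old != NULL` branch also runs for the first DNS attribute of any later reply on the same connection. The list would then keep growing with stale or duplicate addresses across repeated replies, and the string is later formatted into the length-limited buffer of fmt_common_shell_out(). Unless the field is cleared somewhere outside this patch, add `pfreeany(st->st_connection->cisco_dns_info); st->st_connection->cisco_dns_info = NULL;` before the attribute loop of modecfg_inR1(), whose body starts and ends outside this hunk. The local named `new` is legal C but is worth renaming (for instance `joined`) for readers and tools that treat it as a keyword.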
>@@ -1810,27 +1861,14 @@ modecfg_inR1(struct msg_digest *md)
> break;
>
> case CISCO_BANNER:
>- {
>- DBG_dump("Received cisco banner: ", strattr.cur, pbs_left(&strattr));
>- strncpy(st->st_connection->server_banner, strattr.cur, pbs_left(&strattr));
>- st->st_connection->server_banner[pbs_left(&strattr)]='\0';
>- DBG_log("Cisco banner: %s", st->st_connection->server_banner);
>- resp |= LELEM(attr.isaat_af_type);
>- }
>- break;
>+ st->st_connection->cisco_banner = cisco_stringify(&strattr,"Cisco Banner");
>+ resp |= LELEM(attr.isaat_af_type);
>+ break;
>
> case CISCO_DEF_DOMAIN:
>- {
>- char tmp[50];
>- DBG_dump("Received cisco def domain: ", strattr.cur, pbs_left(&strattr));
>- strncpy(tmp, strattr.cur, pbs_left(&strattr));
>- tmp[pbs_left(&strattr)]='\0';
>- DBG_log("Cisco defined domain: %s", tmp);
>- strcpy(st->st_connection->cisco_domain_info, tmp);
>- DBG_log("Cisco defined domain: %s", st->st_connection->cisco_domain_info);
>- resp |= LELEM(attr.isaat_af_type);
>- }
>- break;
>+ st->st_connection->cisco_domain_info = cisco_stringify(&strattr,"Cisco Domain");
>+ resp |= LELEM(attr.isaat_af_type);
>+ break;
>
> case CISCO_SPLIT_INC:
> {
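Review bot: Both new assignments overwrite the previous pointer without releasing it: `cisco_banner` and `cisco_domain_info` now hold heap strings from clone_str(), and the only free visible in this patch is in delete_connection(). A reply that carries the attribute more than once, or a later reply on the same connection, therefore leaks up to 500 bytes per occurrence, and the remote gateway decides how often that happens. Release the old value first, e.g. `pfreeany(st->st_connection->cisco_banner);` before the CISCO_BANNER assignment and `pfreeany(st->st_connection->cisco_domain_info);` before the CISCO_DEF_DOMAIN one. The switch and modecfg_inR1() continue outside the hunk.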
diff -urNp openswan-2.6.24-cvs-patched/programs/pluto/connections.c openswan-2.6.24-cvs-patched-modified/programs/pluto/connections.c --- openswan-2.6.24-cvs-patched/programs/pluto/connections.c 2010-06-30 01:25:34.889402721 -0400 +++ openswan-2.6.24-cvs-patched-modified/programs/pluto/connections.c 2010-09-17 12:34:39.242124376 -0400 @@ -318,6 +318,11 @@ delete_connection(struct connection *c, set_debugging(old_cur_debugging); #endif pfreeany(c->name); +#ifdef XAUTH + pfreeany(c->cisco_dns_info); + pfreeany(c->cisco_domain_info); + pfreeany(c->cisco_banner); +#endif #ifdef DYNAMICDNS pfreeany(c->dnshostname); #endif /* DYNAMICDNS */ @@ -756,6 +761,12 @@ unshare_connection_strings(struct connec c->name = clone_str(c->name, "connection name"); +#ifdef XAUTH + c->cisco_dns_info = clone_str(c->cisco_dns_info, "connection cisco_dns_info"); + c->cisco_domain_info = clone_str(c->cisco_domain_info, "connection cisco_domain_info"); + c->cisco_banner = clone_str(c->cisco_banner, "connection cisco_banner"); +#endif + #ifdef DYNAMICDNS c->dnshostname = clone_str(c->dnshostname, "connection dnshostname"); #endif /* DYNAMICDNS */ @@ -1186,7 +1197,13 @@ add_connection(const struct whack_messag c->name = wm->name; c->connalias = wm->connalias; +#ifdef XAUTH + c->cisco_dns_info = NULL; + c->cisco_domain_info = NULL; + c->cisco_banner = NULL; +#endif #ifdef DYNAMICDNS + c->dnshostname = NULL; if (wm->dnshostname) c->dnshostname = wm->dnshostname; #endif /* DYNAMICDNS */ 
@@ -1291,11 +1308,6 @@ add_connection(const struct whack_messag /* Cisco interop: remote peer type */ c->remotepeertype=wm->remotepeertype; - /* Initializing Cisco dns and domain info */ - if (c->remotepeertype == CISCO) { - c->cisco_dns_info[0] ='\0'; - c->cisco_domain_info[0] ='\0'; - } /* Network Manager support */ c->nmconfigured=wm->nmconfigured; diff -urNp openswan-2.6.24-cvs-patched/programs/pluto/connections.h openswan-2.6.24-cvs-patched-modified/programs/pluto/connections.h --- openswan-2.6.24-cvs-patched/programs/pluto/connections.h 2010-06-30 01:25:34.890401460 -0400 +++ openswan-2.6.24-cvs-patched-modified/programs/pluto/connections.h 2010-09-17 12:34:58.396374553 -0400 @@ -257,15 +257,17 @@ struct connection { #ifdef DYNAMICDNS char *dnshostname; #endif /* DYNAMICDNS */ +#ifdef XAUTH #ifdef MODECFG ip_address modecfg_dns1; ip_address modecfg_dns2; ip_address modecfg_wins1; ip_address modecfg_wins2; #endif - char cisco_dns_info[50]; - char cisco_domain_info[50]; - char server_banner[500]; + char *cisco_dns_info; + char *cisco_domain_info; + char *cisco_banner; +#endif /* XAUTH */ u_int8_t metric; /* metric for tunnel routes */ #ifdef HAVE_STATSD u_int32_t statsval; /* track what we have told statsd */ diff -urNp openswan-2.6.24-cvs-patched/programs/pluto/kernel.c openswan-2.6.24-cvs-patched-modified/programs/pluto/kernel.c --- openswan-2.6.24-cvs-patched/programs/pluto/kernel.c 2010-06-18 15:37:42.557140786 -0400 +++ openswan-2.6.24-cvs-patched-modified/programs/pluto/kernel.c 2010-09-17 12:43:36.661374023 -0400 
@@ -410,12 +410,16 @@ fmt_common_shell_out(char *buf, int blen "PLUTO_STACK='%s' " "%s " /* possible metric */ "PLUTO_CONN_POLICY='%s' " - "%s " /* XAUTH username */ - "%s " /* PLUTO_MY_SRCIP */ +#ifdef XAUTH + "%s " /* XAUTH username - if any */ +#endif + "%s " /* PLUTO_MY_SRCIP - if any */ +#ifdef XAUTH "PLUTO_CISCO_DNS_INFO='%s' " "PLUTO_CISCO_DOMAIN_INFO='%s' " - "PLUTO_NM_CONFIGURED='%u' " "PLUTO_SERVERBANNER='%s' " +#endif + "PLUTO_NM_CONFIGURED='%u' " , c->name , c->interface->ip_dev->id_vname , nexthop_str @@ -437,12 +441,16 @@ fmt_common_shell_out(char *buf, int blen , kernel_ops->kern_name , metric_str , prettypolicy(c->policy) +#ifdef XAUTH , secure_xauth_username_str +#endif , srcip_str +#ifdef XAUTH , c->cisco_dns_info , c->cisco_domain_info - , c->nmconfigured - , c->server_banner); + , c->cisco_banner +#endif + , c->nmconfigured); /* * works for both old and new way of snprintf() returning * eiter -1 or the output length -- by Carsten Schlote diff -urNp openswan-2.6.24-cvs-patched/programs/pluto/xauth.c openswan-2.6.24-cvs-patched-modified/programs/pluto/xauth.c --- openswan-2.6.24-cvs-patched/programs/pluto/xauth.c 2010-06-18 15:37:42.560143764 -0400 +++ openswan-2.6.24-cvs-patched-modified/programs/pluto/xauth.c 2010-09-17 12:37:51.915373770 -0400 @@ -39,6 +39,8 @@ #include <openswan.h> #include <openswan/ipsec_policy.h> +#include "oswalloc.h" + #include "sysdep.h" #include "oswconf.h" #include "constants.h" 
@@ -1624,6 +1626,39 @@ modecfg_inI2(struct msg_digest *md) return STF_OK; } +/* Auxillary function for modecfg_inR1() */ +static char * +cisco_stringify(pb_stream *pbs, const char *attr_name) +{ + char strbuf[500]; /* Cisco maximum unknown - arbitrary choice */ + size_t len = pbs_left(pbs); + + if (len > sizeof(strbuf)-1) + len = sizeof(strbuf)-1; + + memcpy(strbuf, pbs->cur, len); + strbuf[len] = '\0'; + /* ' is poison to the way this string will be used + * in system() and hence shell. Remove any. + */ + { + char *s = strbuf; + + for (;;) + { + s = strchr(s, '\''); + if (s == NULL) + break; + *s = '?'; + } + } + (void)sanitize_string(strbuf, sizeof(strbuf)); + DBG(DBG_CONTROL, DBG_log("Received Cisco %s: %s", attr_name, strbuf)); + return clone_str(strbuf, attr_name); +} + + + /** STATE_MODE_CFG_R1: * HDR*, HASH, ATTR(SET=IP) --> HDR*, HASH, ATTR(ACK,OK) * @@ -1637,7 +1672,6 @@ modecfg_inR1(struct msg_digest *md) pb_stream *attrs = &md->chain[ISAKMP_NEXT_ATTR]->pbs; int resp = LEMPTY; struct payload_digest *p; - bool first_dns_flag = TRUE; DBG(DBG_CONTROL, DBG_log("modecfg_inR1")); openswan_log("received mode cfg reply"); 
@@ -1789,14 +1823,31 @@ modecfg_inR1(struct msg_digest *md) addrtot(&a, 0, caddr, sizeof(caddr)); openswan_log("Received DNS %s, len=%d", caddr, strlen(caddr)); - if (first_dns_flag) { - strcpy(st->st_connection->cisco_dns_info, caddr); - first_dns_flag = 0; - } - else { - strcat(st->st_connection->cisco_dns_info, " "); - strcat(st->st_connection->cisco_dns_info, caddr); - } + + { + struct connection *c = st->st_connection; + char *old = c->cisco_dns_info; + + if (old == NULL) + { + c->cisco_dns_info = clone_str(caddr, "cisco_dns_info"); + } + else + { + /* concatenate new IP address string on end of + * existing string, separated by ' '. + */ + size_t sz_old = strlen(old); + size_t sz_added = strlen(caddr) + 1; + char *new = alloc_bytes(sz_old + 1 + sz_added, "cisco_dns_info+"); + + memcpy(new, old, sz_old); + *(new + sz_old) =' '; + memcpy(new + sz_old + 1, caddr, sz_added); + c->cisco_dns_info = new; + pfree(old); + } + } DBG_log("Cisco DNS info: %s, len=%d", st->st_connection->cisco_dns_info, strlen(st->st_connection->cisco_dns_info)); } 
@@ -1810,27 +1861,14 @@ modecfg_inR1(struct msg_digest *md) break; case CISCO_BANNER: - { - DBG_dump("Received cisco banner: ", strattr.cur, pbs_left(&strattr)); - strncpy(st->st_connection->server_banner, strattr.cur, pbs_left(&strattr)); - st->st_connection->server_banner[pbs_left(&strattr)]='\0'; - DBG_log("Cisco banner: %s", st->st_connection->server_banner); - resp |= LELEM(attr.isaat_af_type); - } - break; + st->st_connection->cisco_banner = cisco_stringify(&strattr,"Cisco Banner"); + resp |= LELEM(attr.isaat_af_type); + break; case CISCO_DEF_DOMAIN: - { - char tmp[50]; - DBG_dump("Received cisco def domain: ", strattr.cur, pbs_left(&strattr)); - strncpy(tmp, strattr.cur, pbs_left(&strattr)); - tmp[pbs_left(&strattr)]='\0'; - DBG_log("Cisco defined domain: %s", tmp); - strcpy(st->st_connection->cisco_domain_info, tmp); - DBG_log("Cisco defined domain: %s", st->st_connection->cisco_domain_info); - resp |= LELEM(attr.isaat_af_type); - } - break; + st->st_connection->cisco_domain_info = cisco_stringify(&strattr,"Cisco Domain"); + resp |= LELEM(attr.isaat_af_type); + break; case CISCO_SPLIT_INC: {
Attachments on
bug 7095
: 2653 |
2654