Bug 29900

Summary: libreswan new security issue CVE-2022-23094
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, davidwhodgins, herman.viaene, smelror, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: libreswan-4.5-1.mga9.src.rpm CVE:
Status comment:

Description David Walser 2022-01-17 17:48:06 CET 
Debian has issued an advisory on January 15:
https://www.debian.org/security/2022/dsa-5048

The issue is fixed upstream in 4.6:
https://libreswan.org/security/CVE-2022-23094/CVE-2022-23094.txt

Mageia 8 is also affected.
David Walser 2022-01-17 17:48:19 CET

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 4.6

Comment 1 Lewis Smith 2022-01-17 19:31:34 CET 
This is good for assigning to the active maintainer, Stig

Assignee: bugsquad => smelror

Comment 2 Stig-Ørjan Smelror 2022-01-17 22:59:59 CET 
Advisory
========

Libreswan 4.2 through 4.5 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted IKEv1 packet because pluto/ikev1.c wrongly expects that a state object exists.

References
==========

https://nvd.nist.gov/vuln/detail/CVE-2022-23094
https://libreswan.org/security/CVE-2022-23094/CVE-2022-23094.txt
https://www.debian.org/security/2022/dsa-5048

Files
=====

Uploaded to core/updates_testing

libreswan-4.6-1.mga8

from libreswan-4.6-1.mga8.src.rpm

Version: Cauldron => 8
Assignee: smelror => qa-bugs
Whiteboard: MGA8TOO => (none)

David Walser 2022-01-18 00:00:16 CET

CC: (none) => smelror
Status comment: Fixed upstream in 4.6 => (none)

Comment 3 David Walser 2022-01-18 05:14:44 CET 
Update rejected by build system, looks like a build system problem.

Version: 8 => Cauldron
CC: (none) => sysadmin-bugs
Whiteboard: (none) => MGA8TOO
Assignee: qa-bugs => smelror

Comment 4 Thomas Backlund 2022-01-18 07:43:06 CET 
And packaging error:

- libreswan-4.6-1.mga8.i586:
 - non-ghost-in-run /run/pluto


permission issues fixed on buildsystem
Comment 5 Thomas Backlund 2022-01-18 12:33:59 CET 
And I see another thing that dos not look right...

http://svnweb.mageia.org/packages?view=revision&revision=1768884

Here you removed the use of tmpfiles, which means /run/pluto wont be available after install or reboot of system...
Comment 6 Stig-Ørjan Smelror 2022-01-18 13:23:53 CET 
Thanks for spotting that, Thomas.

Fixed in 4.6-3.

Also thanks to Thierry for spotting a wrong requires.

Will update the advisory soon.
Comment 7 Stig-Ørjan Smelror 2022-01-18 13:29:57 CET 
Advisory
========

Libreswan 4.2 through 4.5 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted IKEv1 packet because pluto/ikev1.c wrongly expects that a state object exists.

References
==========

https://nvd.nist.gov/vuln/detail/CVE-2022-23094
https://libreswan.org/security/CVE-2022-23094/CVE-2022-23094.txt
https://www.debian.org/security/2022/dsa-5048

Files
=====

Uploaded to core/updates_testing

libreswan-4.6-2.mga8

from libreswan-4.6-2.mga8.src.rpm

Assignee: smelror => qa-bugs
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8

Comment 8 Stig-Ørjan Smelror 2022-01-18 14:02:41 CET 
Advisory
========

Libreswan 4.2 through 4.5 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted IKEv1 packet because pluto/ikev1.c wrongly expects that a state object exists.

References
==========

https://nvd.nist.gov/vuln/detail/CVE-2022-23094
https://libreswan.org/security/CVE-2022-23094/CVE-2022-23094.txt
https://www.debian.org/security/2022/dsa-5048

Files
=====

Uploaded to core/updates_testing

libreswan-4.6-3.mga8

from libreswan-4.6-3.mga8.src.rpm
Comment 9 Dave Hodgins 2022-01-18 21:59:19 CET 
A requested package cannot be installed:
libreswan-4.6-3.mga8.x86_64 (due to unsatisfied unbound-libs[>= 1.6.6])

Keywords: (none) => feedback
CC: (none) => davidwhodgins

Comment 10 David Walser 2022-01-18 23:22:21 CET 
Indeed, we don't hardcode library requires, as those are autogenerated.  Not all Fedora packagers have figured that out yet, so be careful copying from them.
Comment 11 Stig-Ørjan Smelror 2022-01-19 10:56:37 CET 
Advisory
========

Libreswan 4.2 through 4.5 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted IKEv1 packet because pluto/ikev1.c wrongly expects that a state object exists.

References
==========

https://nvd.nist.gov/vuln/detail/CVE-2022-23094
https://libreswan.org/security/CVE-2022-23094/CVE-2022-23094.txt
https://www.debian.org/security/2022/dsa-5048

Files
=====

Uploaded to core/updates_testing

libreswan-4.6-4.mga8

from libreswan-4.6-4.mga8.src.rpm
Dave Hodgins 2022-01-19 17:11:09 CET

Keywords: feedback => (none)

Comment 12 Herman Viaene 2022-01-24 16:00:57 CET 
MGA8-64 Plasma on Lenovo B50 in Dutch
No installation issues.
Ref bug 25065, no ill effects on my own LAN with own DNS server and NFS-shares.
OK for me.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK

Comment 13 Thomas Andrews 2022-01-24 21:02:56 CET 
Validating. Advisory in Comment 11.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm

Dave Hodgins 2022-01-24 23:05:03 CET

Keywords: (none) => advisory

Comment 14 Mageia Robot 2022-01-25 13:14:22 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0030.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED