rpms/openswan/F-10 openswan-2.6-initscript-correction.patch, NONE, 1.1 openswan-2.6.22-CVE-2009-2185.patch, NONE, 1.1 openswan-2.6.22-selinux.patch, NONE, 1.1 .cvsignore, 1.26, 1.27 openswan.spec, 1.73, 1.74 sources, 1.25, 1.26 openswan-2.6-noxmlto.patch, 1.1, NONE openswan-2.6-selinux.patch, 1.1, NONE openswan-2.6.16-initscript-correction.patch, 1.1, NONE openswan-2.6.21-CVE-2009-2185.patch, 1.1, NONE
avesh agarwal
avesh at fedoraproject.org
Thu Sep 10 17:01:38 UTC 2009
Author: avesh
Update of /cvs/pkgs/rpms/openswan/F-10
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv16702
Modified Files:
.cvsignore openswan.spec sources
Added Files:
openswan-2.6-initscript-correction.patch
openswan-2.6.22-CVE-2009-2185.patch
openswan-2.6.22-selinux.patch
Removed Files:
openswan-2.6-noxmlto.patch openswan-2.6-selinux.patch
openswan-2.6.16-initscript-correction.patch
openswan-2.6.21-CVE-2009-2185.patch
Log Message:
* Thu Sep 10 2009 Avesh Agarwal <avagarwa at redhat.com> - 2.6.22-1
- New upstream release
- Openswan ASN.1 parser vulnerability (CVE-2009-2185)
openswan-2.6-initscript-correction.patch:
setup.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- NEW FILE openswan-2.6-initscript-correction.patch ---
--- openswan-2.6.22-orig/programs/setup/setup.in 2009-06-22 22:53:08.000000000 -0400
+++ openswan-2.6.22/programs/setup/setup.in 2009-09-10 11:48:23.395338383 -0400
@@ -39,7 +39,7 @@
# times of NFS filesystem startup/shutdown). Startup is after startup of
# syslog and pcmcia support; shutdown is just before shutdown of syslog.
#
-# chkconfig: 2345 47 76
+# chkconfig: - 47 76
# description: IPsec provides encrypted and authenticated communications; \
# KLIPS is the kernel half of it, Pluto is the user-level management daemon.
openswan-2.6.22-CVE-2009-2185.patch:
asn1.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
--- NEW FILE openswan-2.6.22-CVE-2009-2185.patch ---
--- openswan-2.6.22/lib/libopenswan/asn1.c 2009-06-22 22:53:08.000000000 -0400
+++ openswan-2/lib/libopenswan/asn1.c 2009-08-17 14:07:00.153981683 -0400
@@ -76,8 +76,15 @@ asn1_length(chunk_t *blob)
n = *blob->ptr++;
blob->len--;
- if ((n & 0x80) == 0) /* single length octet */
+ if ((n & 0x80) == 0) { /* single length octet */
+ if (n > blob->len) {
+ DBG(DBG_PARSING,
+ DBG_log("number of length octets is larger than ASN.1 object")
+ )
+ return ASN1_INVALID_LENGTH;
+ }
return n;
+ }
/* composite length, determine number of length octets */
n &= 0x7f;
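Review bot: The new short-form check `if (n > blob->len)` runs after the unconditional `blob->len--` two lines above it, and nothing in the hunk shows that the remaining length was non-zero before the length octet was read. If `len` is an unsigned type (likely for a chunk length, but to be confirmed), a blob that is already exhausted would wrap it to a very large value and the new guard would never fire; a check such as `if (blob->len < 1) return ASN1_INVALID_LENGTH;` ahead of `n = *blob->ptr++;` would cover that case. The debug text in this branch, "number of length octets is larger than ASN.1 object", describes the long-form case, whereas here `n` is the content length, so `DBG_log("length is larger than remaining ASN.1 blob")` would be more accurate. The start of asn1_length and its long-form path lie outside the hunk.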
@@ -243,7 +250,6 @@ asn1totime(const chunk_t *utctime, asn1_
{
int tz_hour, tz_min;
- sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min);
if (sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min) != 2)
{
return 0; /* error in positive timezone offset format */
@@ -411,7 +417,7 @@ extract_object(asn1Object_t const *objec
blob1->len = asn1_length(blob);
- if (blob1->len == ASN1_INVALID_LENGTH || blob->len < blob1->len)
+ if (blob1->len == ASN1_INVALID_LENGTH)
{
DBG(DBG_PARSING,
DBG_log("L%d - %s: length of ASN1 object invalid or too large",
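Review bot: Removing `blob->len < blob1->len` from this condition makes asn1_length() the only place where the decoded length is bounded by the remaining input, and this patch only shows that bound being added for the short-form branch. Unless the long-form path (outside the visible hunks) also rejects a length larger than `blob->len`, extract_object would accept an object that extends past the end of the buffer. Keeping the caller-side comparison is cheap defence in depth: `if (blob1->len == ASN1_INVALID_LENGTH || blob->len < blob1->len)`. The body of extract_object continues outside the hunk.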
openswan-2.6.22-selinux.patch:
verify.in | 12 ------------
1 file changed, 12 deletions(-)
--- NEW FILE openswan-2.6.22-selinux.patch ---
--- openswan-2.6.22-orig/programs/verify/verify.in 2009-06-23 04:53:08.000000000 +0200
+++ openswan-2.6.22/programs/verify/verify.in 2009-07-09 23:50:15.000000000 +0200
@@ -262,18 +262,6 @@ sub installstartcheck {
} else { warnchk "","UNKNOWN"; }
}
- if ( -e "/selinux/enforce") {
- printfun "Testing against enforced SElinux mode";
- open("cat", "/selinux/enforce");
- if(<cat> == "1")
- {
- errchk "";
- print "\n SElinux is running in 'enforced' mode. Since no working SElinux\n policies exist for Openswan, SElinux should be disabled.\n";
- print "\n echo \"0\" > /selinux/enforce (or edit /etc/sysconfig/selinux)\n\n";
- }
- else { errchk "1"; }
- }
-
if ( -c "/dev/hw_random" || -c "/dev/hwrng" ) {
printfun "Hardware RNG detected, testing if used properly";
run "pidof rngd";
Index: .cvsignore
===================================================================
RCS file: /cvs/pkgs/rpms/openswan/F-10/.cvsignore,v
retrieving revision 1.26
retrieving revision 1.27
diff -u -p -r1.26 -r1.27
--- .cvsignore 30 Mar 2009 16:28:43 -0000 1.26
+++ .cvsignore 10 Sep 2009 17:01:36 -0000 1.27
@@ -10,3 +10,4 @@ openswan-2.6.16.tar.gz
openswan-2.6.18.tar.gz
openswan-2.6.19.tar.gz
openswan-2.6.21.tar.gz
+openswan-2.6.22.tar.gz
Index: openswan.spec
===================================================================
RCS file: /cvs/pkgs/rpms/openswan/F-10/openswan.spec,v
retrieving revision 1.73
retrieving revision 1.74
diff -u -p -r1.73 -r1.74
--- openswan.spec 6 Jul 2009 15:14:57 -0000 1.73
+++ openswan.spec 10 Sep 2009 17:01:37 -0000 1.74
@@ -1,8 +1,8 @@
Summary: Openswan IPSEC implementation
Name: openswan
-Version: 2.6.21
+Version: 2.6.22
-Release: 2%{?dist}
+Release: 1%{?dist}
License: GPLv2+
Url: http://www.openswan.org/
Source: openswan-%{version}.tar.gz
@@ -11,9 +11,9 @@ Source2: ipsec.conf
Patch1: openswan-2.6.16-examples.patch
Patch2: openswan-2.6-relpath.patch
-Patch3: openswan-2.6-selinux.patch
-Patch4: openswan-2.6.16-initscript-correction.patch
-Patch5: openswan-2.6.21-CVE-2009-2185.patch
+Patch3: openswan-2.6.22-selinux.patch
+Patch4: openswan-2.6-initscript-correction.patch
+Patch5: openswan-2.6.22-CVE-2009-2185.patch
Group: System Environment/Daemons
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -151,6 +151,10 @@ fi
chkconfig --add ipsec || :
%changelog
+* Thu Sep 10 2009 Avesh Agarwal <avagarwa at redhat.com> - 2.6.22-1
+- New upstream release
+- Openswan ASN.1 parser vulnerability (CVE-2009-2185)
+
* Mon Jul 06 2009 Avesh Agarwal <avagarwa at redhat.com> - 2.6.21-2
- Openswan ASN.1 parser vulnerability (CVE-2009-2185)
Index: sources
===================================================================
RCS file: /cvs/pkgs/rpms/openswan/F-10/sources,v
retrieving revision 1.25
retrieving revision 1.26
diff -u -p -r1.25 -r1.26
--- sources 30 Mar 2009 16:28:43 -0000 1.25
+++ sources 10 Sep 2009 17:01:37 -0000 1.26
@@ -1 +1 @@
-ba9da6c90e0f5fe856767d7510ce371f openswan-2.6.21.tar.gz
+9a30009bade8a1b09fba27680c87cf72 openswan-2.6.22.tar.gz
--- openswan-2.6-noxmlto.patch DELETED ---
--- openswan-2.6-selinux.patch DELETED ---
--- openswan-2.6.16-initscript-correction.patch DELETED ---
--- openswan-2.6.21-CVE-2009-2185.patch DELETED ---