CrOS: Vulnerability reported in net-vpn/strongswan: CVE-2018-5388
Issue description

Automated analysis has detected that the following third party packages have had vulnerabilities publicly reported.

NOTE: There may be several bugs listed below - in almost all cases, all bugs can be quickly addressed by upgrading to the latest version of the package.

Package Name: net-vpn/strongswan
Package Version: [cpe:/a:strongswan:strongswan:5.5.3]

Advisory: CVE-2018-5388
Details: https://vomit.googleplex.com/advisory?id=CVE/CVE-2018-5388
CVSS severity score: 4/10.0
Confidence: high
Description: In stroke_socket.c in strongSwan before 5.6.3, a missing packet length check could allow a buffer underflow, which may lead to resource exhaustion and denial of service while reading from the socket.
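The class of bug named in the description, as an added example that is not part of the original issue and is not strongSwan's code: a reader for a length-prefixed message whose length field counts itself, shown without and with a minimum-length check. The wire format, constant and function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed wire format (assumption, not strongSwan's message layout):
 * a 16-bit total length that counts itself, a 16-bit type, then payload. */
#define HDR_LEN (sizeof(uint16_t) + sizeof(uint16_t))

/* "Before": bytes still to read after the length field. With no lower
 * bound, total_len < 2 wraps around to a value near SIZE_MAX, so the
 * reader would try to consume an enormous amount of data. */
size_t remaining_unchecked(uint16_t total_len)
{
    return (size_t)total_len - sizeof(uint16_t);
}

/* "After": reject a declared length that cannot hold the fixed header
 * before doing any arithmetic on it. Returns 0 on success, -1 on error. */
int remaining_checked(uint16_t total_len, size_t *remaining)
{
    if (total_len < HDR_LEN)
        return -1;
    *remaining = (size_t)total_len - sizeof(uint16_t);
    return 0;
}

/* Parse one message from bytes already received. Host byte order is
 * assumed for the header fields. Returns 0 on success, -1 on error. */
int parse_msg(const uint8_t *buf, size_t avail, uint16_t *type,
              const uint8_t **payload, size_t *payload_len)
{
    uint16_t total_len;
    size_t remaining;

    if (avail < sizeof(total_len))
        return -1;                      /* not even a length field */
    memcpy(&total_len, buf, sizeof(total_len));
    if (remaining_checked(total_len, &remaining) != 0)
        return -1;                      /* declared length too small */
    if (remaining > avail - sizeof(total_len))
        return -1;                      /* declared length exceeds data */
    memcpy(type, buf + sizeof(total_len), sizeof(*type));
    *payload = buf + HDR_LEN;
    *payload_len = total_len - HDR_LEN;
    return 0;
}
```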
,
Jul 10
So it looks like this bug was just recently discovered and only the current release of strongSwan (5.6.3) has the fix. Do we always just uprev to the most recent fixed version in this scenario or is it also a viable option to patch the affected code? Not sure if there are stability concerns with the bleeding-edge version.
,
Jul 10
,
Jul 10
we leave it to the maintainers to make the call. usually we'll uprev if it's not a package we track and they tend to be stable, but if we're patching strongswan quite a bit and upgrades aren't trivial, backporting the patch is reasonable. especially since it sounds like this particular fix is simple.
,
Jul 11
briannorris@, kirtika@: I'm deferring to you folks on this one, although I've been working with some strongSwan patches in the recent past so let me know if you'd like me to see if I can backport this.
,
Jul 11
I know very little about strongswan. This patch looks extremely trivial to backport, so maybe that's easier. BTW, I don't even see a 5.6.3 ebuild in Gentoo yet. That makes it slightly more difficult to upgrade.
,
Jul 11
A simple cherry-pick of the upstream patch on top of 5.5.3 should be sufficient for this case: https://chromium-review.googlesource.com/c/chromiumos/overlays/chromiumos-overlay/+/1133596
,
Jul 12
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/47a38321536da5b80636fa7878649569b1069e06

commit 47a38321536da5b80636fa7878649569b1069e06
Author: Ben Chan <benchan@chromium.org>
Date: Thu Jul 12 09:33:21 2018

net-vpn/strongswan: verify message length in stroke plugin

This CL cherry-picks the following upstream patch to strongswan 5.5.3:

commit 0acd1ab4d08d53d80393b1a37b8781f6e7b2b996
Author: Tobias Brunner <tobias@strongswan.org>
Date: Tue Mar 13 18:54:08 2018 +0100

stroke: Ensure a minimum message length

BUG= chromium:862112
TEST=`emerge-$BOARD strongswan`
TEST=Run network_VPNConnect.l2tpipsec_* tests

Change-Id: Ia25878a6d3ca83d1fb99b03ff392050e3e06f066
Reviewed-on: https://chromium-review.googlesource.com/1133596
Commit-Ready: Ben Chan <benchan@chromium.org>
Tested-by: Ben Chan <benchan@chromium.org>
Reviewed-by: Ben Chan <benchan@chromium.org>

[add] https://crrev.com/47a38321536da5b80636fa7878649569b1069e06/net-vpn/strongswan/files/strongswan-5.5.3-stroke-Ensure-a-minimum-message-length.patch
[rename] https://crrev.com/47a38321536da5b80636fa7878649569b1069e06/net-vpn/strongswan/strongswan-5.5.3-r8.ebuild
[modify] https://crrev.com/47a38321536da5b80636fa7878649569b1069e06/net-vpn/strongswan/strongswan-5.5.3.ebuild
,
Jul 13
the cherry pick should fix this
,
Jul 14
,
Oct 20
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by vapier@chromium.org, Jul 10
Components: OS>Systems>Network
Owner: mortonm@chromium.org
Summary: CrOS: Vulnerability reported in net-vpn/strongswan: CVE-2018-5388 (was: CrOS: Vulnerability reported in net-vpn/strongswan)