New issue
Advanced search Search tips

Issue 874416 link

Starred by 1 user
Status: Fixed
Owner:
mnissler@chromium.org
Closed: Aug 16
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 2
Type: Bug-Security



Sign in to add a comment

CrOS: Vulnerability reported in net-vpn/strongswan

Project Member Reported by vomit.go...@appspot.gserviceaccount.com, Aug 15 
Automated analysis has detected that the following third party packages have had vulnerabilities publicly reported. 

NOTE: There may be several bugs listed below - in almost all cases, all bugs can be quickly addressed by upgrading to the latest version of the package.

Package Name: net-vpn/strongswan
Package Version: [cpe:/a:strongswan:strongswan:5.5.3]

Advisory: CVE-2018-10811
  Details: https://vomit.googleplex.com/advisory?id=CVE/CVE-2018-10811
  CVSS severity score: 5/10.0
  Confidence: high
  Description:

strongSwan 5.6.0 and older allows Remote Denial of Service because of Missing Initialization of a Variable.

Comment 1 by mnissler@chromium.org, Aug 15

Components: OS>Systems>Network
Labels: Security_Impact-None Security_Severity-Low
Owner: mnissler@chromium.org
Status: Started (was: Untriaged)
DoS only (crash) -> Severity_Low
Only reachable with openssl in FIPS mode, which our build disables -> Impact_None

Should probably still upgrade strongswan for good measure, I'll give it a shot.
Project Member

Comment 2 by bugdroid1@chromium.org, Aug 16 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/97313128b3c055f96bc9238b21f37682eea8a10d

commit 97313128b3c055f96bc9238b21f37682eea8a10d
Author: Mattias Nissler <mnissler@chromium.org>
Date: Thu Aug 16 20:14:47 2018

net-vpn/strongswan: Add patch for CVE-2018-10811

This adds the patch from upstream for the 5.5.3 release.

BUG= chromium:874416 
TEST=Builds and passes network_VPNConnect.l2tpipsec_{psk,cert,xauth}

Change-Id: Ibcac4a905e064c330eae552f6dd37cdb34ab9f59
Reviewed-on: https://chromium-review.googlesource.com/1176088
Commit-Ready: Mattias Nissler <mnissler@chromium.org>
Tested-by: Mattias Nissler <mnissler@chromium.org>
Reviewed-by: Ben Chan <benchan@chromium.org>

[add] https://crrev.com/97313128b3c055f96bc9238b21f37682eea8a10d/net-vpn/strongswan/files/strongswan-5.5.3-fix-cve-2018-10811.patch
[rename] https://crrev.com/97313128b3c055f96bc9238b21f37682eea8a10d/net-vpn/strongswan/strongswan-5.5.3-r9.ebuild
[modify] https://crrev.com/97313128b3c055f96bc9238b21f37682eea8a10d/net-vpn/strongswan/strongswan-5.5.3.ebuild

Comment 3 by mnissler@chromium.org, Aug 16

Status: Fixed (was: Started)
Project Member

Comment 4 by sheriffbot@chromium.org, Aug 17

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Project Member

Comment 5 by sheriffbot@chromium.org, Nov 23

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment