From ed54a2e9856659f200add52a6ac8667ef5fa7f7ea1116c91593c2dee7e970836 Mon Sep 17 00:00:00 2001
From: OBS User unknown <null@suse.de>
Date: Thu, 2 Apr 2009 16:51:38 +0000
Subject: [PATCH] OBS-URL:
 https://build.opensuse.org/package/show/openSUSE:Factory/strongswan?expand=0&rev=10

---
 ...8-rpmlintrc => strongswan-4.2.14-rpmlintrc |  1 -
 strongswan-4.2.14.tar.bz2                     |  3 ++
 strongswan-4.2.14.tar.bz2.sig                 |  9 ++++
 strongswan-4.2.8.dif                          | 11 ----
 strongswan-4.2.8.tar.bz2                      |  3 --
 strongswan-4.2.8.tar.bz2.sig                  |  9 ----
 strongswan.changes                            | 27 ++++++++++
 strongswan.spec                               | 38 +++++++++++---
 strongswan_modprobe_syslog.dif                | 50 ++++++++++++++-----
 9 files changed, 106 insertions(+), 45 deletions(-)
 rename strongswan-4.2.8-rpmlintrc => strongswan-4.2.14-rpmlintrc (99%)
 create mode 100644 strongswan-4.2.14.tar.bz2
 create mode 100644 strongswan-4.2.14.tar.bz2.sig
 delete mode 100644 strongswan-4.2.8.dif
 delete mode 100644 strongswan-4.2.8.tar.bz2
 delete mode 100644 strongswan-4.2.8.tar.bz2.sig

diff --git a/strongswan-4.2.8-rpmlintrc b/strongswan-4.2.14-rpmlintrc
similarity index 99%
rename from strongswan-4.2.8-rpmlintrc
rename to strongswan-4.2.14-rpmlintrc
index 03587c4..9db070f 100644
--- a/strongswan-4.2.8-rpmlintrc
+++ b/strongswan-4.2.14-rpmlintrc
@@ -1,4 +1,3 @@
 addFilter('strongswan.* shlib-policy-missing-suffix')
 addFilter("strongswan.* incoherent-init-script-name ipsec")
 addFilter("strongswan.* devel-file-in-non-devel-package .*/usr/lib.*/ipsec/plugins")
-
diff --git a/strongswan-4.2.14.tar.bz2 b/strongswan-4.2.14.tar.bz2
new file mode 100644
index 0000000..b1ebaaf
--- /dev/null
+++ b/strongswan-4.2.14.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4b9acc7a8d3f8b5b715472375d8f5baea92656a427352a9c40d898075230e09a
+size 2740464
diff --git a/strongswan-4.2.14.tar.bz2.sig b/strongswan-4.2.14.tar.bz2.sig
new file mode 100644
index 0000000..bbbb85d
--- /dev/null
+++ b/strongswan-4.2.14.tar.bz2.sig
@@ -0,0 +1,9 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.9 (GNU/Linux)
+
+iQCVAwUASc5e/tYbDnNAmVNZAQJZewP/Y6KYLbebalL3GNjqANG5hB7k/xSjIuSX
+txhYdqmYxKQhe9F4nd0/LGpuco+pBzT2d7evUoANUnytNPH4YBAq+6xKNnuCwAth
+LnqgfxFhp2Hn+IUrRDztD+Cl9wQqVzf3ld/mCGNY0epnMrvRvOhSPW+k8b2t3Hxn
+O5Jh906OVbI=
+=P088
+-----END PGP SIGNATURE-----
diff --git a/strongswan-4.2.8.dif b/strongswan-4.2.8.dif
deleted file mode 100644
index f44b766..0000000
--- a/strongswan-4.2.8.dif
+++ /dev/null
@@ -1,11 +0,0 @@
---- scripts/thread_analysis.c
-+++ scripts/thread_analysis.c	2008/08/28 07:41:27
-@@ -102,7 +102,7 @@
- 	fd = fopen(LOGFILE, "r");
- 	if (!fd)
- 	{
--		printf("could not open log file '%s'\n");
-+		printf("could not open log file '%s'\n", LOGFILE);
- 		return 1;
- 	}
- 
diff --git a/strongswan-4.2.8.tar.bz2 b/strongswan-4.2.8.tar.bz2
deleted file mode 100644
index 95de870..0000000
--- a/strongswan-4.2.8.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:3e5a291857d55dfa530d5618e27a9fd17d0fd1e9d24023199a46466f76a6b687
-size 2906030
diff --git a/strongswan-4.2.8.tar.bz2.sig b/strongswan-4.2.8.tar.bz2.sig
deleted file mode 100644
index 0eeec92..0000000
--- a/strongswan-4.2.8.tar.bz2.sig
+++ /dev/null
@@ -1,9 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v1.4.6 (GNU/Linux)
-
-iQCVAwUASPP38NYbDnNAmVNZAQK+AQP9EZ6yw3ru3RpRiR04qH4asitAF/bxGOLb
-O5ZZrbdedw4zC9gXZI3zmCgxO8t5RQA3JjtlsUtSkITAVhhxoyQb3LLg+8dtF3EN
-+eawBteUG7xRl6Y+y3ESLwQ0Voma6FijN3GpqKFh7TJeFP+gSsV9Q0iZvDBxlCa/
-uVCvhbq+dcc=
-=H4YY
------END PGP SIGNATURE-----
diff --git a/strongswan.changes b/strongswan.changes
index 4df7e0e..6339e96 100644
--- a/strongswan.changes
+++ b/strongswan.changes
@@ -1,3 +1,30 @@
+-------------------------------------------------------------------
+Tue Mar 31 11:19:03 CEST 2009 - mt@suse.de
+
+- Updated to strongSwan 4.2.14 release that fixes a grave DPD
+  denial of service vulnerability registered as CVE-2009-0790,
+  that had been slumbering in the code for many years:
+  * A vulnerability in the Dead Peer Detection (RFC 3706) code
+    was found by Gerd v. Egidy <gerd.von.egidy@intra2net.com> of
+    Intra2net AG affecting all Openswan and strongSwan releases.
+    A malicious (or expired ISAKMP) R_U_THERE or R_U_THERE_ACK
+    Dead Peer Detection packet can cause the pluto IKE daemon to
+    crash and restart. No authentication or encryption is required
+    to trigger this bug. One spoofed UDP packet can cause the pluto
+    IKE daemon to restart and be unresponsive for a few seconds
+    while restarting. This DPD null state vulnerability has been
+    officially registered as CVE-2009-0790 and is fixed by this
+    release.
+  * The new server-side EAP RADIUS plugin (--enable-eap-radius)
+    relays EAP messages to and from a RADIUS server. Succesfully
+    tested with with a freeradius server using EAP-MD5 and EAP-SIM.
+  * ASN.1 to time_t conversion caused a time wrap-around for dates
+    after Jan 18 03:14:07 UTC 2038 on 32-bit platforms.
+    As a workaround such dates are set to the maximum representable
+    time, i.e. Jan 19 03:14:07 UTC 2038.
+  * Distinguished Names containing wildcards (*) are not sent in the
+    IDr payload anymore. 
+
 -------------------------------------------------------------------
 Mon Oct 20 09:27:06 CEST 2008 - mt@suse.de
 
diff --git a/strongswan.spec b/strongswan.spec
index 21f26e3..dbfb38a 100644
--- a/strongswan.spec
+++ b/strongswan.spec
@@ -1,7 +1,7 @@
 #
-# spec file for package strongswan (Version 4.2.8)
+# spec file for package strongswan (Version 4.2.14)
 #
-# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -19,9 +19,9 @@
 
 
 Name:           strongswan
-%define         upstream_version 4.2.8
+%define         upstream_version 4.2.14
 %define         strongswan_docdir %{_docdir}/%{name}
-Version:        4.2.8
+Version:        4.2.14
 Release:        1
 License:        GPL v2 or later
 Group:          Productivity/Networking/Security
@@ -38,8 +38,7 @@ Source1:        http://download.strongswan.org/strongswan-%{upstream_version}.ta
 Source2:        %{name}.init.in
 Source3:        %{name}-%{version}-rpmlintrc
 Patch1:         %{name}_modprobe_syslog.dif
-Patch2:         %{name}-%{upstream_version}.dif
-Patch3:         %{name}_update-dns-server.dif
+Patch2:         %{name}_update-dns-server.dif
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  bison flex gmp-devel gperf pkg-config
 %if 0%{?suse_version} >= 1030
@@ -136,7 +135,6 @@ Authors:
 %setup -q -n %{name}-%{upstream_version}
 %patch1 -p0
 %patch2 -p0
-%patch3 -p0
 sed -e 's|@libexecdir@|%_libexecdir|g'    \
      < $RPM_SOURCE_DIR/strongswan.init.in \
      > strongswan.init
@@ -269,6 +267,30 @@ fi
 %{_mandir}/man8/starter.8*
 
 %changelog
+* Tue Mar 31 2009 mt@suse.de
+- Updated to strongSwan 4.2.14 release that fixes a grave DPD
+  denial of service vulnerability registered as CVE-2009-0790,
+  that had been slumbering in the code for many years:
+  * A vulnerability in the Dead Peer Detection (RFC 3706) code
+  was found by Gerd v. Egidy <gerd.von.egidy@intra2net.com> of
+  Intra2net AG affecting all Openswan and strongSwan releases.
+  A malicious (or expired ISAKMP) R_U_THERE or R_U_THERE_ACK
+  Dead Peer Detection packet can cause the pluto IKE daemon to
+  crash and restart. No authentication or encryption is required
+  to trigger this bug. One spoofed UDP packet can cause the pluto
+  IKE daemon to restart and be unresponsive for a few seconds
+  while restarting. This DPD null state vulnerability has been
+  officially registered as CVE-2009-0790 and is fixed by this
+  release.
+  * The new server-side EAP RADIUS plugin (--enable-eap-radius)
+  relays EAP messages to and from a RADIUS server. Succesfully
+  tested with with a freeradius server using EAP-MD5 and EAP-SIM.
+  * ASN.1 to time_t conversion caused a time wrap-around for dates
+  after Jan 18 03:14:07 UTC 2038 on 32-bit platforms.
+  As a workaround such dates are set to the maximum representable
+  time, i.e. Jan 19 03:14:07 UTC 2038.
+  * Distinguished Names containing wildcards (*) are not sent in the
+  IDr payload anymore.
 * Mon Oct 20 2008 mt@suse.de
 - Updated to 4.2.8 release:
   * IKEv2 charon daemon supports authentication based on raw public
@@ -360,7 +382,7 @@ fi
 - Added patch adding a missed file name argument in printf call in the
   scripts/thread_analysis.c file -- resulting binary is not installed.
 - Removed obsolete patches crash_badcfg_reload and old-caps-version.
-* Tue Jul 01 2008 mt@suse.de
+* Mon Jun 30 2008 mt@suse.de
 - Added fix that explicitly enables version 1 linux capabilities
   on version 2 systems to aviod that the charon and pluto daemons
   exit because of failed capset call (bnc#404989).
diff --git a/strongswan_modprobe_syslog.dif b/strongswan_modprobe_syslog.dif
index 0ecfe7b..4593aa8 100644
--- a/strongswan_modprobe_syslog.dif
+++ b/strongswan_modprobe_syslog.dif
@@ -1,11 +1,35 @@
+--- src/starter/klips.c
++++ src/starter/klips.c	2009/03/23 10:46:01
+@@ -36,7 +36,7 @@ starter_klips_init(void)
+ 	/* ipsec module makes the pf_key proc interface visible */
+ 	if (stat(PROC_MODULES, &stb) == 0)
+ 	{
+-	    ignore_result(system("modprobe -qv ipsec"));
++	    ignore_result(system("modprobe -a ipsec"));
+ 	}
+ 
+ 	/* now test again */
+@@ -50,9 +50,9 @@ starter_klips_init(void)
+     }
+     
+     /* load crypto algorithm modules */
+-    ignore_result(system("modprobe -qv ipsec_aes"));
+-    ignore_result(system("modprobe -qv ipsec_blowfish"));
+-    ignore_result(system("modprobe -qv ipsec_sha2"));
++    ignore_result(system("modprobe -s ipsec_aes"));
++    ignore_result(system("modprobe -s ipsec_blowfish"));
++    ignore_result(system("modprobe -s ipsec_sha2"));
+ 
+     DBG(DBG_CONTROL,
+ 	DBG_log("Found KLIPS IPsec stack")
 --- src/starter/netkey.c
-+++ src/starter/netkey.c	2007/12/06 09:05:30
++++ src/starter/netkey.c	2009/03/23 10:46:34
 @@ -36,7 +36,7 @@ starter_netkey_init(void)
  	/* af_key module makes the netkey proc interface visible */
  	if (stat(PROC_MODULES, &stb) == 0)
  	{
--	    system("modprobe -qv af_key");
-+	    system("modprobe -s af_key");
+-	    ignore_result(system("modprobe -qv af_key"));
++	    ignore_result(system("modprobe -s af_key"));
  	}
  
  	/* now test again */
@@ -13,16 +37,16 @@
      /* make sure that all required IPsec modules are loaded */
      if (stat(PROC_MODULES, &stb) == 0)
      {
--	system("modprobe -qv ah4");
--	system("modprobe -qv esp4");
--	system("modprobe -qv ipcomp");
--	system("modprobe -qv xfrm4_tunnel");
--	system("modprobe -qv xfrm_user");
-+	system("modprobe -s ah4");
-+	system("modprobe -s esp4");
-+	system("modprobe -s ipcomp");
-+	system("modprobe -s xfrm4_tunnel");
-+	system("modprobe -s xfrm_user");
+-	ignore_result(system("modprobe -qv ah4"));
+-	ignore_result(system("modprobe -qv esp4"));
+-	ignore_result(system("modprobe -qv ipcomp"));
+-	ignore_result(system("modprobe -qv xfrm4_tunnel"));
+-	ignore_result(system("modprobe -qv xfrm_user"));
++	ignore_result(system("modprobe -s ah4"));
++	ignore_result(system("modprobe -s esp4"));
++	ignore_result(system("modprobe -s ipcomp"));
++	ignore_result(system("modprobe -s xfrm4_tunnel"));
++	ignore_result(system("modprobe -s xfrm_user"));
      }
  
      DBG(DBG_CONTROL,