CVE-2022-23094

NameCVE-2022-23094
DescriptionLibreswan 4.2 through 4.5 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted IKEv1 packet because pluto/ikev1.c wrongly expects that a state object exists. This is fixed in 4.6.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-5048-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libreswan (PTS)bullseye4.3-1+deb11u4fixed
bullseye (security)4.3-1+deb11u3fixed
bookworm4.10-2+deb12u1fixed
forky, sid, trixie5.2-2.2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libreswansourcebuster(not affected)
libreswansourcebullseye4.3-1+deb11u1DSA-5048-1
libreswansource(unstable)4.6-1

Notes

[buster] - libreswan <not-affected> (Vulnerable code introduced in 4.2)
https://github.com/libreswan/libreswan/issues/585
https://libreswan.org/security/CVE-2022-23094/CVE-2022-23094.txt
https://libreswan.org/security/CVE-2022-23094/CVE-2022-23094-libreswan-4.2-4.3.patch (4.2-4.3)
https://libreswan.org/security/CVE-2022-23094/CVE-2022-23094-libreswan-4.4-4.5.patch (4.4-4.5)
Search for package or bug name: Reporting problems