From owner-freebsd-security@FreeBSD.ORG  Wed Feb  6 20:54:56 2008
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id ACD9816A41A
	for <freebsd-security@freebsd.org>;
	Wed,  6 Feb 2008 20:54:56 +0000 (UTC) (envelope-from mohacsi@niif.hu)
Received: from mail.ki.iif.hu (mail.ki.iif.hu [IPv6:2001:738:0:411::241])
	by mx1.freebsd.org (Postfix) with ESMTP id 89C0413C469
	for <freebsd-security@freebsd.org>;
	Wed,  6 Feb 2008 20:54:54 +0000 (UTC) (envelope-from mohacsi@niif.hu)
Received: from localhost (localhost [IPv6:::1])
	by mail.ki.iif.hu (Postfix) with ESMTP id 6486184AC8
	for <freebsd-security@freebsd.org>;
	Wed,  6 Feb 2008 21:54:52 +0100 (CET)
X-Virus-Scanned: by amavisd-new at mignon.ki.iif.hu
Received: from mail.ki.iif.hu ([127.0.0.1])
	by localhost (mignon.ki.iif.hu [127.0.0.1]) (amavisd-new, port 10024)
	with LMTP id J1mmjLDhCH05 for <freebsd-security@freebsd.org>;
	Wed,  6 Feb 2008 21:54:49 +0100 (CET)
Received: by mail.ki.iif.hu (Postfix, from userid 9002)
	id D171B84A83; Wed,  6 Feb 2008 21:54:48 +0100 (CET)
Received: from localhost (localhost [127.0.0.1])
	by mail.ki.iif.hu (Postfix) with ESMTP id D04C384A34
	for <freebsd-security@freebsd.org>;
	Wed,  6 Feb 2008 21:54:48 +0100 (CET)
Date: Wed, 6 Feb 2008 21:54:48 +0100 (CET)
From: Mohacsi Janos <mohacsi@niif.hu>
X-X-Sender: mohacsi@mignon.ki.iif.hu
To: freebsd-security@freebsd.org
Message-ID: <20080206215314.Y20917@mignon.ki.iif.hu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Subject: What about FreeBSD? - KAME Project "ipcomp6_input()" Denial of
 Service 
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Feb 2008 20:54:56 -0000


TITLE:
KAME Project "ipcomp6_input()" Denial of Service

CRITICAL:
Moderately critical

IMPACT:
DoS

WHERE:
>From remote

DESCRIPTION:
A vulnerability has been reported in the KAME Project, which can be
exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an error within the
"ipcomp6_input()" function in kame/sys/netinet6/ipcomp_input.c when
processing IPv6 packets with an IPComp header. This can be exploited
to crash a vulnerable system by sending a specially crafted IPv6
packet.

SOLUTION:
Fixed in the CVS repository.
http://www.kame.net/dev/cvsweb2.cgi/kame/kame/sys/netinet6/ipcomp_input.c.diff?r1=1.36;r2=1.37

PROVIDED AND/OR DISCOVERED BY:
US-CERT credits Shoichi Sakane.
NetBSD credits the Coverity Prevent analysis tool.

ORIGINAL ADVISORY:
US-CERT VU#110947:
http://www.kb.cert.org/vuls/id/110947