Ubuntu
strongswan package

strongswan apparmor profile doesn't permit xauth-pam

Bug #1470277 reported by Eric Heydrick on 2015-06-30

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	strongswan (Ubuntu)	Fix Released	Undecided	Unassigned

Bug Description

When using the strongswan xauth-pam plugin I get an error at startup regarding missing capabilities and the plugin doesn't load.

---
xauth-pam plugin requires CAP_AUDIT_WRITE capability
plugin 'xauth-pam': failed to load - xauth_pam_plugin_create returned NULL
---

If I add "capability audit_write," to /etc/apparmor.d/local/usr.lib.ipsec.charon it works. I would expect the plugin to work without modifying the local apparmor profile.

Package info:
  strongswan:
    Installed: 5.1.2-0ubuntu2.3
    Candidate: 5.1.2-0ubuntu2.3

  strongswan-plugin-xauth-pam:
    Installed: 5.1.2-0ubuntu2.3
    Candidate: 5.1.2-0ubuntu2.3

Ubuntu info:
Description: Ubuntu 14.04.2 LTS
Release: 14.04

CVE References

Revision history for this message

Launchpad Janitor (janitor) wrote on 2016-02-18:

Download full text (14.3 KiB)

This bug was fixed in the package strongswan - 5.3.5-1ubuntu1

---------------
strongswan (5.3.5-1ubuntu1) xenial; urgency=medium

This bug was fixed in the package strongswan - 5.3.5-1ubuntu1

---------------
strongswan (5.3.5-1ubuntu1) xenial; urgency=medium

* debian/{rules,control,libstrongswan-extra-plugins.install}
    Enable bliss plugin
  * debian/{rules,control,libstrongswan-extra-plugins.install}
    Enable chapoly plugin
  * debian/patches/dont-load-kernel-libipsec-plugin-by-default.patch
    Upstream suggests to not load this plugin by default as it has
    some limitations.
    https://wiki.strongswan.org/projects/strongswan/wiki/Kernel-libipsec
  * debian/patches/increase-bliss-test-timeout.patch
    Under QEMU/KVM for autopkgtest bliss test takes a bit longer then default
  * Update Apparmor profiles
    - usr.lib.ipsec.charon
      - add capability audit_write for xauth-pam (LP: #1470277)
      - add capability dac_override (needed by agent plugin)
      - allow priv dropping (LP: #1333655)
      - allow caching CRLs (LP: #1505222)
      - allow rw access to /dev/net/tun for kernel-libipsec (LP: #1309594)
    - usr.lib.ipsec.stroke
      - allow priv dropping (LP: #1333655)
      - add local include
    - usr.lib.ipsec.lookip
      - add local include
  * Merge from Debian, which includes fixes for all previous CVEs
    Fixes (LP: #1330504, #1451091, #1448870, #1470277)
    Remaining changes:
      * debian/control
        - Lower dpkg-dev to 1.16.1 from 1.16.2 to enable backporting to Precise
        - Update Maintainer for Ubuntu
        - Add build-deps
          - dh-apparmor
          - iptables-dev
          - libjson0-dev
          - libldns-dev
          - libmysqlclient-dev
          - libpcsclite-dev
          - libsoup2.4-dev
          - libtspi-dev
          - libunbound-dev
        - Drop build-deps
          - libfcgi-dev
          - clearsilver-dev
        - Create virtual packages for all strongswan-plugin-* for dist-upgrade
        - Set XS-Testsuite: autopkgtest
      * debian/rules:
        - Enforcing DEB_BUILD_OPTIONS=nostrip for library integrity checking.
        - Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths in
          tests.
        - Change init/systemd program name to strongswan
        - Install AppArmor profiles
        - Removed pieces on 'patching ipsec.conf' on build.
        - Enablement of features per Ubuntu current config suggested from
          upstream recommendation
        - Unpack and sort enabled features to one-per-line
        - Disable duplicheck as per
          https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10
        - Disable libfast (--disable-fast):
          Requires dropping medsrv, medcli plugins which depend on libfast
        - Add configure options
          --with-tss=trousers
        - Remove configure options:
          --enable-ha (requires special kernel)
          --enable-unit-test (unit tests run by default)
        - Drop logcheck install
      * debian/tests/*
        - Add DEP8 test for strongswan service and plugins
      * debian/strongswan-starter.strongswan.service
        - Add new systemd file instead of patching upstream
      * debian/strongswan-starter.links
        - removed, use Ubuntu systemd file instead of linking to upstream
      * debian/usr.lib.ipsec.{charon, lookip, stroke}
        - added AppArmor profiles for charon, lookip and stroke
      * debian/libcharon-extra-plugins.install
        - Add plugins
          - kernel-libipsec.{so, lib, conf, apparmor}
        - Remove plugins
          - libstrongswan-ha.so
        - Relocate plugins
          - libstrongswan-tnc-tnccs.so (strongswan-tnc-base.install)
      * debian/libstrongswan-extra-plugins.install
        - Add plugins (so, lib, conf)
          - acert
          - attr-sql
          - coupling
          - dnscert
          - fips-prf
          - gmp
          - ipseckey
          - load-tester
          - mysql
          - ntru
          - radattr
          - soup
          - sqlite
          - sql
          - systime-fix
          - unbound
          - whitelist
        - Relocate plugins (so, lib, conf)
          - ccm (libstrongswan.install)
          - test-vectors (libstrongswan.install)
      * debian/libstrongswan.install
        - Sort sections
        - Add plugins (so, lib, conf)
          - libchecksum
          - ccm
          - eap-identity
          - md4
          - test-vectors
      * debian/strongswan-charon.install
        - Add AppArmor profile for charon
      * debian/strongswan-starter.install
        - Add tools, manpages, conf
          - openac
          - pool
          - _updown_espmark
        - Add AppArmor profile for stroke
      * debian/strongswan-tnc-base.install
        - Add new subpackage for TNC
        - remove non-existent (dropped in 5.2.1) libpts library files
      * debian/strongswan-tnc-client.install
        - Add new subpackage for TNC
      * debian/strongswan-tnc-ifmap.install
        - Add new subpackage for TNC
      * debian/strongswan-tnc-pdp.install
        - Add new subpackage for TNC
      * debian/strongswan-tnc-server.install
        - Add new subpackage for TNC
      * debian/strongswan-starter.postinit:
        - Removed section about runlevel changes, it's almost 2014.
        - Adapted service restart section for Upstart.
        - Remove old symlinks to init.d files is necessary.
      * debian/strongswan-starter.dirs: Don't touch /etc/init.d.
      * debian/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call.
      * debian/strongswan-starter.prerm: Stop strongswan service on package
        removal (as opposed to using the old init.d script).
      * debian/libstrongswan.strongswan.logcheck combined into debian/strongswan.logcheck
        - logcheck patterns updated to be helpful
      * debian/strongswan-starter.postinst: Removed further out-dated code and
        entire section on opportunistic encryption - this was never in strongSwan.
      * debian/ipsec.secrets.proto: Removed ipsec.secrets.inc reference.
    Drop changes:
      * debian/control
        - Per-plugin package breakup: Reducing packaging delta from Debian
        - Don't build dhcp, farp subpackages: Reduce packging delta from Debian
      * debian/watch: Already exists in Debian merge
      * debian/upstream/signing-key.asc:  Upstream has newer version.

strongswan (5.3.5-1) unstable; urgency=medium

* New upstream bugfix release.

strongswan (5.3.4-1) unstable; urgency=medium

* New upstream release.
  * debian/patches:
    - 03_systemd-service refreshed for new upstream release.
    - 0001-socket-default-Refactor-setting-source-address-when-,
    0001-socket-dynamic-Refactor-setting-source-address-when- and
    CVE-2015-8023_eap_mschapv2_state dropped, included upstream.

strongswan (5.3.3-3) unstable; urgency=high

* Set urgency=high for security fix.
  * debian/patches:
    - CVE-2015-8023_eap_mschapv2_state added, fix authentication bypass when
    using EAP MSCHAPv2.

strongswan (5.3.3-2) unstable; urgency=medium

* debian/rules:
    - make the dh_install override arch-dependent only since it only acts on
    arch:any packages, fix FTBFS on arch:all.

strongswan (5.3.3-1) unstable; urgency=medium

* debian/rules:
    - enable the connmark plugin.
  * debian/control:
    - add build-dep on iptables-dev.
  * debian/libstrongswan-standard-plugins:
    - add connmark plugin to the standard-plugins package.
  * New upstream release.                                       closes: #803772
  * debian/strongswan-starter.install:
    - install new pki --dn manpage to ipsec-starter package.
  * debian/patches:
    - 0001-socket-default-Refactor-setting-source-address-when- and
    0001-socket-dynamic-Refactor-setting-source-address-when- added (taken
    from c761db and 9e8b4a in the 1171-socket-default-scope branch), fix
    source address selection with IPv6 (upstream #1171)

strongswan (5.3.2-1) unstable; urgency=medium

* New upstream release.
  * debian/patches:
    - 05_ivgen-allow-reusing-same-message-id-twice dropped, included upstream.
    - CVE-2015-4171_enforce_remote_auth dropped as well.

strongswan (5.3.1-1) unstable; urgency=high

* New upstream release.
  * debian/patches:
    - strongswan-5.2.2-5.3.0_unknown_payload dropped, included upstream.
    - 05_ivgen-allow-reusing-same-message-id-twice added, allow reusing the
    same message ID twice in sequential IV gen. strongSwan issue #980.
    - CVE-2015-4171_enforce_remote_auth added, fix potential leak of
    authentication credential to rogue server when using PSK or EAP. This is
    CVE-2015-4171.

strongswan (5.3.0-2) unstable; urgency=medium

* debian/patches:
    - strongswan-5.2.2-5.3.0_unknown_payload added, fixes a DoS and potential
      remote code execution vulnerability (CVE-2015-3991).
  * debian/strongswan-starter.lintian-overrides: add override for
    command-with-path-in-maintainer-script since it's there to check for file
    existence.
  * Upload to unstable.

strongswan (5.3.0-1) experimental; urgency=medium

* New upstream release.
  * debian/patches:
    - 01_fix-manpages refreshed for new upstream release.
    - 02_chunk-endianness dropped, included upstream.
    - CVE-2014-9221_modp_custom dropped, included upstream.
  * debian/strongswan-starter.install
    - don't install the _updown and _updown_espmark manpages anymore, they're
    gone.
    - also remove the _updown_espmark script, gone too.
  * debian/copyright updated.

strongswan (5.2.1-6) unstable; urgency=medium

* Ship /lib/systemd/system/ipsec.service as a symlink to
    strongswan.service in strongswan-starter instead of using Alias= in
    the service file. This makes the ipsec name available to invoke-rc.d
    before the service gets actually enabled, which avoids some confusion
    (closes: #781209).

strongswan (5.2.1-5) unstable; urgency=high

* debian/patches:
    - debian/patches/CVE-2014-9221_modp_custom added, fix unauthenticated
    denial of service in IKEv2 when using custom MODP value.

strongswan (5.2.1-4) unstable; urgency=medium

* Give up on trying to run the test suite on !amd64, it now times out on
    both i386 and s390x, our chosen "fast" archs.

strongswan (5.2.1-3) unstable; urgency=medium

* Disable libtls tests again, they are still too intensive for the buildd
    network...

strongswan (5.2.1-2) unstable; urgency=medium

* Cherry-pick commits 701d6ed and 1c70c6e from upstream to fix checksum
    computation and FTBFS on big-endian hosts.
  * Run the test suite only on amd64, i386, and s390x. It requires lots of
    entropy and CPU time, which are typically hard to come by on slower
    archs.
  * Re-enable normal keylengths in test suite.
  * Re-enable libtls tests.
  * Update Dutch translation, thanks to Frans Spiesschaert (closes: #763798).
  * Bump Standards-Version to 3.9.6.

strongswan (5.2.1-1) unstable; urgency=medium

* New upstream release.
  * Stop shipping /etc/strongswan.conf.d in libstrongswan.

strongswan (5.2.0-2) unstable; urgency=medium

* Add systemd integration:
    + Install upstream systemd service file in strongswan-starter.
    + Alias strongswan.service to ipsec.service to match the sysv init script.
    + Drop After=syslog.target (as syslog is socket-activated nowadays), but
      add After=network.target to ensure that charon gets the chance to send
      deletes on exit.
    + Add ExecReload for reload action, since the starter script has one.
    + On linux-any, add build-dep on systemd to ensure that the pkg-config
      metadata file can be found.
    + Add build-dep on dh-systemd, and use systemd dh addon.
  * Remove debian/patches/03_include-stdint.patch.

strongswan (5.2.0-1) unstable; urgency=medium

* New upstream release.
  [ Romain Francoise ]
  * Amend build-dep on libgcrypt to 'libgcrypt20-dev | libgcrypt11-dev'.
  * Drop hardening-wrapper from build-depends (unused since 5.0.4-1).

[ Yves-Alexis Perez ]
  * debian/po:
    - pt_BR.po updated, thanks Adriano Rafael Gomes.            closes: #752721
  * debian/patches:
    03_pfkey-Always-include-stdint.h dropped, included upstream.
  * debian/strongswan-starter.install:
    - replace tools.conf by pki.conf and scepclient.conf.

strongswan (5.1.3-4) unstable; urgency=medium

* debian/control:
    - add build-dep on pkg-config.
  * debian/patches:
    - 03_pfkey-Always-include-stdint.h added, cherry-picked from upstream git:
      always include of stdint.h. Fix FTBFS on kFreeBSD.

strongswan (5.1.3-3) unstable; urgency=medium

* debian/watch:
    - add pgpsigurlmangle to get PGP signature
  * debian/upstream/signing-key.asc:
    - bootstrap keyring by adding Andreas Steffen key (0xDF42C170B34DBA77)
  * debian/control:
    - add build-dep on libgcrypt20-dev, fix FTBFS.              closes: #747796

strongswan (5.1.3-2) unstable; urgency=low

* Disable the new libtls test suite for now--it appears to be a
    little too intensive for slower archs.

strongswan (5.1.3-1) unstable; urgency=low

* New upstream release.
  * debian/control: make strongswan-charon depend on iproute2 | iproute,
    thanks to Ryo IGARASHI <rigarash@gmail.com> (closes: #744832).

strongswan (5.1.2-4) unstable; urgency=high

* debian/patches/04_cve-2014-2338.patch: added to fix CVE-2014-2338
    (authentication bypass vulnerability in IKEv2 code).
  * debian/control: add myself to Uploaders.

strongswan (5.1.2-3) unstable; urgency=medium

* debian/patches/
    - 02_unit-tests-Fix-filtered-enumerator-tests-on-64-bit-b  added, fix
    testsuite failing on 64 bit big-endian platforms (s390x).
    - 03_unit-tests-Fix-chunk-clear-armel added, fix testsuite failing on
    armel.

strongswan (5.1.2-2) unstable; urgency=medium

* debian/rules:
    - use reduced keylengths in testsuite on various arches, hopefully fixing
      FTBFS when the genrsa test runs.

strongswan (5.1.2-1) unstable; urgency=medium

* New upstream release.
  * debian/control:
    - add conflicts against openSwan.                           closes: #740808
  * debian/strongswan-starter,postrm:
    - remove /var/lib/strongswan on purge.
  * debian/ipsec.secrets.proto:
    - stop lying about ipsec showhostkey command.               closes: #600382
  * debian/patches:
    - 01_fix-manpages refreshed for new upstream.
    - 02_include-strongswan.conf.d removed, strongswan.d is now supported
      upstream.
  * debian/rules, debian/*.install:
    - install default configuration files for all plugins.
  * debian/NEWS:
    - fix spurious entry.
    - add a NEWS entry to advertise about the new strongswan.d configuration
      mechanism.

-- Ryan Harper <ryan.harper@canonical.com>  Fri, 12 Feb 2016 11:24:53 -0600

Changed in strongswan (Ubuntu):
status:	New → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

debbugs #718291
[open wishlist] Edit

Bug watches keep track of this bug in other bug trackers.

Ubuntustrongswan package