diff --git a/CVE-2022-40617.patch b/CVE-2022-40617.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b68a48e3c263199697a440aa464bff56ed7686bb
--- /dev/null
+++ b/CVE-2022-40617.patch
@@ -0,0 +1,137 @@
+From: Tobias Brunner
+Date: Fri, 22 Jul 2022 15:37:43 +0200
+Subject: CVE-2022-40617
+
+---
+ src/libstrongswan/credentials/credential_manager.c | 54 ++++++++++++++++++----
+ 1 file changed, 45 insertions(+), 9 deletions(-)
+
+diff --git a/src/libstrongswan/credentials/credential_manager.c b/src/libstrongswan/credentials/credential_manager.c
+index 15f3f7b..328e35e 100644
+--- a/src/libstrongswan/credentials/credential_manager.c
++++ b/src/libstrongswan/credentials/credential_manager.c
+@@ -555,7 +555,7 @@ static void cache_queue(private_credential_manager_t *this)
+ */
+ static bool check_lifetime(private_credential_manager_t *this,
+ certificate_t *cert, char *label,
+- int pathlen, bool trusted, auth_cfg_t *auth)
++ int pathlen, bool anchor, auth_cfg_t *auth)
+ {
+ time_t not_before, not_after;
+ cert_validator_t *validator;
+@@ -570,7 +570,7 @@ static bool check_lifetime(private_credential_manager_t *this,
+ continue;
+ }
+ status = validator->check_lifetime(validator, cert,
+- pathlen, trusted, auth);
++ pathlen, anchor, auth);
+ if (status != NEED_MORE)
+ {
+ break;
+@@ -603,13 +603,13 @@ static bool check_lifetime(private_credential_manager_t *this,
+ */
+ static bool check_certificate(private_credential_manager_t *this,
+ certificate_t *subject, certificate_t *issuer, bool online,
+- int pathlen, bool trusted, auth_cfg_t *auth)
++ int pathlen, bool anchor, auth_cfg_t *auth)
+ {
+ cert_validator_t *validator;
+ enumerator_t *enumerator;
+
+ if (!check_lifetime(this, subject, "subject", pathlen, FALSE, auth) ||
+- !check_lifetime(this, issuer, "issuer", pathlen + 1, trusted, auth))
++ !check_lifetime(this, issuer, "issuer", pathlen + 1, anchor, auth))
+ {
+ return FALSE;
+ }
+@@ -622,7 +622,7 @@ static bool check_certificate(private_credential_manager_t *this,
+ continue;
+ }
+ if (!validator->validate(validator, subject, issuer,
+- online, pathlen, trusted, auth))
++ online, pathlen, anchor, auth))
+ {
+ enumerator->destroy(enumerator);
+ return FALSE;
+@@ -725,6 +725,7 @@ static bool verify_trust_chain(private_credential_manager_t *this,
+ auth_cfg_t *auth;
+ signature_params_t *scheme;
+ int pathlen;
++ bool is_anchor = FALSE;
+
+ auth = auth_cfg_create();
+ get_key_strength(subject, auth);
+@@ -742,7 +743,7 @@ static bool verify_trust_chain(private_credential_manager_t *this,
+ auth->add(auth, AUTH_RULE_CA_CERT, issuer->get_ref(issuer));
+ DBG1(DBG_CFG, " using trusted ca certificate \"%Y\"",
+ issuer->get_subject(issuer));
+- trusted = TRUE;
++ trusted = is_anchor = TRUE;
+ }
+ else
+ {
+@@ -777,11 +778,18 @@ static bool verify_trust_chain(private_credential_manager_t *this,
+ DBG1(DBG_CFG, " issuer is \"%Y\"",
+ current->get_issuer(current));
+ call_hook(this, CRED_HOOK_NO_ISSUER, current);
++ if (trusted)
++ {
++ DBG1(DBG_CFG, " reached end of incomplete trust chain for "
++ "trusted certificate \"%Y\"",
++ subject->get_subject(subject));
++ }
+ break;
+ }
+ }
+- if (!check_certificate(this, current, issuer, online,
+- pathlen, trusted, auth))
++ /* don't do online verification here */
++ if (!check_certificate(this, current, issuer, FALSE,
++ pathlen, is_anchor, auth))
+ {
+ trusted = FALSE;
+ issuer->destroy(issuer);
+@@ -793,7 +801,7 @@ static bool verify_trust_chain(private_credential_manager_t *this,
+ }
+ current->destroy(current);
+ current = issuer;
+- if (trusted)
++ if (is_anchor)
+ {
+ DBG1(DBG_CFG, " reached self-signed root ca with a "
+ "path length of %d", pathlen);
+@@ -806,6 +814,34 @@ static bool verify_trust_chain(private_credential_manager_t *this,
+ DBG1(DBG_CFG, "maximum path length of %d exceeded", MAX_TRUST_PATH_LEN);
+ call_hook(this, CRED_HOOK_EXCEEDED_PATH_LEN, subject);
+ }
++ else if (trusted && online)
++ {
++ enumerator_t *enumerator;
++ auth_rule_t rule;
++
++ /* do online revocation checks after basic validation of the chain */
++ pathlen = 0;
++ current = subject;
++ enumerator = auth->create_enumerator(auth);
++ while (enumerator->enumerate(enumerator, &rule, &issuer))
++ {
++ if (rule == AUTH_RULE_CA_CERT || rule == AUTH_RULE_IM_CERT)
++ {
++ if (!check_certificate(this, current, issuer, TRUE, pathlen++,
++ rule == AUTH_RULE_CA_CERT, auth))
++ {
++ trusted = FALSE;
++ break;
++ }
++ else if (rule == AUTH_RULE_CA_CERT)
++ {
++ break;
++ }
++ current = issuer;
++ }
++ }
++ enumerator->destroy(enumerator);
++ }
+ if (trusted)
+ {
+ result->merge(result, auth, FALSE);
diff --git a/fix-use-of-uninitialized-value.patch b/fix-use-of-uninitialized-value.patch
deleted file mode 100644
index bbd05b2ad75742f048f16743097f3549f97f7f25..0000000000000000000000000000000000000000
--- a/fix-use-of-uninitialized-value.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 25fb99653f3f7c7ba5279beb00379089987cca50 Mon Sep 17 00:00:00 2001
-From: caodongxia <315816521@qq.com>
-Date: Wed, 1 Sep 2021 15:13:18 +0800
-Subject: [PATCH] fix use of uninitialized value
-
---
- src/libstrongswan/bio/bio_reader.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/libstrongswan/bio/bio_reader.c b/src/libstrongswan/bio/bio_reader.c
-index e6b459b..2ae629e 100644
---- a/src/libstrongswan/bio/bio_reader.c
-+++ b/src/libstrongswan/bio/bio_reader.c
-@@ -122,7 +122,7 @@ static bool read_uint16_internal(private_bio_reader_t *this, uint16_t *res,
- static bool read_uint24_internal(private_bio_reader_t *this, uint32_t *res,
- bool from_end)
- {
-- uint32_t tmp;
-+ uint32_t tmp = 0;
-
- if (this->buf.len < 3)
- {
---
-2.27.0
-
diff --git a/strongswan-multiple-definition.patch b/strongswan-multiple-definition.patch
deleted file mode 100644
index 1a11719daba96ccbdae7b45d083eabe47a8c7b67..0000000000000000000000000000000000000000
--- a/strongswan-multiple-definition.patch
+++ /dev/null
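Review bot: The patch header of CVE-2022-40617.patch carries only `From:`, `Date:` and `Subject: CVE-2022-40617`, with no upstream commit id or link, so a reviewer cannot check that this backport to 5.7.2 matches the fix strongSwan actually shipped; I would add a header line such as `Upstream-commit: <upstream commit id>` and a one-sentence summary of the change (online checks are now deferred until the chain has been validated, per the added `/* do online verification here */`-style comments). The C change itself reads coherently: chain construction now calls `check_certificate()` with `online` forced to `FALSE` and passes `is_anchor` rather than the accumulated `trusted` flag, and the online pass runs only under `else if (trusted && online)`, walking the `AUTH_RULE_IM_CERT`/`AUTH_RULE_CA_CERT` entries of `auth` and stopping at the first CA cert. One point worth confirming on the 5.7.2 base is that `auth->create_enumerator()` yields those entries in the order they were added (leaf-side issuer first), since the second pass pairs `current` with `issuer` purely by enumeration order. verify_trust_chain's body starts and ends outside the quoted hunks.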
@@ -1,11 +0,0 @@ ---- ./src/swanctl/swanctl.h.xiugai 2021-08-03 19:08:13.634660548 +0800 -+++ ./src/swanctl/swanctl.h 2021-08-03 19:08:30.770825041 +0800 -@@ -30,7 +30,7 @@ - /** - * Base directory for credentials and config - */ --char *swanctl_dir; -+extern char *swanctl_dir; - - /** - * Configuration file for connections, etc. diff --git a/strongswan.spec b/strongswan.spec index e448e2a055153fd9738952ac1b8dc05836201140..0106d32b7d9854295e80fc5f9f1b581e095399c1 100644 --- a/strongswan.spec +++ b/strongswan.spec 
@@ -1,65 +1,43 @@ Name: strongswan Version: 5.7.2 -Release: 11 +Release: 9 Summary: An OpenSource IPsec-based VPN and TNC solution License: GPLv2+ URL: http://www.strongswan.org/ Source0: http://download.strongswan.org/strongswan-%{version}.tar.bz2 -Patch0: strongswan-multiple-definition.patch -Patch1: fix-use-of-uninitialized-value.patch -Patch2: CVE-2021-41990.patch -Patch3: CVE-2021-41991.patch -Patch4: CVE-2021-45079.patch - +Patch0: CVE-2021-41990.patch +Patch1: CVE-2021-41991.patch +Patch2: CVE-2021-45079.patch +Patch3: CVE-2022-40617.patch BuildRequires: gcc systemd-devel gmp-devel libcurl-devel NetworkManager-libnm-devel openldap-devel BuildRequires: openssl-devel sqlite-devel gettext-devel trousers-devel libxml2-devel pam-devel -BuildRequires: json-c-devel libgcrypt-devel systemd-devel iptables-devel chrpath +BuildRequires: json-c-devel libgcrypt-devel systemd-devel iptables-devel Requires(post): systemd Requires(preun): systemd Requires(postun): systemd +Provides: strongswan-libipsec = %{version}-%{release} +Provides: strongswan-charon-nm = %{version}-%{release} +Provides: strongswan-sqlite = %{version}-%{release} +Provides: strongswan-tnc-imcvs = %{version}-%{release} +Provides: strongswan-libipsec%{?_isa} = %{version}-%{release} +Provides: strongswan-charon-nm%{?_isa} = %{version}-%{release} +Provides: strongswan-sqlite%{?_isa} = %{version}-%{release} +Provides: strongswan-tnc-imcvs%{?_isa} = %{version}-%{release} +Obsoletes: strongswan-libipsec < %{version}-%{release} +Obsoletes: strongswan-charon-nm < %{version}-%{release} +Obsoletes: strongswan-sqlite < %{version}-%{release} +Obsoletes: strongswan-tnc-imcvs < %{version}-%{release} +Obsoletes: %{name}-NetworkManager < 0:5.0.4-5 +Conflicts: %{name}-NetworkManager < 0:5.0.4-5 +Conflicts: NetworkManager-strongswan < 1.4.2-1 %description The strongSwan IPsec implementation supports both the IKEv1 and IKEv2 key exchange protocols in conjunction with the native NETKEY IPsec stack of the Linux kernel. 
-%package libipsec -Summary: Strongswan's libipsec backend -%description libipsec -The kernel-libipsec plugin provides an IPsec backend that works entirely in userland, using TUN devices and its own IPsec implementation libipsec. - -%package charon-nm -Summary:NetworkManager plugin for Strongswan -Requires:dbus -Obsoletes: %{name}-NetworkManager < 0:5.0.4-5 -Conflicts: %{name}-NetworkManager < 0:5.0.4-5 -Conflicts: NetworkManager-strongswan < 1.4.2-1 - -%description charon-nm -NetworkManager plugin integrates a subset of Strongswan capabilities to NetworkManager. - -%package sqlite -Summary: SQLite support for strongSwan -Requires: %{name} = %{version}-%{release} - -%description sqlite -The sqlite plugin adds an SQLite database backend to strongSwan. - -%package tnc-imcvs -Summary: Trusted network connect (TNC)'s IMC/IMV functionality -Requires: %{name} = %{version}-%{release} -Requires: %{name}-sqlite = %{version}-%{release} - -%description tnc-imcvs -This package provides Trusted Network Connect's (TNC) architec ture support. -It includes support for TNC client and server (IF-TNCCS), IMC and IMV message -exchange (IF-M), interface between IMC/IMV and TNC client/server (IF-IMC -and IF-IMV). It also includes PTS based IMC/IMV for TPM based remote -attestation, SWID IMC/IMV, and OS IMC/IMV. It's IMC/IMV dynamic libraries -modules can be used by any third party TNC Client/Server imple mentation -possessing a standard IF-IMC/IMV interface. In addition, it im plements -PT-TLS to support TNC over TLS. +%package_help %prep %autosetup -n %{name}-%{version} -p1 
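Review bot: `Release: 9` at the top of this hunk is lower than the `Release: 11` it replaces, so the rebuilt 5.7.2-9 sorts below the already-published 5.7.2-11 and installed systems will not receive the CVE-2022-40617 fix through a normal upgrade. The same hunk drops `Patch0: strongswan-multiple-definition.patch` and `Patch1: fix-use-of-uninitialized-value.patch` (both deleted in this commit) along with the chrpath/ld.so.conf handling and the libipsec/charon-nm/sqlite/tnc-imcvs subpackages, which looks like an older revision of the spec being re-applied rather than a targeted security update; the second hunk (`%files`/`%changelog`) shows the same pattern, renumbering existing entries (`5.7.2-11` to `5.7.2-9`, `5.7.2-10` to `5.7.2-7`) and deleting the entries for the dropped fixes. The change I would expect keeps the current spec and only appends the new patch with a release bump: `Release: 12`, `Patch5: CVE-2022-40617.patch`, and a new changelog entry `* Tue Nov 01 2022 liyuxiang - 5.7.2-12` describing only the CVE fix.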
@@ -111,102 +89,57 @@ install -d -m 700 %{buildroot}%{_sysconfdir}/strongswan/ipsec.d/{aacerts acerts %delete_la -cd $RPM_BUILD_ROOT/usr -file `find -type f` | grep -w ELF | awk -F":" '{print $1}' | for i in `xargs` -do -chrpath -d $i -done -cd - -mkdir -p %{buildroot}/etc/ld.so.conf.d -echo "%{_libdir}/strongswan" > %{buildroot}/etc/ld.so.conf.d/%{name}-%{_arch}.conf - %preun %systemd_preun strongswan.service %post -/sbin/ldconfig %systemd_post strongswan.service %postun -/sbin/ldconfig %systemd_postun_with_restart strongswan.service %files -%doc README NEWS TODO ChangeLog +%defattr(-,root,root) +%doc README ChangeLog TODO NEWS %license COPYING %dir %attr(0700,root,root) %{_sysconfdir}/strongswan %config(noreplace) %{_sysconfdir}/strongswan/* %dir %{_libdir}/strongswan -%exclude %{_libdir}/strongswan/imcvs %dir %{_libdir}/strongswan/plugins +%dir %{_libdir}/strongswan/imcvs %dir %{_libexecdir}/strongswan -%{_unitdir}/strongswan.service -%{_unitdir}/strongswan-swanctl.service -%{_sbindir}/charon-cmd -%{_sbindir}/charon-systemd -%{_sbindir}/strongswan -%{_sbindir}/swanctl +%{_unitdir}/*.service +%{_sbindir}/* %{_libdir}/strongswan/*.so.* -%exclude %{_libdir}/strongswan/libimcv.so.* -%exclude %{_libdir}/strongswan/libtnccs.so.* -%exclude %{_libdir}/strongswan/libipsec.so.* %{_libdir}/strongswan/plugins/*.so -%exclude %{_libdir}/strongswan/plugins/libstrongswan-sqlite.so -%exclude %{_libdir}/strongswan/plugins/libstrongswan-*tnc*.so -%exclude %{_libdir}/strongswan/plugins/libstrongswan-kernel-libipsec.so +%{_libdir}/strongswan/imcvs/*.so %{_libexecdir}/strongswan/* -%exclude %{_libexecdir}/strongswan/attest -%exclude %{_libexecdir}/strongswan/pt-tls-client -%exclude %{_libexecdir}/strongswan/charon-nm -%exclude %dir %{_datadir}/strongswan/swidtag -%{_mandir}/man?/*.gz %{_datadir}/strongswan/templates/config/ %{_datadir}/strongswan/templates/database/ -%config(noreplace) /etc/ld.so.conf.d/* - -%files sqlite -%{_libdir}/strongswan/plugins/libstrongswan-sqlite.so - 
-%files tnc-imcvs -%{_sbindir}/sw-collector -%{_sbindir}/sec-updater -%dir %{_libdir}/strongswan/imcvs -%dir %{_libdir}/strongswan/plugins -%{_libdir}/strongswan/libimcv.so.* -%{_libdir}/strongswan/libtnccs.so.* -%{_libdir}/strongswan/plugins/libstrongswan-*tnc*.so -%{_libexecdir}/strongswan/attest -%{_libexecdir}/strongswan/pt-tls-client %dir %{_datadir}/strongswan/swidtag %{_datadir}/strongswan/swidtag/*.swidtag - -%files libipsec -%{_libdir}/strongswan/libipsec.so.* -%{_libdir}/strongswan/plugins/libstrongswan-kernel-libipsec.so - -%files charon-nm -%doc COPYING %{_sysconfdir}/dbus-1/system.d/nm-strongswan-service.conf -%{_libexecdir}/strongswan/charon-nm + +%files help +%{_mandir}/man1/*1.gz +%{_mandir}/man5/*5.gz +%{_mandir}/man8/*8.gz %changelog -* Tue Feb 08 2022 wangkai - 5.7.2-11 +* Tue Nov 01 2022 liyuxiang - 5.7.2-9 +- Fix CVE-2022-40617 + +* Tue Feb 08 2022 wangkai - 5.7.2-8 - fix CVE-2021-45079 -* Mon Oct 25 2021 wangkai - 5.7.2-10 +* Mon Oct 25 2021 wangkai - 5.7.2-7 - fix CVE-2021-40990 CVE-2021-40991 -* Thu Sep 09 2021 caodongxia - 5.7.2-9 -- fix rpath error - -* Wed Sep 1 2021 caodongxia - 5.7.2-8 -- fix fuzz: use of uninitialized value - -* Mon Aug 4 2021 shdluan - 5.7.2-7 -- fix multiple defination of variable - -* Sat Jul 18 2020 yaokai13 - 5.7.2-6 -- Unpack the merged package to fix the issue #l1N2UN +* Fri Aug 21 2020 gaihuiying - 5.7.2-6 +- Type:enhancement +- ID:NA +- SUG:NA +- DESC:release +1 for rebuild * Thu May 28 2020 Senlin Xia - 5.7.2-5 - prefix man pages