diff --git a/CVE-2023-41913.patch b/CVE-2023-41913.patch new file mode 100644 index 0000000000000000000000000000000000000000..93ff798ce7f25fde05d88c0dd4ddb739fbb06992 --- /dev/null +++ b/CVE-2023-41913.patch @@ -0,0 +1,42 @@ +From 027421cbd2e6e628f5f959c74d722afadc477485 Mon Sep 17 00:00:00 2001 +From: Tobias Brunner +Date: Tue, 11 Jul 2023 12:12:25 +0200 +Subject: [PATCH] charon-tkm: Validate DH public key to fix potential buffer + overflow + +Seems this was forgotten in the referenced commit and actually could lead +to a buffer overflow. Since charon-tkm is untrusted this isn't that +much of an issue but could at least be easily exploited for a DoS attack +as DH public values are set when handling IKE_SA_INIT requests. + +Fixes: 0356089d0f94 ("diffie-hellman: Verify public DH values in backends") +Fixes: CVE-2023-41913 +--- + src/charon-tkm/src/tkm/tkm_diffie_hellman.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/src/charon-tkm/src/tkm/tkm_diffie_hellman.c b/src/charon-tkm/src/tkm/tkm_diffie_hellman.c +index 2b2d103d03e9..6999ad360d7e 100644 +--- a/src/charon-tkm/src/tkm/tkm_diffie_hellman.c ++++ b/src/charon-tkm/src/tkm/tkm_diffie_hellman.c +@@ -70,11 +70,16 @@ METHOD(key_exchange_t, get_shared_secret, bool, + return TRUE; + } + +- + METHOD(diffie_hellman_t, set_other_public_value, bool, + private_tkm_diffie_hellman_t *this, chunk_t value) + { + dh_pubvalue_type othervalue; ++ ++ if (!key_exchange_verify_pubkey(this->group, value) || ++ value.len > sizeof(othervalue.data)) ++ { ++ return FALSE; ++ } + othervalue.size = value.len; + memcpy(&othervalue.data, value.ptr, value.len); + +-- +2.34.1 + diff --git a/add-missing-extern-for-swanctl_dir-variable-in-header.patch b/add-missing-extern-for-swanctl_dir-variable-in-header.patch new file mode 100644 index 0000000000000000000000000000000000000000..ea1ef1403ace7dcea8760f33a9d814dc1d82fae0 --- /dev/null +++ b/add-missing-extern-for-swanctl_dir-variable-in-header.patch @@ -0,0 +1,13 @@ +diff --git a/src/swanctl/swanctl.h b/src/swanctl/swanctl.h +index f0c334f..70f70d1 100644 +--- a/src/swanctl/swanctl.h ++++ b/src/swanctl/swanctl.h +@@ -30,7 +30,7 @@ + /** + * Base directory for credentials and config + */ +-char *swanctl_dir; ++extern char *swanctl_dir; + + /** + * Configuration file for connections, etc. diff --git a/strongswan.spec b/strongswan.spec index 0106d32b7d9854295e80fc5f9f1b581e095399c1..e85308949e4f174ec91b09c7f785614256c1a1d2 100644 --- a/strongswan.spec +++ b/strongswan.spec @@ -1,6 +1,6 @@ Name: strongswan Version: 5.7.2 -Release: 9 +Release: 11 Summary: An OpenSource IPsec-based VPN and TNC solution License: GPLv2+ URL: http://www.strongswan.org/ @@ -8,8 +8,12 @@ Source0: http://download.strongswan.org/strongswan-%{version}.tar.bz2 Patch0: CVE-2021-41990.patch Patch1: CVE-2021-41991.patch -Patch2: CVE-2021-45079.patch -Patch3: CVE-2022-40617.patch +Patch2: add-missing-extern-for-swanctl_dir-variable-in-header.patch +Patch3: CVE-2021-45079.patch +Patch4: CVE-2022-40617.patch +# https://download.strongswan.org/security/CVE-2023-41913/strongswan-5.3.0-5.9.6_charon_tkm_dh_len.patch +Patch5: CVE-2023-41913.patch + BuildRequires: gcc systemd-devel gmp-devel libcurl-devel NetworkManager-libnm-devel openldap-devel BuildRequires: openssl-devel sqlite-devel gettext-devel trousers-devel libxml2-devel pam-devel @@ -126,12 +130,18 @@ install -d -m 700 %{buildroot}%{_sysconfdir}/strongswan/ipsec.d/{aacerts acerts %{_mandir}/man8/*8.gz %changelog -* Tue Nov 01 2022 liyuxiang - 5.7.2-9 -- Fix CVE-2022-40617 +* Thu Dec 14 2023 yaoxin - 5.7.2-11 +- Fix CVE-2023-41913 + +* Tue Nov 01 2022 liyuxiang - 5.7.2-10 +- fix CVE-2022-40617 -* Tue Feb 08 2022 wangkai - 5.7.2-8 +* Tue Feb 08 2022 wangkai - 5.7.2-9 - fix CVE-2021-45079 +* Wed Dec 22 2021 zhangjiapeng - 5.7.2-8 +- add missing extern for swanctl_dir variable in header + * Mon Oct 25 2021 wangkai - 5.7.2-7 - fix CVE-2021-40990 CVE-2021-40991