From 06bfaa526e13b4535a25872dcd2b53932ab15122 Mon Sep 17 00:00:00 2001
From: starlet-dx <15929766099@163.com>
Date: Thu, 14 Dec 2023 09:52:24 +0800
Subject: [PATCH] Fix CVE-2023-41913

(cherry picked from commit 268c1f09f9a19335d85cac8401663d4c39ae5bd7)
---
 CVE-2023-41913.patch | 42 ++++++++++++++++++++++++++++++++++++++++++
 strongswan.spec      |  7 ++++++-
 2 files changed, 48 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2023-41913.patch

diff --git a/CVE-2023-41913.patch b/CVE-2023-41913.patch
new file mode 100644
index 0000000..8c8af92
--- /dev/null
+++ b/CVE-2023-41913.patch
@@ -0,0 +1,42 @@
+From 027421cbd2e6e628f5f959c74d722afadc477485 Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Tue, 11 Jul 2023 12:12:25 +0200
+Subject: [PATCH] charon-tkm: Validate DH public key to fix potential buffer
+ overflow
+
+Seems this was forgotten in the referenced commit and actually could lead
+to a buffer overflow.  Since charon-tkm is untrusted this isn't that
+much of an issue but could at least be easily exploited for a DoS attack
+as DH public values are set when handling IKE_SA_INIT requests.
+
+Fixes: 0356089d0f94 ("diffie-hellman: Verify public DH values in backends")
+Fixes: CVE-2023-41913
+---
+ src/charon-tkm/src/tkm/tkm_diffie_hellman.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/charon-tkm/src/tkm/tkm_diffie_hellman.c b/src/charon-tkm/src/tkm/tkm_diffie_hellman.c
+index 2b2d103d03e9..6999ad360d7e 100644
+--- a/src/charon-tkm/src/tkm/tkm_diffie_hellman.c
++++ b/src/charon-tkm/src/tkm/tkm_diffie_hellman.c
+@@ -70,11 +70,16 @@ METHOD(key_exchange_t, get_shared_secret, bool,
+ 	return TRUE;
+ }
+ 
+-
+ METHOD(key_exchange_t, set_public_key, bool,
+ 	private_tkm_diffie_hellman_t *this, chunk_t value)
+ {
+ 	dh_pubvalue_type othervalue;
++
++	if (!key_exchange_verify_pubkey(this->group, value) ||
++		value.len > sizeof(othervalue.data))
++	{
++		return FALSE;
++	}
+ 	othervalue.size = value.len;
+ 	memcpy(&othervalue.data, value.ptr, value.len);
+ 
+-- 
+2.34.1
+
diff --git a/strongswan.spec b/strongswan.spec
index 5f3f29a..5b24eba 100644
--- a/strongswan.spec
+++ b/strongswan.spec
@@ -1,6 +1,6 @@
 Name:             strongswan
 Version:          5.9.7
-Release:          4
+Release:          5
 Summary:          An OpenSource IPsec-based VPN and TNC solution
 License:          GPLv2+
 URL:              http://www.strongswan.org/
@@ -8,6 +8,8 @@ Source0:          http://download.strongswan.org/strongswan-%{version}.tar.bz2
 
 Patch0:           remove-warning-no-format.patch
 Patch1:           CVE-2022-40617.patch
+# https://download.strongswan.org/security/CVE-2023-41913/strongswan-5.9.7-5.9.11_charon_tkm_dh_len.patch
+Patch2:           CVE-2023-41913.patch
 
 BuildRequires:    gcc chrpath autoconf automake libtool tpm2-abrmd
 BuildRequires:    systemd-devel gmp-devel libcurl-devel NetworkManager-libnm-devel openldap-devel
@@ -193,6 +195,9 @@ echo "%{_libdir}/strongswan" > %{buildroot}/etc/ld.so.conf.d/%{name}-%{_arch}.co
 %{_libexecdir}/strongswan/charon-nm
 
 %changelog
+* Thu Dec 14 2023 yaoxin <yao_xin001@hoperun.com> - 5.9.7-5
+- Fix CVE-2023-41913
+
 * Fri May 19 2023 wangkai <13474090681@163.com> - 5.9.7-4
 - Fix /usr/sbin/ipsec conflicts with libreswan
 
-- 
Gitee