diff --git a/strongswan-4.4.0-6.0.2_eap_mschapv2_failure_request_len.patch b/strongswan-4.4.0-6.0.2_eap_mschapv2_failure_request_len.patch
new file mode 100644
index 0000000000000000000000000000000000000000..c998e365546ce5d7ad1aa128278c0ed0e9a91f9d
--- /dev/null
+++ b/strongswan-4.4.0-6.0.2_eap_mschapv2_failure_request_len.patch
@@ -0,0 +1,44 @@
+From dda24815d148b91209ebf2d27e3a7acefe9b6435 Mon Sep 17 00:00:00 2001
+From: Tobias Brunner
+Date: Thu, 9 Oct 2025 11:33:45 +0200
+Subject: [PATCH] eap-mschapv2: Fix length check for Failure Request packets on
+ the client
+
+For message lengths between 6 and 8, subtracting HEADER_LEN (9) causes
+`message_len` to become negative, which is then used in calls to malloc()
+and memcpy() that both take size_t arguments, causing an integer
+underflow.
+
+For 6 and 7, the huge size requested from malloc() will fail (it exceeds
+PTRDIFF_MAX) and the returned NULL pointer will cause a segmentation
+fault in memcpy().
+
+However, for 8, the allocation is 0, which succeeds. But then the -1
+passed to memcpy() causes a heap-based buffer overflow (and possibly a
+segmentation fault when attempting to read/write that much data).
+Fortunately, if compiled with -D_FORTIFY_SOURCE=3 (the default on e.g.
+Ubuntu), the compiler will use __memcpy_chk(), which prevents that buffer
+overflow and causes the daemon to get aborted immediately instead.
+
+Fixes: f98cdf7a4765 ("adding plugin for EAP-MS-CHAPv2")
+Fixes: CVE-2025-62291
+---
+ src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
+index 21cc95a6a360..35faad2e0bb5 100644
+--- a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
++++ b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
+@@ -974,7 +974,7 @@ static status_t process_peer_failure(private_eap_mschapv2_t *this,
+ data = in->get_data(in);
+ eap = (eap_mschapv2_header_t*)data.ptr;
+
+- if (data.len < 3) /* we want at least an error code: E=e */
++ if (data.len < HEADER_LEN + 3) /* we want at least an error code: E=e */
+ {
+ DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: too short");
+ return FAILED;
+--
+2.43.0
+
diff --git a/strongswan.spec b/strongswan.spec
index 841622897c69d5d528426d0d609139ecc3399647..4ae8bc19571ffc460b3db7c6db0b81a2c44d2d56 100644
--- a/strongswan.spec
+++ b/strongswan.spec
@@ -1,15 +1,17 @@
 Name: strongswan
 Version: 5.9.10
-Release: 5
+Release: 6
 Summary: An OpenSource IPsec-based VPN and TNC solution
-License: GPLv2+
-URL: http://www.strongswan.org/
-Source0: http://download.strongswan.org/strongswan-%{version}.tar.bz2
+License: GPL-2.0-or-later
+URL: https://www.strongswan.org/
+Source0: https://download.strongswan.org/old/5.x/strongswan-%{version}.tar.bz2
 Patch0: remove-warning-no-format.patch
 Patch1: aes-crypter-support-sw64-arch.patch
 # https://download.strongswan.org/security/CVE-2023-41913/strongswan-5.9.7-5.9.11_charon_tkm_dh_len.patch
 Patch2: CVE-2023-41913.patch
+# https://download.strongswan.org/security/CVE-2025-62291/strongswan-4.4.0-6.0.2_eap_mschapv2_failure_request_len.patch
+Patch3: strongswan-4.4.0-6.0.2_eap_mschapv2_failure_request_len.patch
 BuildRequires: gcc chrpath autoconf automake libtool tpm2-abrmd
 BuildRequires: systemd-devel gmp-devel libcurl-devel NetworkManager-libnm-devel openldap-devel
@@ -190,13 +192,16 @@ echo "%{_libdir}/strongswan" > %{buildroot}/etc/ld.so.conf.d/%{name}-%{_arch}.co
 %{_libdir}/strongswan/plugins/libstrongswan-kernel-libipsec.so
 %files charon-nm
-%doc COPYING
+%license COPYING
 %{_sysconfdir}/dbus-1/system.d/nm-strongswan-service.conf
 %{_libexecdir}/strongswan/charon-nm
 %changelog
+* Sat Nov 08 2025 Funda Wang - 5.9.10-6
+- fix CVE-2025-62291
+
 * Thu Oct 29 2024 Wang Jinchao - 5.9.10-5
-- Fix bogus date in %changelog
+- Fix bogus date in changelog
 * Thu Dec 14 2023 yaoxin - 5.9.10-4
 - Fix CVE-2023-41913
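Review bot: No application step for the new `Patch3:` line is visible in this diff; if `%prep` (outside both hunks) applies patches with explicit numbered `%patch` lines rather than `%autosetup -p1`, the CVE-2025-62291 patch is declared but never applied and the built `charon` would still carry the short `data.len < 3` check in `process_peer_failure`. Please confirm `%prep` picks it up, e.g. `%patch3 -p1` if the spec uses numbered patches, and ideally verify the downloaded file against the upstream advisory before merging. The changelog entry `- fix CVE-2025-62291` only records the security fix, while the same hunks also change `License` to the SPDX id, switch `URL`/`Source0` to https and the `old/5.x/` path, and replace `%doc COPYING` with `%license COPYING`; a second changelog line such as `- use SPDX license id, https source URLs and %license for COPYING` would keep the release record complete. The `Source0` move to the `old/5.x/` directory also suggests 5.9.10 is no longer a current upstream branch, so it is worth noting in the commit that the 4.4.0-6.0.2 patch variant is the one intended for this version range.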