diff --git a/strongswan-4.4.0-6.0.2_eap_mschapv2_failure_request_len.patch b/strongswan-4.4.0-6.0.2_eap_mschapv2_failure_request_len.patch
new file mode 100644
index 0000000000000000000000000000000000000000..c998e365546ce5d7ad1aa128278c0ed0e9a91f9d
--- /dev/null
+++ b/strongswan-4.4.0-6.0.2_eap_mschapv2_failure_request_len.patch
@@ -0,0 +1,44 @@
+From dda24815d148b91209ebf2d27e3a7acefe9b6435 Mon Sep 17 00:00:00 2001
+From: Tobias Brunner
+Date: Thu, 9 Oct 2025 11:33:45 +0200
+Subject: [PATCH] eap-mschapv2: Fix length check for Failure Request packets on
+ the client
+
+For message lengths between 6 and 8, subtracting HEADER_LEN (9) causes
+`message_len` to become negative, which is then used in calls to malloc()
+and memcpy() that both take size_t arguments, causing an integer
+underflow.
+
+For 6 and 7, the huge size requested from malloc() will fail (it exceeds
+PTRDIFF_MAX) and the returned NULL pointer will cause a segmentation
+fault in memcpy().
+
+However, for 8, the allocation is 0, which succeeds. But then the -1
+passed to memcpy() causes a heap-based buffer overflow (and possibly a
+segmentation fault when attempting to read/write that much data).
+Fortunately, if compiled with -D_FORTIFY_SOURCE=3 (the default on e.g.
+Ubuntu), the compiler will use __memcpy_chk(), which prevents that buffer
+overflow and causes the daemon to get aborted immediately instead.
+
+Fixes: f98cdf7a4765 ("adding plugin for EAP-MS-CHAPv2")
+Fixes: CVE-2025-62291
+---
+ src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
+index 21cc95a6a360..35faad2e0bb5 100644
+--- a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
++++ b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
+@@ -974,7 +974,7 @@ static status_t process_peer_failure(private_eap_mschapv2_t *this,
+ data = in->get_data(in);
+ eap = (eap_mschapv2_header_t*)data.ptr;
+
+- if (data.len < 3) /* we want at least an error code: E=e */
++ if (data.len < HEADER_LEN + 3) /* we want at least an error code: E=e */
+ {
+ DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: too short");
+ return FAILED;
+--
+2.43.0
+
diff --git a/strongswan.spec b/strongswan.spec
index e85308949e4f174ec91b09c7f785614256c1a1d2..8946296a12f3dcc2f5c328cdf5dda9e9266115a2 100644
--- a/strongswan.spec
+++ b/strongswan.spec
@@ -1,10 +1,10 @@
 Name: strongswan
 Version: 5.7.2
-Release: 11
+Release: 12
 Summary: An OpenSource IPsec-based VPN and TNC solution
-License: GPLv2+
-URL: http://www.strongswan.org/
-Source0: http://download.strongswan.org/strongswan-%{version}.tar.bz2
+License: GPL-2.0-or-later
+URL: https://www.strongswan.org/
+Source0: https://download.strongswan.org/old/5.x/strongswan-%{version}.tar.bz2
 
 Patch0: CVE-2021-41990.patch
 Patch1: CVE-2021-41991.patch
@@ -13,6 +13,8 @@ Patch3: CVE-2021-45079.patch
 Patch4: CVE-2022-40617.patch
 # https://download.strongswan.org/security/CVE-2023-41913/strongswan-5.3.0-5.9.6_charon_tkm_dh_len.patch
 Patch5: CVE-2023-41913.patch
+# https://download.strongswan.org/security/CVE-2025-62291/strongswan-4.4.0-6.0.2_eap_mschapv2_failure_request_len.patch
+Patch6: strongswan-4.4.0-6.0.2_eap_mschapv2_failure_request_len.patch
 
 BuildRequires: gcc systemd-devel gmp-devel libcurl-devel NetworkManager-libnm-devel openldap-devel
@@ -130,6 +132,9 @@ install -d -m 700 %{buildroot}%{_sysconfdir}/strongswan/ipsec.d/{aacerts acerts
 %{_mandir}/man8/*8.gz
 
 %changelog
+* Sat Nov 08 2025 Funda Wang - 5.7.2-12
+- fix CVE-2025-62291
+
 * Thu Dec 14 2023 yaoxin - 5.7.2-11
 - Fix CVE-2023-41913
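Review bot: The new `Patch6:` line in the second hunk departs from the naming convention every other backport in this spec follows — Patch0 through Patch5 are all `CVE-<id>.patch`, while Patch6 carries the upstream file name verbatim. The comment line added just above it already records the upstream URL, so nothing is lost by renaming the file and writing `Patch6: CVE-2025-62291.patch` (the patch file added in the first hunk would be renamed to match). The `%prep` section is outside this diff, so whether Patch6 is actually applied (e.g. by `%autosetup`) cannot be confirmed from what is shown; that should be checked before the release is tagged.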