packages/strongswan
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix CVE-2023-41913

Browse Source 
(cherry picked from commit 95eb2fb45f791ae984e6604e2894ec8f44e4815d)
This commit is contained in:
starlet-dx 2023-12-14 10:12:45 +08:00 committed by openeuler-sync-bot
parent 9436b40f7a
commit 7193134191
2 changed files with 49 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
CVE-2023-41913.patch Normal file
View File

@ -0,0 +1,42 @@
From 027421cbd2e6e628f5f959c74d722afadc477485 Mon Sep 17 00:00:00 2001
From: Tobias Brunner <tobias@strongswan.org>
Date: Tue, 11 Jul 2023 12:12:25 +0200
Subject: [PATCH] charon-tkm: Validate DH public key to fix potential buffer
overflow
Seems this was forgotten in the referenced commit and actually could lead
to a buffer overflow. Since charon-tkm is untrusted this isn't that
much of an issue but could at least be easily exploited for a DoS attack
as DH public values are set when handling IKE_SA_INIT requests.
Fixes: 0356089d0f94 ("diffie-hellman: Verify public DH values in backends")
Fixes: CVE-2023-41913
---
src/charon-tkm/src/tkm/tkm_diffie_hellman.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/charon-tkm/src/tkm/tkm_diffie_hellman.c b/src/charon-tkm/src/tkm/tkm_diffie_hellman.c
index 2b2d103d03e9..6999ad360d7e 100644
--- a/src/charon-tkm/src/tkm/tkm_diffie_hellman.c
+++ b/src/charon-tkm/src/tkm/tkm_diffie_hellman.c
@@ -70,11 +70,16 @@ METHOD(key_exchange_t, get_shared_secret, bool,
return TRUE;
}
-
METHOD(diffie_hellman_t, set_other_public_value, bool,
private_tkm_diffie_hellman_t *this, chunk_t value)
{
dh_pubvalue_type othervalue;
+
+ if (!key_exchange_verify_pubkey(this->group, value) ||
+ value.len > sizeof(othervalue.data))
+ {
+ return FALSE;
+ }
othervalue.size = value.len;
memcpy(&othervalue.data, value.ptr, value.len);
--
2.34.1

9
strongswan.spec
View File

@ -1,6 +1,6 @@
Name: strongswan Name: strongswan
Version: 5.7.2 Version: 5.7.2
Release: 10 Release: 11
Summary: An OpenSource IPsec-based VPN and TNC solution Summary: An OpenSource IPsec-based VPN and TNC solution
License: GPLv2+ License: GPLv2+
URL: http://www.strongswan.org/ URL: http://www.strongswan.org/
@ -10,7 +10,9 @@ Patch0: CVE-2021-41990.patch
Patch1: CVE-2021-41991.patch Patch1: CVE-2021-41991.patch
Patch2: add-missing-extern-for-swanctl_dir-variable-in-header.patch Patch2: add-missing-extern-for-swanctl_dir-variable-in-header.patch
Patch3: CVE-2021-45079.patch Patch3: CVE-2021-45079.patch
Patch4: CVE-2022-40617.patch Patch4: CVE-2022-40617.patch
# https://download.strongswan.org/security/CVE-2023-41913/strongswan-5.3.0-5.9.6_charon_tkm_dh_len.patch
Patch5: CVE-2023-41913.patch
BuildRequires: gcc systemd-devel gmp-devel libcurl-devel NetworkManager-libnm-devel openldap-devel BuildRequires: gcc systemd-devel gmp-devel libcurl-devel NetworkManager-libnm-devel openldap-devel
@ -128,6 +130,9 @@ install -d -m 700 %{buildroot}%{_sysconfdir}/strongswan/ipsec.d/{aacerts acerts
%{_mandir}/man8/*8.gz %{_mandir}/man8/*8.gz
%changelog %changelog
* Thu Dec 14 2023 yaoxin <yao_xin001@hoperun.com> - 5.7.2-11
- Fix CVE-2023-41913
* Tue Nov 01 2022 liyuxiang <liyuxiang@ncti-gba.cn> - 5.7.2-10 * Tue Nov 01 2022 liyuxiang <liyuxiang@ncti-gba.cn> - 5.7.2-10
- fix CVE-2022-40617 - fix CVE-2022-40617