forked from pool/strongswan

- Update to release 5.9.10

OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=144
Jan Engelhardt 2023-03-02 13:42:24 +00:00 committed by Git OBS Bridge
parent e8a63e6496
commit 016cf7b1e8
7 changed files with 39 additions and 71 deletions


@ -1,51 +0,0 @@
From 980750bde07136255784d6ef6cdb5c085d30e2f9 Mon Sep 17 00:00:00 2001
From: Tobias Brunner <tobias@strongswan.org>
Date: Fri, 17 Feb 2023 15:07:20 +0100
Reference: boo#1208608
Upstream: yes
Affected: 5.9.8, 5.9.9
Subject: [PATCH] libtls: Fix authentication bypass and expired pointer
dereference
`public` is returned, but previously only if a trusted key was found.
We obviously don't want to return untrusted keys. However, since the
reference is released after determining the key type, the returned
object also doesn't have the correct refcount.
So when the returned reference is released after verifying the TLS
signature, the public key object is actually destroyed. The certificate
object then points to an expired pointer, which is dereferenced once it
itself is destroyed after the authentication is complete. Depending on
whether the pointer is valid (i.e. points to memory allocated to the
process) and what was allocated there after the public key was freed,
this could result in a segmentation fault or even code execution.
Fixes: 63fd718915b5 ("libtls: call create_public_enumerator() with key_type")
Fixes: CVE-2023-26463
---
src/libtls/tls_server.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/libtls/tls_server.c b/src/libtls/tls_server.c
index c9c300917dd6..573893f2efb5 100644
--- a/src/libtls/tls_server.c
+++ b/src/libtls/tls_server.c
@@ -183,11 +183,11 @@ public_key_t *tls_find_public_key(auth_cfg_t *peer_auth, identification_t *id)
cert = peer_auth->get(peer_auth, AUTH_HELPER_SUBJECT_CERT);
if (cert)
{
- public = cert->get_public_key(cert);
- if (public)
+ current = cert->get_public_key(cert);
+ if (current)
{
- key_type = public->get_type(public);
- public->destroy(public);
+ key_type = current->get_type(current);
+ current->destroy(current);
}
enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
key_type, id, peer_auth, TRUE);
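Review bot: `current` is introduced here but its declaration is outside the shown context, so a `public_key_t *current` must already exist in tls_find_public_key (the enumerator loop that follows is the natural owner); if it does not, this backport will not compile against 5.9.9 and the build log should be checked. The substance of the fix is sound: `public` is no longer assigned during the key-type probe and then released via `public->destroy(public)`, so the value returned after the trusted-key enumeration can no longer alias the reference freed in this block, which is exactly the expired pointer the commit message describes, and an untrusted certificate no longer yields a non-NULL `public` by side effect.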
--
2.25.1
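Review bot: dropping the whole backport is justified only if 5.9.10 carries upstream commit 980750bde07; the header's `Upstream: yes` and the changelog entry in this commit crediting 5.9.10 with the CVE-2023-26463 fix are consistent with that, but the hunk offers no other evidence, so the merged release should be diffed against this patch's `src/libtls/tls_server.c` change before the submit request is accepted.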


@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:3b72789e243c9fa6f0a01ccaf4f83766eba96a5e5b1e071d36e997572cf34654
size 4765407
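Review bot: the LFS pointer records only the sha256 of the stored blob (`3b72789e243c9fa6f0a01ccaf4f83766eba96a5e5b1e071d36e997572cf34654`, 4765407 bytes); nothing in this hunk ties that digest to the checksum upstream published for the 5.9.10 tarball. Verify the tarball against the PGP signature added in the next file with the strongSwan release key before accepting the update, since the signature body is not reproduced on this page and cannot be checked from the diff alone.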


@ -0,0 +1,14 @@
-----BEGIN PGP SIGNATURE-----
[ASCII-armored signature body not reproduced on this page]
=FN1F
-----END PGP SIGNATURE-----


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:5e16580998834658c17cebfb31dd637e728669cf2fdd325460234a4643b8d81d
size 4764675


@ -1,14 +0,0 @@
-----BEGIN PGP SIGNATURE-----
[ASCII-armored signature body not reproduced on this page]
=gp/t
-----END PGP SIGNATURE-----


@ -1,3 +1,24 @@
-------------------------------------------------------------------
Thu Mar 2 13:34:37 UTC 2023 - Jan Engelhardt <jengelh@inai.de>
- Update to release 5.9.10
* Fixed a vulnerability related to certificate verification in
TLS-based EAP methods that leads to an authentication bypass
followed by an expired pointer dereference that results in a
denial of service but possibly even remote code execution.
[CVE-2023-26463]
* Added support for full packet hardware offload for IPsec SAs
and policies, which has been introduced with the Linux 6.2
kernel, to the kernel-netlink plugin. Bypass policies for the
IKE ports are automatically offloaded to devices that support
this type of offloading.
* TLS-based EAP methods use the key derivation specified in
draft-ietf-emu-tls-eap-types when used with TLS 1.3.
* Routes via XFRM interfaces can now optionally be installed
automatically by enabling the
charon.plugins.kernel-netlink.install_routes_xfrmi option.
- Remove CVE-2023-26463_tls_auth_bypass_exp_pointer.patch
-------------------------------------------------------------------
Thu Mar 2 12:26:39 UTC 2023 - Mohd Saquib <mohd.saquib@suse.com>
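Review bot: the CVE-2023-26463 entry should also carry the bug reference; the patch being removed in this commit cites `Reference: boo#1208608`, and once that file is gone the changelog is the only place in the package sources where the tracker can be linked, so the line `[CVE-2023-26463]` should read `[CVE-2023-26463, boo#1208608]` so the update closes the bug.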


@ -17,7 +17,7 @@
Name: strongswan
Version: 5.9.9
Version: 5.9.10
Release: 0
%define upstream_version %{version}
%define strongswan_docdir %{_docdir}/%{name}
@ -81,7 +81,6 @@ Patch3: %{name}_fipscheck.patch
%endif
Patch5: 0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch
Patch6: harden_strongswan.service.patch
Patch7: CVE-2023-26463_tls_auth_bypass_exp_pointer.patch
BuildRequires: bison
BuildRequires: curl-devel
BuildRequires: flex
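Review bot: removing the Patch7 declaration is consistent with the deletion of CVE-2023-26463_tls_auth_bypass_exp_pointer.patch in this commit and with the `%patch7 -p1` removal in the %prep hunk below; the gap left after Patch6 is harmless. With the backport gone the package relies entirely on the 5.9.10 tarball for the CVE fix, so this hunk and the Version bump must not be cherry-picked independently into a branch that still builds 5.9.9.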
@ -270,7 +269,6 @@ sed -e 's|@IPSEC_DIR@|%{_libexecdir}/ipsec|g' \
> _fipscheck
%endif
%patch6 -p1
%patch7 -p1
%build
CFLAGS="%{optflags} -W -Wall -Wno-pointer-sign -Wno-strict-aliasing -Wno-unused-parameter"