- Applied upstream fix for a authentication bypass vulnerability

in the eap-mschapv2 plugin (CVE-2015-8023,bsc#953817). [+ 0007-strongswan-4.4.0-5.3.3_eap_mschapv2_state.patch] OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=95
2015-11-16 15:23:01 +00:00 · 2015-11-16 15:23:01 +00:00 · 406171b31d
commit 406171b31d
parent cfde0c0ea7
3 changed files with 44 additions and 0 deletions
--- a/0007-strongswan-4.4.0-5.3.3_eap_mschapv2_state.patch
+++ b/0007-strongswan-4.4.0-5.3.3_eap_mschapv2_state.patch
@ -0,0 +1,35 @@
+From 91762f11e223e33b82182150d7c4cf7c2ec3cefa Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Thu, 29 Oct 2015 11:18:27 +0100
+References: CVE-2015-8023, bsc#953817
+Subject: [PATCH] eap-mschapv2: Only succeed authentication if MSK was
+ established
+
+An MSK is only established if the client successfully authenticated
+itself and only then must we accept an MSCHAPV2_SUCCESS message.
+
+Fixes CVE-2015-8023
+---
+ src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
+index f7f39f9841d2..931e3c41dde4 100644
+--- a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
+++ b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
+@@ -1145,7 +1145,11 @@ METHOD(eap_method_t, process_server, status_t,
+ 		}
+ 		case MSCHAPV2_SUCCESS:
+ 		{
+-			return SUCCESS;
+			if (this->msk.ptr)
+			{
+				return SUCCESS;
+			}
+			break;
+ 		}
+ 		case MSCHAPV2_FAILURE:
+ 		{
+-- 
+1.9.1
+
--- a/strongswan.changes
+++ b/strongswan.changes
@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Fri Nov 13 10:25:59 UTC 2015 - mt@suse.de
+
+- Applied upstream fix for a authentication bypass vulnerability
+  in the eap-mschapv2 plugin (CVE-2015-8023,bsc#953817).
+  [+ 0007-strongswan-4.4.0-5.3.3_eap_mschapv2_state.patch]
+
 -------------------------------------------------------------------
 Thu Jun  4 10:54:29 UTC 2015 - mt@suse.de

--- a/strongswan.spec
+++ b/strongswan.spec
@ -84,6 +84,7 @@ Patch4:         %{name}_fipsfilter.patch
 %endif
 Patch5:         0005-strongswan-5.2.2-5.3.0_unknown_payload.patch
 Patch6:         0006-strongswan-5.1.0-5.3.1_enforce_remote_auth.patch
+Patch7:         0007-strongswan-4.4.0-5.3.3_eap_mschapv2_state.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  bison
 BuildRequires:  curl-devel
@ -296,6 +297,7 @@ and the load testing plugin for IKEv2 daemon.
 %endif
 %patch5 -p1
 %patch6 -p1
+%patch7 -p1
 sed -e 's|@libexecdir@|%_libexecdir|g'    \
     < $RPM_SOURCE_DIR/strongswan.init.in \
     > strongswan.init