diff --git a/CVE-2023-26463_tls_auth_bypass_exp_pointer.patch b/CVE-2023-26463_tls_auth_bypass_exp_pointer.patch
new file mode 100644
index 0000000..6a610bc
--- /dev/null
+++ b/CVE-2023-26463_tls_auth_bypass_exp_pointer.patch
@@ -0,0 +1,51 @@
+From 980750bde07136255784d6ef6cdb5c085d30e2f9 Mon Sep 17 00:00:00 2001
+From: Tobias Brunner
+Date: Fri, 17 Feb 2023 15:07:20 +0100
+Reference: boo#1208608
+Upstream: yes
+Affected: 5.9.8, 5.9.9
+Subject: [PATCH] libtls: Fix authentication bypass and expired pointer
+ dereference
+
+`public` is returned, but previously only if a trusted key was found.
+We obviously don't want to return untrusted keys. However, since the
+reference is released after determining the key type, the returned
+object also doesn't have the correct refcount.
+
+So when the returned reference is released after verifying the TLS
+signature, the public key object is actually destroyed. The certificate
+object then points to an expired pointer, which is dereferenced once it
+itself is destroyed after the authentication is complete. Depending on
+whether the pointer is valid (i.e. points to memory allocated to the
+process) and what was allocated there after the public key was freed,
+this could result in a segmentation fault or even code execution.
+
+Fixes: 63fd718915b5 ("libtls: call create_public_enumerator() with key_type")
+Fixes: CVE-2023-26463
+---
+ src/libtls/tls_server.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/libtls/tls_server.c b/src/libtls/tls_server.c
+index c9c300917dd6..573893f2efb5 100644
+--- a/src/libtls/tls_server.c
++++ b/src/libtls/tls_server.c
+@@ -183,11 +183,11 @@ public_key_t *tls_find_public_key(auth_cfg_t *peer_auth, identification_t *id)
+ cert = peer_auth->get(peer_auth, AUTH_HELPER_SUBJECT_CERT);
+ if (cert)
+ {
+- public = cert->get_public_key(cert);
+- if (public)
++ current = cert->get_public_key(cert);
++ if (current)
+ {
+- key_type = public->get_type(public);
+- public->destroy(public);
++ key_type = current->get_type(current);
++ current->destroy(current);
+ }
+ enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
+ key_type, id, peer_auth, TRUE);
+--
+2.25.1
+
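Review bot: Neither the declaration of `current` nor the enumerator loop that should now be the only place `public` is assigned is visible in the embedded tls_server.c hunk; both lie outside its 11 lines, so the backport should be checked against the 5.9.x source this package actually builds to confirm that `current` is already in scope there, that `public` starts out NULL, and that the hunk applies without fuzz. `key_type` is likewise only assigned when `cert->get_public_key(cert)` returns a key, and its initialiser is outside the hunk, so what `create_public_enumerator()` is asked for when the peer certificate carries no usable key is worth confirming on the same tree. Since the fix deliberately removes the path that returned the untrusted, already-destroyed key, a build-time check that exercises TLS client authentication with an untrusted certificate and expects a clean rejection rather than a crash would make the behavioural change observable in the package rather than only in the patch description. The body of `tls_find_public_key` begins and ends outside the hunk.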
diff --git a/strongswan.changes b/strongswan.changes
index 86fd774..b3d3041 100644
--- a/strongswan.changes
+++ b/strongswan.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Mar 2 12:26:39 UTC 2023 - Mohd Saquib
+
+- Fixed a vulnerability in incorrectly accepted untrusted public key
+ with incorrect refcount (CVE-2023-26463 boo#1208608).
+
 -------------------------------------------------------------------
 Tue Jan 3 13:22:12 UTC 2023 - Jan Engelhardt
 
diff --git a/strongswan.spec b/strongswan.spec
index eba5327..b08753d 100644
--- a/strongswan.spec
+++ b/strongswan.spec
@@ -81,6 +81,7 @@ Patch3: %{name}_fipscheck.patch
 %endif
 Patch5: 0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch
 Patch6: harden_strongswan.service.patch
+Patch7: CVE-2023-26463_tls_auth_bypass_exp_pointer.patch
 BuildRequires: bison
 BuildRequires: curl-devel
 BuildRequires: flex
@@ -269,6 +270,7 @@ sed -e 's|@IPSEC_DIR@|%{_libexecdir}/ipsec|g' \
 > _fipscheck
 %endif
 %patch6 -p1
+%patch7 -p1
 
 %build
 CFLAGS="%{optflags} -W -Wall -Wno-pointer-sign -Wno-strict-aliasing -Wno-unused-parameter"