Accepting request 1068689 from home:msaquib:branches:network:vpn

- Fixed a vulnerability in incorrectly accepted untrusted public key
  with incorrect refcount (CVE-2023-26463 boo#1208608).

OBS-URL: https://build.opensuse.org/request/show/1068689
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=142

CVE-2023-26463_tls_auth_bypass_exp_pointer.patch

@@ -0,0 +1,51 @@
+From 980750bde07136255784d6ef6cdb5c085d30e2f9 Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Fri, 17 Feb 2023 15:07:20 +0100
+Reference: boo#1208608
+Upstream: yes
+Affected: 5.9.8, 5.9.9
+Subject: [PATCH] libtls: Fix authentication bypass and expired pointer
+ dereference
+
+`public` is returned, but previously only if a trusted key was found.
+We obviously don't want to return untrusted keys.  However, since the
+reference is released after determining the key type, the returned
+object also doesn't have the correct refcount.
+
+So when the returned reference is released after verifying the TLS
+signature, the public key object is actually destroyed.  The certificate
+object then points to an expired pointer, which is dereferenced once it
+itself is destroyed after the authentication is complete.  Depending on
+whether the pointer is valid (i.e. points to memory allocated to the
+process) and what was allocated there after the public key was freed,
+this could result in a segmentation fault or even code execution.
+
+Fixes: 63fd718915b5 ("libtls: call create_public_enumerator() with key_type")
+Fixes: CVE-2023-26463
+---
+ src/libtls/tls_server.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/libtls/tls_server.c b/src/libtls/tls_server.c
+index c9c300917dd6..573893f2efb5 100644
+--- a/src/libtls/tls_server.c
++++ b/src/libtls/tls_server.c
+@@ -183,11 +183,11 @@ public_key_t *tls_find_public_key(auth_cfg_t *peer_auth, identification_t *id)
+ 	cert = peer_auth->get(peer_auth, AUTH_HELPER_SUBJECT_CERT);
+ 	if (cert)
+ 	{
+-		public = cert->get_public_key(cert);
+-		if (public)
++		current = cert->get_public_key(cert);
++		if (current)
+ 		{
+-			key_type = public->get_type(public);
+-			public->destroy(public);
++			key_type = current->get_type(current);
++			current->destroy(current);
+ 		}
+ 		enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
+ 											key_type, id, peer_auth, TRUE);
+-- 
+2.25.1
+

strongswan.changes

@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Mar  2 12:26:39 UTC 2023 - Mohd Saquib <mohd.saquib@suse.com>
+
+- Fixed a vulnerability in incorrectly accepted untrusted public key
+  with incorrect refcount (CVE-2023-26463 boo#1208608). 
+
 -------------------------------------------------------------------
 Tue Jan  3 13:22:12 UTC 2023 - Jan Engelhardt <jengelh@inai.de>
 

strongswan.spec

@@ -81,6 +81,7 @@ Patch3:         %{name}_fipscheck.patch
 %endif
 Patch5:         0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch
 Patch6:         harden_strongswan.service.patch
+Patch7:         CVE-2023-26463_tls_auth_bypass_exp_pointer.patch
 BuildRequires:  bison
 BuildRequires:  curl-devel
 BuildRequires:  flex
@@ -269,6 +270,7 @@ sed -e 's|@IPSEC_DIR@|%{_libexecdir}/ipsec|g' \
      > _fipscheck
 %endif
 %patch6 -p1
+%patch7 -p1
 
 %build
 CFLAGS="%{optflags} -W -Wall -Wno-pointer-sign -Wno-strict-aliasing -Wno-unused-parameter"