diff --git a/0006-fix-compilation-error-by-adding-stdint.h.patch b/0006-fix-compilation-error-by-adding-stdint.h.patch
new file mode 100644
index 0000000..3f33240
--- /dev/null
+++ b/0006-fix-compilation-error-by-adding-stdint.h.patch
@@ -0,0 +1,33 @@
+From 831a9ea232f128c13c36066a704f6ccafa335244 Mon Sep 17 00:00:00 2001
+From: Nirmoy Das
+Date: Tue, 5 Sep 2017 11:17:16 +0200
+Subject: [PATCH] fix compilation error by adding stdint.h
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+error:
+utils/utils/memory.h:99:15: error: ‘uintptr_t’ undeclared (first use in this function); did you mean ‘__intptr_t’?
+ for (i = 0; (uintptr_t)&c[i] % sizeof(long) && i < n; i++)
+ ^~~~~~~~~
+ __intptr_t
+---
+ src/libstrongswan/utils/utils/memory.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/libstrongswan/utils/utils/memory.h b/src/libstrongswan/utils/utils/memory.h
+index b978e7c..55aaaf5 100644
+--- a/src/libstrongswan/utils/utils/memory.h
++++ b/src/libstrongswan/utils/utils/memory.h
+@@ -22,6 +22,8 @@
+ #ifndef MEMORY_H_
+ #define MEMORY_H_
+
++#include
++
+ /**
+ * Helper function that compares two binary blobs for equality
+ */
+--
+2.14.1
+
diff --git a/strongswan-5.5.3.tar.bz2 b/strongswan-5.5.3.tar.bz2
deleted file mode 100644
index e778b5e..0000000
--- a/strongswan-5.5.3.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:c5ea54b199174708de11af9b8f4ecf28b5b0743d4bc0e380e741f25b28c0f8d4
-size 4768820
diff --git a/strongswan-5.5.3.tar.bz2.sig b/strongswan-5.5.3.tar.bz2.sig
deleted file mode 100644
index ff05da8..0000000
--- a/strongswan-5.5.3.tar.bz2.sig
+++ /dev/null
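Review bot: The header of 0006-fix-compilation-error-by-adding-stdint.h.patch quotes the compiler error but says nothing about where the fix stands upstream, so the next version update cannot tell from the file whether the patch can be dropped. A line in the patch description such as `Upstream: <status or commit id, placeholder>` would record that, and the same one-line remark fits as a comment above `Patch6:` in strongswan.spec. The added `#include` line shows no header name on this page, most likely an extraction loss, since the subject names stdint.h; worth confirming against the real file.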
@@ -1,14 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v1
-
-iQGcBAABAgAGBQJZK+1/AAoJEN9CwXCzTbp3vvAMAJ6SQBu+q41eol6inaXmD1k2
-pwLgBYgMa/TG3dhvX2PxkpypratmYLY96GOy8WFP58/7z2gJL63SjCjN8MaNSZ7V
-UemJD5sEqu3lKGhR+q3Vsz/7xTBWYJSNoE1m/AdwftR6oF0CcIQLgrkjQa1OiU71
-SNqb2KFOafsSFicmhW44tdG9YFx56pzuoOgZhfDNEC9kMBKf7/rMpUeqAxsZah1I
-fETj26gYKPMZAzFdZJvcVLMT70WaHkDU3Oo3/UfIKrucLm+uvYjcrzQnP00laLvx
-LdgjuHXjXixrV92XzWCsa9Bbc39kmz2cBYlm6JPLfyON1x/DtUBdIoRcuO9y8nek
-HAiO8rLG0vyQsbhiaW5TJ6wfR/uyNGhKCIyabU90Nmo0dzVMlb5ro/1q0XcQM5Dl
-D4+FGErM3UdeDu0gj2klr1TyXwdOF6ZdlOtRBwRVH69mFz7o22Q6eGiw9o3Yf+9b
-cJCpzSQXEgZybV8XSYOzGnY9cVeD4Il4FxgYuxViXg==
-=9WTk
------END PGP SIGNATURE-----
diff --git a/strongswan-5.5.3-rpmlintrc b/strongswan-5.6.0-rpmlintrc
similarity index 100%
rename from strongswan-5.5.3-rpmlintrc
rename to strongswan-5.6.0-rpmlintrc
diff --git a/strongswan-5.6.0.tar.bz2 b/strongswan-5.6.0.tar.bz2
new file mode 100644
index 0000000..45047e3
--- /dev/null
+++ b/strongswan-5.6.0.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a14dc0d92634ed52730bfc76a76db30943a28ed3c65a560066e1e9f785827b13
+size 4850722
diff --git a/strongswan-5.6.0.tar.bz2.sig b/strongswan-5.6.0.tar.bz2.sig
new file mode 100644
index 0000000..c9ad79b
--- /dev/null
+++ b/strongswan-5.6.0.tar.bz2.sig
@@ -0,0 +1,14 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1
+
+iQGcBAABAgAGBQJZkUjtAAoJEN9CwXCzTbp3m08L/3A4QqZMMuBMuliao4kwO4tG
+kyHD+nWMrFIK2dwu9zAMY5noiVUNcXExPgF7UTbW77Tr2s8RtkrnIUCTEJ+qYk7F
+CNX2BmdYbB9MAofkaou/xAXKgfxXVxw41DY7sK59e+VZayJ+LN9Suq413ymdF6Da
+kclM5ZoEM9X7feY+n1U2/DG199pF5sFN4dEt+kgSD4NJuZHsn+jfLVYzciHBIyk5
+d1tnUAVjVUIVfGrQ6SG2SoASIla4Qv27YszdRtzIRYVjzj+bt4gX2ORkpChLGg6M
+an50EM6yDBdDDyF+muNKl8OaE6YaAmIBKuftn/Rlx8kILzUTtiKk+6au699XaW/H
+dMdHgb8AsyTi/nudz/nYfHUyYIbalOLwttG8qh3U+qCZ9ZbXy6wi9HB8FBPUNRru
+UBd1Y+kh7FMicZprlr5xGxJ78vi7avV9HOjxIZldfoAaP/AO9l4fXYs2AVzZRalJ
+eCwB7EHznJ/KVoKZ9MpXp6ne3iPGLYsoo92B8OXY3g==
+=ZRFr
+-----END PGP SIGNATURE-----
diff --git a/strongswan.changes b/strongswan.changes
index 8634b62..cd88415 100644
--- a/strongswan.changes
+++ b/strongswan.changes
@@ -1,7 +1,44 @@
+-------------------------------------------------------------------
+Tue Sep 5 17:10:11 CEST 2017 - ndas@suse.de
+
+- Updated to strongSwan 5.6.0 providing the following changes:
+ *Fixed a DoS vulnerability in the gmp plugin that was caused by insufficient input validation
+ when verifying RSA signatures, which requires decryption with the operation m^e mod n,
+ where m is the signature, and e and n are the exponent and modulus of the public key.
+ The value m is an integer between 0 and n-1, however, the gmp plugin did not verify this.
+ So if m equals n the calculation results in 0, in which case mpz_export() returns NULL.
+ This result wasn't handled properly causing a null-pointer dereference.
+ This vulnerability has been registered as CVE-2017-11185. (bsc#1051222)
+
+ *New SWIMA IMC/IMV pair implements the draft-ietf-sacm-nea-swima-patnc Internet
+ Draft and has been demonstrated at the IETF 99 Prague Hackathon.
+
+ *The IMV database template has been adapted to achieve full compliance with the
+ ISO 19770-2:2015 SWID tag standard.
+
+ *The pt-tls-client can attach and use TPM 2.0 protected private keys via the --keyid parameter.
+
+ *By default the /etc/swanctl/conf.d directory is created and *.conf files in it are included in the default
+ swanctl.conf file.
+
+ *The curl plugin now follows HTTP redirects (configurable via strongswan.conf).
+
+ *The CHILD_SA rekeying was fixed in charon-tkm and the behavior is refined a bit more since 5.5.3
+
+ *libtpmtss supports Intel's TSS2 Architecture Broker and Resource Manager interface (tcti-tabrmd).
+
+ * more on https://wiki.strongswan.org/versions/66
+
+-------------------------------------------------------------------
+Tue Sep 5 11:33:01 CEST 2017 - ndas@suse.de
+
+- fix "uintptr_t’ undeclared" compilation error.
+ [+0006-fix-compilation-error-by-adding-stdint.h.patch] + ------------------------------------------------------------------- Mon Jul 31 18:30:28 CEST 2017 - ndas@suse.de -- Updated to strongSwan 5.3.5 providing the following changes: +- Updated to strongSwan 5.3.5(bsc#1050691) providing the following changes: *Fixed a DoS vulnerability in the gmp plugin that was caused by insufficient input validation when verifying RSA signatures. More specifically, mpz_powm_sec() has two requirements regarding the passed exponent and modulus that the plugin did not diff --git a/strongswan.spec b/strongswan.spec index cbe3898..7f8d63a 100644 --- a/strongswan.spec +++ b/strongswan.spec @@ -17,7 +17,7 @@ Name: strongswan -Version: 5.5.3 +Version: 5.6.0 Release: 0 %define upstream_version %{version} %define strongswan_docdir %{_docdir}/%{name} @@ -83,6 +83,7 @@ Patch3: %{name}_fipscheck.patch Patch4: %{name}_fipsfilter.patch %endif Patch5: 0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch +Patch6: 0006-fix-compilation-error-by-adding-stdint.h.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: bison BuildRequires: curl-devel @@ -294,6 +295,7 @@ and the load testing plugin for IKEv2 daemon. %patch4 -p1 %endif %patch5 -p1 +%patch6 -p1 sed -e 's|@libexecdir@|%_libexecdir|g' \ < $RPM_SOURCE_DIR/strongswan.init.in \ > strongswan.init @@ -495,9 +497,9 @@ install -c -m644 ${RPM_SOURCE_DIR}/fips-enforce.conf \ $RPM_BUILD_ROOT%{_libexecdir}/ipsec/starter \ $RPM_BUILD_ROOT%{_libexecdir}/ipsec/pool \ $RPM_BUILD_ROOT%{_libexecdir}/ipsec/scepclient \ - $RPM_BUILD_ROOT%{_libexecdir}/ipsec/pt-tls-client \ $RPM_BUILD_ROOT%{_libexecdir}/ipsec/imv_policy_manager \ $RPM_BUILD_ROOT%{_libexecdir}/ipsec/_fipscheck \ + $RPM_BUILD_ROOT%{_bindir}/pt-tls-client \ $RPM_BUILD_ROOT%{_sbindir}/ipsec \ ; do @@ -568,6 +570,7 @@ fi %{_libexecdir}/ipsec/_fipscheck %{_libexecdir}/ipsec/.*.hmac %{_sbindir}/.ipsec.hmac +%{_bindir}/.pt-tls-client.hmac %endif %files ipsec 
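Review bot: The checksum loop that now lists `$RPM_BUILD_ROOT%{_bindir}/pt-tls-client` starts and ends outside the hunk, so it is not visible whether its body writes each `.hmac` next to the listed binary or into a fixed `%{_libexecdir}/ipsec` directory. The new `%files` entry `%{_bindir}/.pt-tls-client.hmac` only holds in the first case; if the directory is hard-coded, the integrity file for the relocated binary would be missing from the place the FIPS self-check presumably looks for it. A comment above the loop, for example `# pt-tls-client lives in %{_bindir} since 5.6.0; its .hmac must sit beside it`, would record why this one entry differs from the rest.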
@@ -594,9 +597,11 @@ fi %{_sbindir}/rcipsec %endif %{_bindir}/pki +%{_bindir}/pt-tls-client %{_sbindir}/ipsec %{_sbindir}/swanctl %{_mandir}/man1/pki*.1* +%{_mandir}/man1/pt-tls-client.1* %{_mandir}/man8/ipsec.8* %{_mandir}/man5/ipsec.conf.5* %{_mandir}/man5/ipsec.secrets.5* @@ -609,7 +614,6 @@ fi %endif %{_libexecdir}/ipsec/duplicheck %{_libexecdir}/ipsec/pool -%{_libexecdir}/ipsec/pt-tls-client %{_libexecdir}/ipsec/scepclient %{_libexecdir}/ipsec/starter %{_libexecdir}/ipsec/stroke