Accepting request 344762 from network:vpn

- Applied upstream fix for a authentication bypass vulnerability
  in the eap-mschapv2 plugin (CVE-2015-8023,bsc#953817).
  [+ 0007-strongswan-4.4.0-5.3.3_eap_mschapv2_state.patch]

OBS-URL: https://build.opensuse.org/request/show/344762
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/strongswan?expand=0&rev=62
This commit is contained in:
Dominique Leuenberger 2015-11-17 13:23:11 +00:00 committed by Git OBS Bridge
commit f3a0b7cca7
3 changed files with 44 additions and 0 deletions

View File

@ -0,0 +1,35 @@
From 91762f11e223e33b82182150d7c4cf7c2ec3cefa Mon Sep 17 00:00:00 2001
From: Tobias Brunner <tobias@strongswan.org>
Date: Thu, 29 Oct 2015 11:18:27 +0100
References: CVE-2015-8023, bsc#953817
Subject: [PATCH] eap-mschapv2: Only succeed authentication if MSK was
established
An MSK is only established if the client successfully authenticated
itself and only then must we accept an MSCHAPV2_SUCCESS message.
Fixes CVE-2015-8023
---
src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
index f7f39f9841d2..931e3c41dde4 100644
--- a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
+++ b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
@@ -1145,7 +1145,11 @@ METHOD(eap_method_t, process_server, status_t,
}
case MSCHAPV2_SUCCESS:
{
- return SUCCESS;
+ if (this->msk.ptr)
+ {
+ return SUCCESS;
+ }
+ break;
}
case MSCHAPV2_FAILURE:
{
--
1.9.1

View File

@ -1,3 +1,10 @@
-------------------------------------------------------------------
Fri Nov 13 10:25:59 UTC 2015 - mt@suse.de
- Applied upstream fix for a authentication bypass vulnerability
in the eap-mschapv2 plugin (CVE-2015-8023,bsc#953817).
[+ 0007-strongswan-4.4.0-5.3.3_eap_mschapv2_state.patch]
-------------------------------------------------------------------
Thu Jun 4 10:54:29 UTC 2015 - mt@suse.de

View File

@ -84,6 +84,7 @@ Patch4: %{name}_fipsfilter.patch
%endif
Patch5: 0005-strongswan-5.2.2-5.3.0_unknown_payload.patch
Patch6: 0006-strongswan-5.1.0-5.3.1_enforce_remote_auth.patch
Patch7: 0007-strongswan-4.4.0-5.3.3_eap_mschapv2_state.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: bison
BuildRequires: curl-devel
@ -296,6 +297,7 @@ and the load testing plugin for IKEv2 daemon.
%endif
%patch5 -p1
%patch6 -p1
%patch7 -p1
sed -e 's|@libexecdir@|%_libexecdir|g' \
< $RPM_SOURCE_DIR/strongswan.init.in \
> strongswan.init