- Update to release 5.9.10

OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=144

CVE-2023-26463_tls_auth_bypass_exp_pointer.patch

@@ -1,51 +0,0 @@
-From 980750bde07136255784d6ef6cdb5c085d30e2f9 Mon Sep 17 00:00:00 2001
-From: Tobias Brunner <tobias@strongswan.org>
-Date: Fri, 17 Feb 2023 15:07:20 +0100
-Reference: boo#1208608
-Upstream: yes
-Affected: 5.9.8, 5.9.9
-Subject: [PATCH] libtls: Fix authentication bypass and expired pointer
- dereference
-
-`public` is returned, but previously only if a trusted key was found.
-We obviously don't want to return untrusted keys.  However, since the
-reference is released after determining the key type, the returned
-object also doesn't have the correct refcount.
-
-So when the returned reference is released after verifying the TLS
-signature, the public key object is actually destroyed.  The certificate
-object then points to an expired pointer, which is dereferenced once it
-itself is destroyed after the authentication is complete.  Depending on
-whether the pointer is valid (i.e. points to memory allocated to the
-process) and what was allocated there after the public key was freed,
-this could result in a segmentation fault or even code execution.
-
-Fixes: 63fd718915b5 ("libtls: call create_public_enumerator() with key_type")
-Fixes: CVE-2023-26463
----
- src/libtls/tls_server.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/src/libtls/tls_server.c b/src/libtls/tls_server.c
-index c9c300917dd6..573893f2efb5 100644
---- a/src/libtls/tls_server.c
-+++ b/src/libtls/tls_server.c
-@@ -183,11 +183,11 @@ public_key_t *tls_find_public_key(auth_cfg_t *peer_auth, identification_t *id)
- 	cert = peer_auth->get(peer_auth, AUTH_HELPER_SUBJECT_CERT);
- 	if (cert)
- 	{
--		public = cert->get_public_key(cert);
--		if (public)
-+		current = cert->get_public_key(cert);
-+		if (current)
- 		{
--			key_type = public->get_type(public);
--			public->destroy(public);
-+			key_type = current->get_type(current);
-+			current->destroy(current);
- 		}
- 		enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
- 											key_type, id, peer_auth, TRUE);
--- 
-2.25.1
-

strongswan-5.9.10.tar.bz2

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3b72789e243c9fa6f0a01ccaf4f83766eba96a5e5b1e071d36e997572cf34654
+size 4765407

strongswan-5.9.10.tar.bz2.sig

@@ -0,0 +1,14 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQGzBAABCgAdFiEElI8Vik52onvz0HUy30LBcLNNuncFAmQAZmIACgkQ30LBcLNN
+uncmawv8DgoR/EdXdzvqzToiDYREwU5CfIYAPCYmUfw7tdwTZsiN9rdt13lI8+ei
+8IqYIrtGvKVtiV3qwNaxxD/spQ+b/jbOk+ifzCQzylD5gv9fFyyKjiYIiLmK3qhr
+7sc+tN90HY443qN4JV1rwHP4jN57pmNZ2qg2CbzU/zpePUHj5MlM3kgGd5bO5Q6L
+MWmstO/RcjIIsZusqscrOGsaZrkULTeLyrOTLoJcM06b0F4vzeDwhLJjVoqYFVt5
+dPXLXygUfVUr+aAvCfNA03zokt6Ok9aSOBZZ8+nMPLU6wmWjjIdOf0/H9JG3/v6F
+SGHVxlB4Z7sCkDzvmB/vmYquGw+gx+0Fx28eEV4E7TnrJrdlqC5n8wrPO9iFQ36y
+QEua+S/q7qHSUBr01DW35e70oiJmbOqSH+poPVz2Qwk3ZVgcqIxCUpz6aWPjAicL
+7VMYBssX6R5cCD3nIuHSe1+Iyx/AuFP7nuPHQrkIAKsDMVZR8GClNz+M8ZM7Cbar
+a6YUUR/D
+=FN1F
+-----END PGP SIGNATURE-----

strongswan-5.9.9.tar.bz2

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:5e16580998834658c17cebfb31dd637e728669cf2fdd325460234a4643b8d81d
-size 4764675

strongswan-5.9.9.tar.bz2.sig

@@ -1,14 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQGzBAABCgAdFiEElI8Vik52onvz0HUy30LBcLNNuncFAmOxaKcACgkQ30LBcLNN
-uneBbgv8DTvNTm48iRhC2MisT87T5oHtMtq3iCFuhXxP2X1t53e8E4eLFx837hCO
-AdTbR6CeQRyEjW+scTmTv1mmY0WGKb6npfwyCxb9qteIu3Sf21MNSqZ1Va7WMh7d
-0fm7ezF6dgxkRcmVFF+4jwwsMTx6u54I9QSsdcJ1b1u4FWThOLtCrBA7qMnxGaGN
-9whbBJB8DIZhXYF9BDRftLZ1rXoERAmXxXxt/a+vhikv0Sw/NlZTJaHsf4l/8w+p
-yWkdXm5WUo95Ilv+cboVHcqx8StTU+xSbyrZxQul3B8zG5fc7yyA3H8dR8K1fBbi
-CiBOPnQHL1m8iDSbmV7Nm6xalKwZXffLaLwnBcqfSX0JC7ZRnDfjOT/mTdPhpkoH
-JzEEDFl3iEAJGbvb5Bvyn4Q98gZOzWWsxtxWpHUzoPjVd/HFx4w95Wcod/+4JhVE
-wfHIOzALmFk7LWzCpiN4heW103ilGCJ3/n2OVn4j+3maZ01tK8hNIxWNTKYYhpbI
-eBmb+TNc
-=gp/t
------END PGP SIGNATURE-----

strongswan.changes

@@ -1,3 +1,24 @@
+-------------------------------------------------------------------
+Thu Mar  2 13:34:37 UTC 2023 - Jan Engelhardt <jengelh@inai.de>
+
+- Update to release 5.9.10
+  * Fixed a vulnerability related to certificate verification in
+    TLS-based EAP methods that leads to an authentication bypass
+    followed by an expired pointer dereference that results in a
+    denial of service but possibly even remote code execution.
+    [CVE-2023-26463]
+  * Added support for full packet hardware offload for IPsec SAs
+    and policies, which has been introduced with the Linux 6.2
+    kernel, to the kernel-netlink plugin. Bypass policies for the
+    IKE ports are automatically offloaded to devices that support
+    this type of offloading.
+  * TLS-based EAP methods use the key derivation specified in
+    draft-ietf-emu-tls-eap-types when used with TLS 1.3.
+  * Routes via XFRM interfaces can now optionally be installed
+    automatically by enabling the
+    charon.plugins.kernel-netlink.install_routes_xfrmi option.
+- Remove CVE-2023-26463_tls_auth_bypass_exp_pointer.patch
+
 -------------------------------------------------------------------
 Thu Mar  2 12:26:39 UTC 2023 - Mohd Saquib <mohd.saquib@suse.com>
 

strongswan.spec

@@ -17,7 +17,7 @@
 
 
 Name:           strongswan
-Version:        5.9.9
+Version:        5.9.10
 Release:        0
 %define         upstream_version     %{version}
 %define         strongswan_docdir    %{_docdir}/%{name}
@@ -81,7 +81,6 @@ Patch3:         %{name}_fipscheck.patch
 %endif
 Patch5:         0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch
 Patch6:         harden_strongswan.service.patch
-Patch7:         CVE-2023-26463_tls_auth_bypass_exp_pointer.patch
 BuildRequires:  bison
 BuildRequires:  curl-devel
 BuildRequires:  flex
@@ -270,7 +269,6 @@ sed -e 's|@IPSEC_DIR@|%{_libexecdir}/ipsec|g' \
      > _fipscheck
 %endif
 %patch6 -p1
-%patch7 -p1
 
 %build
 CFLAGS="%{optflags} -W -Wall -Wno-pointer-sign -Wno-strict-aliasing -Wno-unused-parameter"