folkslinux
/
CBL-Mariner
mirror of https://github.com/microsoft/CBL-Mariner.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

[AUTO-CHERRYPICK] strongSwan: CVE-2023-41913 - branch main (#7019) 

Co-authored-by: elainezhao96 <102555676+elainezhao96@users.noreply.github.com>
This commit is contained in:
CBL-Mariner-Bot 2023-12-19 08:47:28 -08:00 committed by GitHub
parent d3735ca1f1
commit 208400264b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 46 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

41
SPECS/strongswan/strongswan-5.9.7-5.9.11_charon_tkm_dh_len.patch Normal file
View File

@ -0,0 +1,41 @@
From 027421cbd2e6e628f5f959c74d722afadc477485 Mon Sep 17 00:00:00 2001
From: Tobias Brunner <tobias@strongswan.org>
Date: Tue, 11 Jul 2023 12:12:25 +0200
Subject: [PATCH] charon-tkm: Validate DH public key to fix potential buffer
overflow
Seems this was forgotten in the referenced commit and actually could lead
to a buffer overflow. Since charon-tkm is untrusted this isn't that
much of an issue but could at least be easily exploited for a DoS attack
as DH public values are set when handling IKE_SA_INIT requests.
Fixes: 0356089d0f94 ("diffie-hellman: Verify public DH values in backends")
Fixes: CVE-2023-41913
---
src/charon-tkm/src/tkm/tkm_diffie_hellman.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/charon-tkm/src/tkm/tkm_diffie_hellman.c b/src/charon-tkm/src/tkm/tkm_diffie_hellman.c
index 2b2d103d03e9..6999ad360d7e 100644
--- a/src/charon-tkm/src/tkm/tkm_diffie_hellman.c
+++ b/src/charon-tkm/src/tkm/tkm_diffie_hellman.c
@@ -70,11 +70,16 @@ METHOD(key_exchange_t, get_shared_secret, bool,
return TRUE;
}
-
METHOD(key_exchange_t, set_public_key, bool,
private_tkm_diffie_hellman_t *this, chunk_t value)
{
dh_pubvalue_type othervalue;
+
+ if (!key_exchange_verify_pubkey(this->group, value) ||
+ value.len > sizeof(othervalue.data))
+ {
+ return FALSE;
+ }
othervalue.size = value.len;
memcpy(&othervalue.data, value.ptr, value.len);
--
2.34.1

6
SPECS/strongswan/strongswan.spec
View File

@ -1,7 +1,7 @@
Summary: The OpenSource IPsec-based VPN Solution
Name: strongswan
Version: 5.9.10
Release: 2%{?dist}
Release: 3%{?dist}
License: GPLv2+
Vendor: Microsoft Corporation
Distribution: Mariner
@ -10,6 +10,7 @@ URL: https://www.strongswan.org/
Source0: https://download.strongswan.org/%{name}-%{version}.tar.bz2
Patch0: strongswan-fix-make-check.patch
Patch1: 0001-Extending-timeout-for-test-cases-with-multiple-read-.patch
Patch2: strongswan-5.9.7-5.9.11_charon_tkm_dh_len.patch
BuildRequires: autoconf
BuildRequires: gmp-devel
@ -51,6 +52,9 @@ make check
%{_datadir}/strongswan/*
%changelog
* Wed Dec 13 2023 Elaine Zhao <@microsoft.com> - 5.9.10-3
- Fix for CVE-2023-41913
* Wed Sep 20 2023 Jon Slobodzian <joslobo@microsoft.com> - 5.9.10-2
- Recompile with stack-protection fixed gcc version (CVE-2023-4039)