Date: Fri, 24 Nov 2023 08:06:28 GMT From: Eugene Grosbein <eugen@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org Subject: git: 4e2c0382dd6c - main - security/strongswan: fix CVE-2023-41913 Message-ID: <202311240806.3AO86SBL012871@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by eugen: URL: https://cgit.FreeBSD.org/ports/commit/?id=4e2c0382dd6c024d5349318f9a18762b3814ef9a commit 4e2c0382dd6c024d5349318f9a18762b3814ef9a Author: Eugene Grosbein <eugen@FreeBSD.org> AuthorDate: 2023-11-24 08:03:00 +0000 Commit: Eugene Grosbein <eugen@FreeBSD.org> CommitDate: 2023-11-24 08:03:00 +0000 security/strongswan: fix CVE-2023-41913 This is urgent change adding official patch https://download.strongswan.org/security/CVE-2023-41913/strongswan-5.9.7-5.9.11_charon_tkm_dh_len.patch that is identical to the change made for strongswan-5.9.12: https://github.com/strongswan/strongswan/commit/96d793718955820dfe5e6d8aa6127a34795ae39e It is upto port maintainer to review and maybe upgrade the port to 5.9.12 Obtained from: strongSwan Security: CVE-2023-41913 --- security/strongswan/Makefile | 2 +- ...swanctl_charon-tkm_src_tkm_tkm_diffie_hellman.c | 42 ++++++++++++++++++++++ 2 files changed, 43 insertions(+), 1 deletion(-) diff --git a/security/strongswan/Makefile b/security/strongswan/Makefile index f6fe9d669352..c7972b9ca9b6 100644 --- a/security/strongswan/Makefile +++ b/security/strongswan/Makefile @@ -1,6 +1,6 @@ PORTNAME= strongswan DISTVERSION= 5.9.11 -PORTREVISION= 2 +PORTREVISION= 3 CATEGORIES= security net-vpn MASTER_SITES= https://download.strongswan.org/ \ https://download2.strongswan.org/ diff --git a/security/strongswan/files/patch-src_swanctl_charon-tkm_src_tkm_tkm_diffie_hellman.c b/security/strongswan/files/patch-src_swanctl_charon-tkm_src_tkm_tkm_diffie_hellman.c new file mode 100644 index 000000000000..f70c02446427 --- /dev/null +++ b/security/strongswan/files/patch-src_swanctl_charon-tkm_src_tkm_tkm_diffie_hellman.c @@ -0,0 +1,42 @@ +From 027421cbd2e6e628f5f959c74d722afadc477485 Mon Sep 17 00:00:00 2001 +From: Tobias Brunner <tobias@strongswan.org> +Date: Tue, 11 Jul 2023 12:12:25 +0200 +Subject: [PATCH] charon-tkm: Validate DH public key to fix potential buffer + overflow + +Seems this was forgotten in the referenced commit and actually could lead +to a buffer overflow. Since charon-tkm is untrusted this isn't that +much of an issue but could at least be easily exploited for a DoS attack +as DH public values are set when handling IKE_SA_INIT requests. + +Fixes: 0356089d0f94 ("diffie-hellman: Verify public DH values in backends") +Fixes: CVE-2023-41913 +--- + src/charon-tkm/src/tkm/tkm_diffie_hellman.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/src/charon-tkm/src/tkm/tkm_diffie_hellman.c b/src/charon-tkm/src/tkm/tkm_diffie_hellman.c +index 2b2d103d03e9..6999ad360d7e 100644 +--- src/charon-tkm/src/tkm/tkm_diffie_hellman.c ++++ src/charon-tkm/src/tkm/tkm_diffie_hellman.c +@@ -70,11 +70,16 @@ METHOD(key_exchange_t, get_shared_secret, bool, + return TRUE; + } + +- + METHOD(key_exchange_t, set_public_key, bool, + private_tkm_diffie_hellman_t *this, chunk_t value) + { + dh_pubvalue_type othervalue; ++ ++ if (!key_exchange_verify_pubkey(this->group, value) || ++ value.len > sizeof(othervalue.data)) ++ { ++ return FALSE; ++ } + othervalue.size = value.len; + memcpy(&othervalue.data, value.ptr, value.len); + +-- +2.34.1 +
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202311240806.3AO86SBL012871>