Date: Sat, 4 Mar 2023 06:32:45 GMT
From: Eugene Grosbein <eugen@FreeBSD.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
Subject: git: c703ad728b40 - main - security/strongswan: fix CVE-2023-26463
Message-ID: <202303040632.3246WjBW016557@gitrepo.freebsd.org>
The branch main has been updated by eugen:

URL: https://cgit.FreeBSD.org/ports/commit/?id=c703ad728b40f1b323b3b388745f03e2c279ccfb

commit c703ad728b40f1b323b3b388745f03e2c279ccfb
Author:     Eugene Grosbein <eugen@FreeBSD.org>
AuthorDate: 2023-03-04 06:26:38 +0000
Commit:     Eugene Grosbein <eugen@FreeBSD.org>
CommitDate: 2023-03-04 06:31:16 +0000

    security/strongswan: fix CVE-2023-26463

    This is an urgent change adding the official patch
    https://download.strongswan.org/security/CVE-2023-26463/strongswan-5.9.8-5.9.9_tls_auth_bypass_exp_pointer.patch

    It is up to the port maintainer to review and maybe upgrade the port to 5.9.10.

    Obtained from:  strongSwan
    Security:       CVE-2023-26463
---
 security/strongswan/Makefile                       |  2 +-
 .../strongswan/files/patch-src_libtls_tls_server.c | 48 ++++++++++++++++++++++
 2 files changed, 49 insertions(+), 1 deletion(-)

diff --git a/security/strongswan/Makefile b/security/strongswan/Makefile index 0654cc82aa70..0870d891ebce 100644 --- a/security/strongswan/Makefile +++ b/security/strongswan/Makefile @@ -1,6 +1,6 @@ PORTNAME= strongswan DISTVERSION= 5.9.9 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= security net-vpn MASTER_SITES= https://download.strongswan.org/ \ https://download2.strongswan.org/ diff --git a/security/strongswan/files/patch-src_libtls_tls_server.c b/security/strongswan/files/patch-src_libtls_tls_server.c new file mode 100644 index 000000000000..5bd53faab6fb --- /dev/null +++ b/security/strongswan/files/patch-src_libtls_tls_server.c
@@ -0,0 +1,48 @@ +From 980750bde07136255784d6ef6cdb5c085d30e2f9 Mon Sep 17 00:00:00 2001 +From: Tobias Brunner <tobias@strongswan.org> +Date: Fri, 17 Feb 2023 15:07:20 +0100 +Subject: [PATCH] libtls: Fix authentication bypass and expired pointer + dereference + +`public` is returned, but previously only if a trusted key was found. +We obviously don't want to return untrusted keys. However, since the +reference is released after determining the key type, the returned +object also doesn't have the correct refcount. + +So when the returned reference is released after verifying the TLS +signature, the public key object is actually destroyed. The certificate +object then points to an expired pointer, which is dereferenced once it +itself is destroyed after the authentication is complete. Depending on +whether the pointer is valid (i.e. points to memory allocated to the +process) and what was allocated there after the public key was freed, +this could result in a segmentation fault or even code execution. + +Fixes: 63fd718915b5 ("libtls: call create_public_enumerator() with key_type") +Fixes: CVE-2023-26463 +--- + src/libtls/tls_server.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/src/libtls/tls_server.c b/src/libtls/tls_server.c +index c9c300917dd6..573893f2efb5 100644 +--- src/libtls/tls_server.c ++++ src/libtls/tls_server.c +@@ -183,11 +183,11 @@ public_key_t *tls_find_public_key(auth_cfg_t *peer_auth, identification_t *id) + cert = peer_auth->get(peer_auth, AUTH_HELPER_SUBJECT_CERT); + if (cert) + { +- public = cert->get_public_key(cert); +- if (public) ++ current = cert->get_public_key(cert); ++ if (current) + { +- key_type = public->get_type(public); +- public->destroy(public); ++ key_type = current->get_type(current); ++ current->destroy(current); + } + enumerator = lib->credmgr->create_public_enumerator(lib->credmgr, + key_type, id, peer_auth, TRUE); +-- +2.25.1 +
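Review bot: the PORTREVISION bump from 1 to 2 in the Makefile hunk is the right change for adding a files/patch-* with DISTVERSION left at 5.9.9, but the diffstat shows only the Makefile and the new patch file, so a security/vuxml entry for CVE-2023-26463 covering strongswan packages older than 5.9.9_2 should land alongside this commit (or be confirmed as already present) so that pkg audit flags installed vulnerable packages; since the commit message itself says the maintainer may move to 5.9.10, a one-line Makefile comment noting that the local patch is obsoleted by that upgrade would save the next committer a lookup.

Review bot: the inner diff in the new patch file assigns to `current` (`current = cert->get_public_key(cert);`) without the hunk showing its declaration, and the fix only closes the authentication bypass if `public` is initialised to NULL and is not assigned anywhere else before the enumerator finds a trusted match; both facts sit outside the 11-line context, so confirm them against the 5.9.9 tls_server.c before relying on the patch. Two smaller points: the stripped `a/` and `b/` prefixes in `--- src/libtls/tls_server.c` / `+++ src/libtls/tls_server.c` are what the ports framework's default -p0 patch application expects, so that is correct as written; and the git format-patch wrapper (From:, Date:, Subject:, the body, the `-- 2.25.1` trailer) is harmless to patch(1) but `make makepatch` would regenerate the file in the usual `.orig` header style, so keep the upstream commit text as a header comment if the file is ever regenerated, because it is the only place on the port side that documents the CVE.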
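The mechanism the upstream commit message describes (a key-type probe that releases its reference but leaves the pointer behind, so an untrusted key is returned with no reference held and the certificate later releases a reference it no longer owns), as an added example that is not strongSwan code: a toy refcounted public key and certificate with the buggy and the fixed lookup side by side. The names pubkey_t, cert_t, lookup_trusted() and authenticate() are constructed for the illustration, as is the choice to poison a destroyed key instead of free()ing it, which lets the premature destroy be observed without an actual use-after-free.

```c
/* Added example, not strongSwan code: a toy refcounted public key and
 * certificate reproducing the bug in the upstream commit message.  pubkey_t,
 * cert_t, lookup_trusted() and authenticate() are constructed names; destroy()
 * poisons rather than free()s so the premature destroy is observable. */
#include <stddef.h>
#include <stdbool.h>

typedef struct pubkey {
    int refs;       /* outstanding references */
    int type;       /* stands in for key_type_t */
    bool alive;     /* false once the last reference is released */
} pubkey_t;

typedef struct cert {
    pubkey_t *key;  /* the certificate owns one reference to its key */
} cert_t;

static pubkey_t *pubkey_get_ref(pubkey_t *k) { k->refs++; return k; }

/* Mirrors public->destroy(): the object dies with its last reference. */
static void pubkey_destroy(pubkey_t *k)
{
    if (--k->refs == 0) {
        k->alive = false;
    }
}

/* cert->get_public_key() hands out a new reference the caller must release. */
static pubkey_t *cert_get_public_key(cert_t *c)
{
    return c->key ? pubkey_get_ref(c->key) : NULL;
}

/* cert->destroy() releases the certificate's own reference. */
static void cert_destroy(cert_t *c)
{
    pubkey_destroy(c->key);
}

/* Stand-in for create_public_enumerator(): yields a trusted key reference
 * only when the certificate is actually trusted. */
static pubkey_t *lookup_trusted(cert_t *c, int key_type, bool trusted)
{
    (void)key_type;
    return trusted ? pubkey_get_ref(c->key) : NULL;
}

/* Before the fix: the key-type probe goes through `public`, whose reference
 * is released at once, yet the stale pointer is still returned when no
 * trusted key is found. */
pubkey_t *find_public_key_buggy(cert_t *cert, bool trusted)
{
    pubkey_t *public = NULL, *current;
    int key_type = 0;

    public = cert_get_public_key(cert);
    if (public) {
        key_type = public->type;
        pubkey_destroy(public);     /* back to the cert's single reference */
    }
    current = lookup_trusted(cert, key_type, trusted);
    if (current) {
        public = current;
    }
    return public;                  /* untrusted: pointer with no reference */
}

/* After the fix: the probe uses `current`, so `public` is non-NULL only
 * when the trust lookup supplied a properly referenced key. */
pubkey_t *find_public_key_fixed(cert_t *cert, bool trusted)
{
    pubkey_t *public = NULL, *current;
    int key_type = 0;

    current = cert_get_public_key(cert);
    if (current) {
        key_type = current->type;
        pubkey_destroy(current);
    }
    current = lookup_trusted(cert, key_type, trusted);
    if (current) {
        public = current;
    }
    return public;
}

/* One TLS-style authentication: find the key, treat a non-NULL result as a
 * verified signature, release that reference, then destroy the certificate.
 * Returns true if the key was still alive when the certificate released it;
 * *authenticated reports whether the peer was accepted. */
bool authenticate(pubkey_t *(*find)(cert_t *, bool), bool trusted,
                  bool *authenticated)
{
    pubkey_t key = { .refs = 1, .type = 1, .alive = true };
    cert_t cert = { .key = &key };
    pubkey_t *public = find(&cert, trusted);
    bool key_alive;

    *authenticated = (public != NULL);
    if (public) {
        pubkey_destroy(public);     /* release after the signature check */
    }
    key_alive = key.alive;          /* what cert->destroy() is about to touch */
    cert_destroy(&cert);
    return key_alive;
}
```

Run through authenticate(), the buggy lookup accepts an untrusted certificate and, because the caller's release drops the refcount to zero, the key is already dead by the time the certificate releases its own reference; that second release is the expired-pointer dereference the advisory describes. The fixed lookup rejects the untrusted certificate and leaves the refcount balanced, and both versions behave identically for a trusted certificate.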