Skip site navigation (1)Skip section navigation (2)
Date:      Sat, 4 Mar 2023 06:32:45 GMT
From:      Eugene Grosbein <eugen@FreeBSD.org>
To:        ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
Subject:   git: c703ad728b40 - main - security/strongswan: fix CVE-2023-26463
Message-ID:  <202303040632.3246WjBW016557@gitrepo.freebsd.org>

next in thread | raw e-mail | index | archive | help
The branch main has been updated by eugen:

URL: https://cgit.FreeBSD.org/ports/commit/?id=c703ad728b40f1b323b3b388745f03e2c279ccfb

commit c703ad728b40f1b323b3b388745f03e2c279ccfb
Author:     Eugene Grosbein <eugen@FreeBSD.org>
AuthorDate: 2023-03-04 06:26:38 +0000
Commit:     Eugene Grosbein <eugen@FreeBSD.org>
CommitDate: 2023-03-04 06:31:16 +0000

    security/strongswan: fix CVE-2023-26463
    
    This is urgent change adding official patch
    https://download.strongswan.org/security/CVE-2023-26463/strongswan-5.9.8-5.9.9_tls_auth_bypass_exp_pointer.patch
    
    It is upto port maintainer to review and maybe upgrade
    the port to 5.9.10.
    
    Obtained from:  strongSwan
    Security:       CVE-2023-26463
---
 security/strongswan/Makefile                       |  2 +-
 .../strongswan/files/patch-src_libtls_tls_server.c | 48 ++++++++++++++++++++++
 2 files changed, 49 insertions(+), 1 deletion(-)

diff --git a/security/strongswan/Makefile b/security/strongswan/Makefile
index 0654cc82aa70..0870d891ebce 100644
--- a/security/strongswan/Makefile
+++ b/security/strongswan/Makefile
@@ -1,6 +1,6 @@
 PORTNAME=	strongswan
 DISTVERSION=	5.9.9
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	security net-vpn
 MASTER_SITES=	https://download.strongswan.org/ \
 		https://download2.strongswan.org/
diff --git a/security/strongswan/files/patch-src_libtls_tls_server.c b/security/strongswan/files/patch-src_libtls_tls_server.c
new file mode 100644
index 000000000000..5bd53faab6fb
--- /dev/null
+++ b/security/strongswan/files/patch-src_libtls_tls_server.c
@@ -0,0 +1,48 @@
+From 980750bde07136255784d6ef6cdb5c085d30e2f9 Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Fri, 17 Feb 2023 15:07:20 +0100
+Subject: [PATCH] libtls: Fix authentication bypass and expired pointer
+ dereference
+
+`public` is returned, but previously only if a trusted key was found.
+We obviously don't want to return untrusted keys.  However, since the
+reference is released after determining the key type, the returned
+object also doesn't have the correct refcount.
+
+So when the returned reference is released after verifying the TLS
+signature, the public key object is actually destroyed.  The certificate
+object then points to an expired pointer, which is dereferenced once it
+itself is destroyed after the authentication is complete.  Depending on
+whether the pointer is valid (i.e. points to memory allocated to the
+process) and what was allocated there after the public key was freed,
+this could result in a segmentation fault or even code execution.
+
+Fixes: 63fd718915b5 ("libtls: call create_public_enumerator() with key_type")
+Fixes: CVE-2023-26463
+---
+ src/libtls/tls_server.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/libtls/tls_server.c b/src/libtls/tls_server.c
+index c9c300917dd6..573893f2efb5 100644
+--- src/libtls/tls_server.c
++++ src/libtls/tls_server.c
+@@ -183,11 +183,11 @@ public_key_t *tls_find_public_key(auth_cfg_t *peer_auth, identification_t *id)
+ 	cert = peer_auth->get(peer_auth, AUTH_HELPER_SUBJECT_CERT);
+ 	if (cert)
+ 	{
+-		public = cert->get_public_key(cert);
+-		if (public)
++		current = cert->get_public_key(cert);
++		if (current)
+ 		{
+-			key_type = public->get_type(public);
+-			public->destroy(public);
++			key_type = current->get_type(current);
++			current->destroy(current);
+ 		}
+ 		enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
+ 											key_type, id, peer_auth, TRUE);
+-- 
+2.25.1
+



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202303040632.3246WjBW016557>