Patchwork [meta-networking] strongswan: Security Advisory - strongswan - CVE-2014-2891

login
register
mail settings
Submitter jackie huang
Date July 28, 2014, 8:17 a.m.
Message ID <1406535425-28139-1-git-send-email-jackie.huang@windriver.com>
Download mbox | patch
Permalink /patch/76743/
State Accepted, archived
Headers show

Comments

jackie huang - July 28, 2014, 8:17 a.m.
From: Yue Tao <Yue.Tao@windriver.com>

strongSwan before 5.1.2 allows remote attackers to cause a denial of
service (NULL pointer dereference and IKE daemon crash) via a crafted
ID_DER_ASN1_DN ID payload.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2891

Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
---
 .../files/strongswan-4.3.3-5.1.1_asn1_unwrap.patch | 28 ++++++++++++++++++++++
 .../recipes-support/strongswan/strongswan_5.1.1.bb |  1 +
 2 files changed, 29 insertions(+)
 create mode 100644 meta-networking/recipes-support/strongswan/files/strongswan-4.3.3-5.1.1_asn1_unwrap.patch

Patch

diff --git a/meta-networking/recipes-support/strongswan/files/strongswan-4.3.3-5.1.1_asn1_unwrap.patch b/meta-networking/recipes-support/strongswan/files/strongswan-4.3.3-5.1.1_asn1_unwrap.patch
new file mode 100644
index 0000000..374f2cf
--- /dev/null
+++ b/meta-networking/recipes-support/strongswan/files/strongswan-4.3.3-5.1.1_asn1_unwrap.patch
@@ -0,0 +1,28 @@ 
+strongswan: asn1: Properly check length in asn1_unwrap()
+
+Fixes CVE-2014-2891 in strongSwan releases 4.3.3-5.1.1.
+
+Upstream-Status: Pending
+
+Signed-off-by: Yue Tao <yue.tao@windriver.com>
+
+---
+ src/libstrongswan/asn1/asn1.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libstrongswan/asn1/asn1.c b/src/libstrongswan/asn1/asn1.c
+index d860ad9..9a5f5c5 100644
+--- a/src/libstrongswan/asn1/asn1.c
++++ b/src/libstrongswan/asn1/asn1.c
+@@ -296,7 +296,7 @@ int asn1_unwrap(chunk_t *blob, chunk_t *inner)
+ 	else
+ 	{	/* composite length, determine number of length octets */
+ 		len &= 0x7f;
+-		if (len == 0 || len > sizeof(res.len))
++		if (len == 0 || len > blob->len || len > sizeof(res.len))
+ 		{
+ 			return ASN1_INVALID;
+ 		}
+-- 
+1.7.10.4
+
diff --git a/meta-networking/recipes-support/strongswan/strongswan_5.1.1.bb b/meta-networking/recipes-support/strongswan/strongswan_5.1.1.bb
index 821d965..cfa9abc 100644
--- a/meta-networking/recipes-support/strongswan/strongswan_5.1.1.bb
+++ b/meta-networking/recipes-support/strongswan/strongswan_5.1.1.bb
@@ -10,6 +10,7 @@  DEPENDS = "gmp openssl flex-native flex bison-native"
 SRC_URI = "http://download.strongswan.org/strongswan-${PV}.tar.bz2 \
         file://fix-funtion-parameter.patch \
         file://strongswan-5.0.0-5.1.2_reject_child_sa.patch \
+        file://strongswan-4.3.3-5.1.1_asn1_unwrap.patch \
 "
 
 SRC_URI[md5sum] = "e3af3d493d22286be3cd794533a8966a"