diff mbox series

[meta-networking,kirkstone] strongswan: Backport fix for CVE-2023-41913

Message ID 20231215040601.391295-1-vanusuri@mvista.com
State New
Headers show
Series [meta-networking,kirkstone] strongswan: Backport fix for CVE-2023-41913 | expand

Commit Message

Vijay Anusuri Dec. 15, 2023, 4:06 a.m. UTC 
From: Vijay Anusuri <vanusuri@mvista.com>

Upstream-Status: Backport [https://download.strongswan.org/security/CVE-2023-41913/strongswan-5.3.0-5.9.6_charon_tkm_dh_len.patch]

Reference: https://www.strongswan.org/blog/2023/11/20/strongswan-vulnerability-(cve-2023-41913).html

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
 .../strongswan/files/CVE-2023-41913.patch     | 46 +++++++++++++++++++
 .../strongswan/strongswan_5.9.6.bb            |  1 +
 2 files changed, 47 insertions(+)
 create mode 100644 meta-networking/recipes-support/strongswan/files/CVE-2023-41913.patch
diff mbox series

Patch

diff --git a/meta-networking/recipes-support/strongswan/files/CVE-2023-41913.patch b/meta-networking/recipes-support/strongswan/files/CVE-2023-41913.patch
new file mode 100644
index 000000000..c0de1f158
--- /dev/null
+++ b/meta-networking/recipes-support/strongswan/files/CVE-2023-41913.patch
@@ -0,0 +1,46 @@ 
+From 027421cbd2e6e628f5f959c74d722afadc477485 Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Tue, 11 Jul 2023 12:12:25 +0200
+Subject: [PATCH] charon-tkm: Validate DH public key to fix potential buffer
+ overflow
+
+Seems this was forgotten in the referenced commit and actually could lead
+to a buffer overflow.  Since charon-tkm is untrusted this isn't that
+much of an issue but could at least be easily exploited for a DoS attack
+as DH public values are set when handling IKE_SA_INIT requests.
+
+Fixes: 0356089d0f94 ("diffie-hellman: Verify public DH values in backends")
+Fixes: CVE-2023-41913
+
+Upstream-Status: Backport [https://download.strongswan.org/security/CVE-2023-41913/strongswan-5.3.0-5.9.6_charon_tkm_dh_len.patch]
+CVE: CVE-2023-41913
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/charon-tkm/src/tkm/tkm_diffie_hellman.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/charon-tkm/src/tkm/tkm_diffie_hellman.c b/src/charon-tkm/src/tkm/tkm_diffie_hellman.c
+index 2b2d103d03e9..6999ad360d7e 100644
+--- a/src/charon-tkm/src/tkm/tkm_diffie_hellman.c
++++ b/src/charon-tkm/src/tkm/tkm_diffie_hellman.c
+@@ -70,11 +70,16 @@ METHOD(key_exchange_t, get_shared_secret, bool,
+ 	return TRUE;
+ }
+ 
+-
+ METHOD(diffie_hellman_t, set_other_public_value, bool,
+ 	private_tkm_diffie_hellman_t *this, chunk_t value)
+ {
+ 	dh_pubvalue_type othervalue;
++
++	if (!key_exchange_verify_pubkey(this->group, value) ||
++		value.len > sizeof(othervalue.data))
++	{
++		return FALSE;
++	}
+ 	othervalue.size = value.len;
+ 	memcpy(&othervalue.data, value.ptr, value.len);
+ 
+-- 
+2.34.1
+
diff --git a/meta-networking/recipes-support/strongswan/strongswan_5.9.6.bb b/meta-networking/recipes-support/strongswan/strongswan_5.9.6.bb
index b8d44db26..c4ff80973 100644
--- a/meta-networking/recipes-support/strongswan/strongswan_5.9.6.bb
+++ b/meta-networking/recipes-support/strongswan/strongswan_5.9.6.bb
@@ -11,6 +11,7 @@  DEPENDS:append = "${@bb.utils.contains('DISTRO_FEATURES', 'tpm2', '  tpm2-tss',
 SRC_URI = "http://download.strongswan.org/strongswan-${PV}.tar.bz2 \
            file://0001-enum-Fix-compiler-warning.patch \
            file://CVE-2022-40617.patch \
+           file://CVE-2023-41913.patch \
            "
 
 SRC_URI[sha256sum] = "91d0978ac448912759b85452d8ff0d578aafd4507aaf4f1c1719f9d0c7318ab7"