From 90af4f16c5ce6c8c9584981bfbcbfcd3cef2cded Mon Sep 17 00:00:00 2001 From: Gustavo Zacarias Date: Fri, 1 Nov 2013 10:54:27 -0300 Subject: [PATCH] strongswan: add security patches Security patches to fix CVE-2013-5018, CVE-2013-6075 and CVE-2013-6076. Signed-off-by: Gustavo Zacarias Signed-off-by: Thomas Petazzoni --- .../strongswan-0003-CVE-2013-5018-fix.patch | 29 +++++++++++++++++++ .../strongswan-0004-CVE-2013-6075-fix.patch | 27 +++++++++++++++++ .../strongswan-0005-CVE-2013-6076-fix.patch | 27 +++++++++++++++++ 3 files changed, 83 insertions(+) create mode 100644 package/strongswan/strongswan-0003-CVE-2013-5018-fix.patch create mode 100644 package/strongswan/strongswan-0004-CVE-2013-6075-fix.patch create mode 100644 package/strongswan/strongswan-0005-CVE-2013-6076-fix.patch diff --git a/package/strongswan/strongswan-0003-CVE-2013-5018-fix.patch b/package/strongswan/strongswan-0003-CVE-2013-5018-fix.patch new file mode 100644 index 000000000..e30ac31df --- /dev/null +++ b/package/strongswan/strongswan-0003-CVE-2013-5018-fix.patch @@ -0,0 +1,29 @@ +From 057265e0183ddf52d56f21adaf0db0f3dc6585a4 Mon Sep 17 00:00:00 2001 +From: Tobias Brunner +Date: Mon, 29 Jul 2013 23:45:38 +0200 +Subject: [PATCH] asn1: Fix handling of invalid ASN.1 length in is_asn1() + +Fixes CVE-2013-5018. +--- + src/libstrongswan/asn1/asn1.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/src/libstrongswan/asn1/asn1.c b/src/libstrongswan/asn1/asn1.c +index 68f37f4..d860ad9 100644 +--- a/src/libstrongswan/asn1/asn1.c ++++ b/src/libstrongswan/asn1/asn1.c +@@ -642,6 +642,11 @@ bool is_asn1(chunk_t blob) + + len = asn1_length(&blob); + ++ if (len == ASN1_INVALID_LENGTH) ++ { ++ return FALSE; ++ } ++ + /* exact match */ + if (len == blob.len) + { +-- +1.7.10.4 + diff --git a/package/strongswan/strongswan-0004-CVE-2013-6075-fix.patch b/package/strongswan/strongswan-0004-CVE-2013-6075-fix.patch new file mode 100644 index 000000000..d50616a60 --- /dev/null +++ b/package/strongswan/strongswan-0004-CVE-2013-6075-fix.patch @@ -0,0 +1,27 @@ +From aa277adfc204b6bda2c3792710138f9a8723a8f1 Mon Sep 17 00:00:00 2001 +From: Martin Willi +Date: Mon, 7 Oct 2013 14:21:57 +0200 +Subject: [PATCH] identification: Properly check length before comparing for + binary DN equality + +Fixes CVE-2013-6075. +--- + src/libstrongswan/utils/identification.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/libstrongswan/utils/identification.c b/src/libstrongswan/utils/identification.c +index 5df3e5f..9c43ad5 100644 +--- a/src/libstrongswan/utils/identification.c ++++ b/src/libstrongswan/utils/identification.c +@@ -602,7 +602,7 @@ static bool compare_dn(chunk_t t_dn, chunk_t o_dn, int *wc) + } + } + /* try a binary compare */ +- if (memeq(t_dn.ptr, o_dn.ptr, t_dn.len)) ++ if (chunk_equals(t_dn, o_dn)) + { + return TRUE; + } +-- +1.8.1.2 + diff --git a/package/strongswan/strongswan-0005-CVE-2013-6076-fix.patch b/package/strongswan/strongswan-0005-CVE-2013-6076-fix.patch new file mode 100644 index 000000000..51f0ae37d --- /dev/null +++ b/package/strongswan/strongswan-0005-CVE-2013-6076-fix.patch @@ -0,0 +1,27 @@ +From d8867a8452eece3fffab29605f48e6bed47c42d4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Volker=20R=C3=BCmelin?= +Date: Fri, 11 Oct 2013 09:38:24 +0200 +Subject: [PATCH] ikev1: Properly initialize list of fragments in case fragment + ID is 0 + +Fixes CVE-2013-6076. +--- + src/libcharon/sa/ikev1/task_manager_v1.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/libcharon/sa/ikev1/task_manager_v1.c b/src/libcharon/sa/ikev1/task_manager_v1.c +index 6d4ef14..597416e 100644 +--- a/src/libcharon/sa/ikev1/task_manager_v1.c ++++ b/src/libcharon/sa/ikev1/task_manager_v1.c +@@ -1273,7 +1273,7 @@ static status_t handle_fragment(private_task_manager_t *this, message_t *msg) + return FAILED; + } + +- if (this->frag.id != payload->get_id(payload)) ++ if (!this->frag.list || this->frag.id != payload->get_id(payload)) + { + clear_fragments(this, payload->get_id(payload)); + this->frag.list = linked_list_create(); +-- +1.8.1.2 +