-rw-r--r--main/strongswan/APKBUILD8
-rw-r--r--main/strongswan/CVE-2017-11185.patch50
2 files changed, 57 insertions, 1 deletions
diff --git a/main/strongswan/APKBUILD b/main/strongswan/APKBUILD
index 584e5c9723..f84e7948b9 100644
--- a/main/strongswan/APKBUILD
+++ b/main/strongswan/APKBUILD
@@ -3,7 +3,7 @@
pkgname=strongswan
pkgver=5.3.5
_pkgver=${pkgver//_rc/rc}
-pkgrel=3
+pkgrel=4
pkgdesc="IPsec-based VPN solution focused on security and ease of use, supporting IKEv1/IKEv2 and MOBIKE"
url="http://www.strongswan.org/"
arch="all"
@@ -25,6 +25,7 @@ source="http://download.strongswan.org/$pkgname-$_pkgver.tar.bz2
2001-support-gre-key-in-ikev1.patch
CVE-2017-9022.patch
CVE-2017-9023.patch
+ CVE-2017-11185.patch
strongswan.initd
charon.initd"
@@ -32,6 +33,8 @@ source="http://download.strongswan.org/$pkgname-$_pkgver.tar.bz2
_builddir="$srcdir/$pkgname-$_pkgver"
# secfixes:
+# 5.3.5-r4:
+# - CVE-2017-11185
# 5.3.5-r2:
# - CVE-2017-9022
# - CVE-2017-9023
@@ -129,6 +132,7 @@ md5sums="a2f9ea185f27e7f8413d4cd2ee61efe4 strongswan-5.3.5.tar.bz2
ccb77ee342e1b3108a49262549bbbf36 2001-support-gre-key-in-ikev1.patch
e86511ed5f224224cc479d34d7690f51 CVE-2017-9022.patch
54049b04a17893f0042509b1f5751bfe CVE-2017-9023.patch
+5676d26b3fb36a2529b5b53e1f2a992a CVE-2017-11185.patch
72a956819c451931d3d31a528a0d1b9c strongswan.initd
a7993f28e4eacc61f51722044645587e charon.initd"
sha256sums="2c84b663da652b1ff180a1a73c24a3d7b9fc4b9b8ba6bd07f94a1e33092e6350 strongswan-5.3.5.tar.bz2
@@ -140,6 +144,7 @@ sha256sums="2c84b663da652b1ff180a1a73c24a3d7b9fc4b9b8ba6bd07f94a1e33092e6350 st
bbdbc73ba6cafaaab1ea303eec6d026ebb50ecd12b7c32be0b4dfeaf8ae24245 2001-support-gre-key-in-ikev1.patch
f5ba7f46cf7ae81dd81bc86f9e4cfa0c5c7c6987149b3bc9c0b8bf08598a1063 CVE-2017-9022.patch
03db8c7a4133e877e8992e155c046dd27ec4810d50f239abf55595f0280caf31 CVE-2017-9023.patch
+c80e02c9a5eeaf10f0a8bdde3be6375dd2833e515af03dad3a700e93c4fd041a CVE-2017-11185.patch
fdb781fa59700ca83b9fd2f2ff0b9c45467448ebd82da96286b3e2aa477ef7f4 strongswan.initd
7bcc57e4a778f87645c6b9d76ba2c04e1c11c326bc9a4968561788711c7fe58a charon.initd"
sha512sums="4e6dd124d9a73ad5baf08998a284aba5c02c9dc79e4377e2cbd14c285d1df8e29c0548d347a0fdfa19341b1ae27b560ae9d8d25260898630351230b11c6eb2bb strongswan-5.3.5.tar.bz2
@@ -151,5 +156,6 @@ dd6d8bad4de89d77d92c93c890935880eaa55dc056eac92100fe034c1c045e0771995db58f9787a9
0e554a6117f51a564a1b269c9ed2f2858d22ef61df483e2eb09997a3075444deb10df9d0cc8b9ddbe2bb2f740640860c21b1492a9ec28657844fa9c41b822bfc 2001-support-gre-key-in-ikev1.patch
667bbce53de819ac1c885d451b821520d70384d9c4d6d437c6bac571b9e5ab0a74344249aa967f625f4665bcd3d9d2cb62b465838d68aea2dae5e4f52e3e64fd CVE-2017-9022.patch
44bc2802bf5bf093e3ea17fedc7b50d3ee3d7bf22c097b02a368c9ddf9772e2c13efe72c8b41ff173d2ef4c80cd1981a3db892c5cb2f05ccac627b294cde3e3d CVE-2017-9023.patch
+276bcbd0cd3c550ddd4b3f5dfbcb490bb1e50ec8ed97789944409e3c05232903b99332c653cec9c9cf46eab445fd67113d1babef32156b1a5c77a68d2b83260b CVE-2017-11185.patch
8b61e3ffbb39b837733e602ec329e626dc519bf7308d3d4192b497d18f38176789d23ef5afec51f8463ee1ddaf4d74546b965c03184132e217cbc27017e886c9 strongswan.initd
1c44c801f66305c0331f76e580c0d60f1b7d5cd3cc371be55826b06c3899f542664628a912a7fb48626e34d864f72ca5dcd34b2f0d507c4f19c510d0047054c1 charon.initd"
diff --git a/main/strongswan/CVE-2017-11185.patch b/main/strongswan/CVE-2017-11185.patch
new file mode 100644
index 0000000000..f062fdd8f0
--- /dev/null
+++ b/main/strongswan/CVE-2017-11185.patch
@@ -0,0 +1,50 @@
+From ed282e9a463c068146c945984fdea7828e663861 Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Mon, 29 May 2017 11:59:34 +0200
+Subject: [PATCH] gmp: Fix RSA signature verification for m >= n
+
+By definition, m must be <= n-1, we didn't enforce that and because
+mpz_export() returns NULL if the passed value is zero a crash could have
+been triggered with m == n.
+
+Fixes CVE-2017-11185.
+---
+ src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
+index 32a72ac9600b..a741f85d4f62 100644
+--- a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
++++ b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
+@@ -78,11 +78,17 @@ static chunk_t rsaep(private_gmp_rsa_public_key_t *this, chunk_t data)
+ mpz_t m, c;
+ chunk_t encrypted;
+
+- mpz_init(c);
+ mpz_init(m);
+-
+ mpz_import(m, data.len, 1, 1, 1, 0, data.ptr);
+
++ if (mpz_cmp_ui(m, 0) <= 0 || mpz_cmp(m, this->n) >= 0)
++ { /* m must be <= n-1, but 0 is a valid value, doesn't really make sense
++ * here, though */
++ mpz_clear(m);
++ return chunk_empty;
++ }
++
++ mpz_init(c);
+ mpz_powm(c, m, this->e, this->n);
+
+ encrypted.len = this->k;
+@@ -150,7 +156,7 @@ static bool verify_emsa_pkcs1_signature(private_gmp_rsa_public_key_t *this,
+ */
+
+ /* check magic bytes */
+- if (*(em.ptr) != 0x00 || *(em.ptr+1) != 0x01)
++ if (em.len < 2 || *(em.ptr) != 0x00 || *(em.ptr+1) != 0x01)
+ {
+ goto end;
+ }
+--
+2.7.4
+
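Review bot: The comment on the new range check in rsaep() says 0 is a valid value while the condition rejects it, and it never says why, so the next reader cannot tell whether rejecting m == 0 is deliberate. Going by the commit message, m == 0 also gives c == 0, the case where mpz_export() returns NULL, so the comment could read `/* RSAEP allows 0 <= m <= n-1; m == 0 is rejected too, since c would be 0 and mpz_export() returns NULL for zero */`. Because mpz_import() never produces a negative value, `mpz_sgn(m) == 0` would state the first test more directly than `mpz_cmp_ui(m, 0) <= 0`. Both rsaep() and verify_emsa_pkcs1_signature() continue outside the hunk, so it is worth confirming that every other caller of rsaep() treats the new chunk_empty return as a failure, as the added `em.len < 2` guard does on the verify path.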