[Pkg-swan-devel] [Git][debian/strongswan][debian/bullseye-security] 5 commits: d/patches: add fix for CVE-2023-41913

Yves-Alexis Perez (@corsac) gitlab at salsa.debian.org
Sun Jan 21 13:50:11 GMT 2024 


Yves-Alexis Perez pushed to branch debian/bullseye-security at Debian / strongswan


Commits:
f7871e68 by Yves-Alexis Perez at 2023-11-13T22:20:53+01:00
d/patches: add fix for CVE-2023-41913

Buffer Overflow When Handling DH Public Values

- - - - -
1c076bd1 by Yves-Alexis Perez at 2023-11-13T22:21:58+01:00
finalize changelog

- - - - -
8fa76b9b by Yves-Alexis Perez at 2023-11-13T22:22:16+01:00
upload strongSwan 5.9.1-1+deb11u4 to bullseye-security

- - - - -
1f530bed by Yves-Alexis Perez at 2024-01-21T14:46:59+01:00
d/patch: fix patch to use correct fonction name

- - - - -
178dce00 by Yves-Alexis Perez at 2024-01-21T14:49:50+01:00
update changelog

- - - - -


3 changed files:

- debian/changelog
- + debian/patches/0010-charon-tkm-Validate-DH-public-key-to-fix-potential-b.patch
- debian/patches/series


Changes:

=====================================
debian/changelog
=====================================
@@ -1,3 +1,16 @@
+strongswan (5.9.1-1+deb11u5) UNRELEASED; urgency=medium
+
+  * d/patch: fix patch to use correct fonction name
+
+ -- Yves-Alexis Perez <corsac at debian.org>  Sun, 21 Jan 2024 14:49:43 +0100
+
+strongswan (5.9.1-1+deb11u4) bullseye-security; urgency=medium
+
+  * d/patches: add fix for CVE-2023-41913 in charon-tkm
+    Buffer Overflow When Handling DH Public Values
+
+ -- Yves-Alexis Perez <corsac at debian.org>  Mon, 13 Nov 2023 22:22:03 +0100
+
 strongswan (5.9.1-1+deb11u3) bullseye-security; urgency=medium
 
   * d/p/0009-credential-manager-Do-online-revocation-checks-only- added.


=====================================
debian/patches/0010-charon-tkm-Validate-DH-public-key-to-fix-potential-b.patch
=====================================
@@ -0,0 +1,42 @@
+From 9076b3cc9b7aff863b934454e1289d43d3ae3a4a Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias at strongswan.org>
+Date: Tue, 11 Jul 2023 12:12:25 +0200
+Subject: [PATCH] charon-tkm: Validate DH public key to fix potential buffer
+ overflow
+
+Seems this was forgotten in the referenced commit and actually could lead
+to a buffer overflow.  Since charon-tkm is untrusted this isn't that
+much of an issue but could at least be easily exploited for a DoS attack
+as DH public values are set when handling IKE_SA_INIT requests.
+
+Fixes: 0356089d0f94 ("diffie-hellman: Verify public DH values in backends")
+Fixes: CVE-2023-41913
+---
+ src/charon-tkm/src/tkm/tkm_diffie_hellman.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/charon-tkm/src/tkm/tkm_diffie_hellman.c b/src/charon-tkm/src/tkm/tkm_diffie_hellman.c
+index 41b557edc213..03cbf6be7962 100644
+--- a/src/charon-tkm/src/tkm/tkm_diffie_hellman.c
++++ b/src/charon-tkm/src/tkm/tkm_diffie_hellman.c
+@@ -69,11 +69,16 @@ METHOD(diffie_hellman_t, get_shared_secret, bool,
+ 	return TRUE;
+ }
+ 
+-
+ METHOD(diffie_hellman_t, set_other_public_value, bool,
+ 	private_tkm_diffie_hellman_t *this, chunk_t value)
+ {
+ 	dh_pubvalue_type othervalue;
++
++	if (!diffie_hellman_verify_value(this->group, value) ||
++		value.len > sizeof(othervalue.data))
++	{
++		return FALSE;
++	}
+ 	othervalue.size = value.len;
+ 	memcpy(&othervalue.data, value.ptr, value.len);
+ 
+-- 
+2.34.1
+


=====================================
debian/patches/series
=====================================
@@ -7,3 +7,4 @@ dont-load-kernel-libipsec-plugin-by-default.patch
 0007-Reject-RSASSA-PSS-params-with-negative-salt-length.patch
 0008-eap-authenticator-Enforce-failure-if-MSK-generation-.patch
 0009-credential-manager-Do-online-revocation-checks-only-.patch
+0010-charon-tkm-Validate-DH-public-key-to-fix-potential-b.patch



View it on GitLab: https://salsa.debian.org/debian/strongswan/-/compare/af8f9c3129d81376424d58785b82f3a3dff3b022...178dce00066cffe72b0b7f7969b4a913d813b030

-- 
View it on GitLab: https://salsa.debian.org/debian/strongswan/-/compare/af8f9c3129d81376424d58785b82f3a3dff3b022...178dce00066cffe72b0b7f7969b4a913d813b030
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-swan-devel/attachments/20240121/585ac703/attachment-0001.htm>

More information about the Pkg-swan-devel mailing list