diff options
| author | Leonardo Arena <rnalrd@alpinelinux.org> | 2017-10-23 14:37:04 +0000 |
|---|---|---|
| committer | Leonardo Arena <rnalrd@alpinelinux.org> | 2017-10-23 14:48:25 +0000 |
| commit | a4e92d627f1b09c04531c883313a2d4a61fad83d (patch) | |
| tree | 1b9fec153e7538b9deca508b6ee9fb314f405ced | |
| parent | c197d93a92888b28527499e38839bc0f3c351f76 (diff) | |
| download | aports-a4e92d627f1b09c04531c883313a2d4a61fad83d.tar.bz2 aports-a4e92d627f1b09c04531c883313a2d4a61fad83d.tar.xz | |
main/strongswan: security fix (CVE-2017-11185)
fixes #7906
| -rw-r--r-- | main/strongswan/APKBUILD | 8 | ||||
| -rw-r--r-- | main/strongswan/CVE-2017-11185.patch | 50 |
2 files changed, 57 insertions, 1 deletions
diff --git a/main/strongswan/APKBUILD b/main/strongswan/APKBUILD index 584e5c9723..f84e7948b9 100644 --- a/main/strongswan/APKBUILD +++ b/main/strongswan/APKBUILD @@ -3,7 +3,7 @@ pkgname=strongswan pkgver=5.3.5 _pkgver=${pkgver//_rc/rc} -pkgrel=3 +pkgrel=4 pkgdesc="IPsec-based VPN solution focused on security and ease of use, supporting IKEv1/IKEv2 and MOBIKE" url="http://www.strongswan.org/" arch="all" @@ -25,6 +25,7 @@ source="http://download.strongswan.org/$pkgname-$_pkgver.tar.bz2 2001-support-gre-key-in-ikev1.patch CVE-2017-9022.patch CVE-2017-9023.patch + CVE-2017-11185.patch strongswan.initd charon.initd" @@ -32,6 +33,8 @@ source="http://download.strongswan.org/$pkgname-$_pkgver.tar.bz2 _builddir="$srcdir/$pkgname-$_pkgver" # secfixes: +# 5.3.5-r4: +# - CVE-2017-11185 # 5.3.5-r2: # - CVE-2017-9022 # - CVE-2017-9023 @@ -129,6 +132,7 @@ md5sums="a2f9ea185f27e7f8413d4cd2ee61efe4 strongswan-5.3.5.tar.bz2 ccb77ee342e1b3108a49262549bbbf36 2001-support-gre-key-in-ikev1.patch e86511ed5f224224cc479d34d7690f51 CVE-2017-9022.patch 54049b04a17893f0042509b1f5751bfe CVE-2017-9023.patch +5676d26b3fb36a2529b5b53e1f2a992a CVE-2017-11185.patch 72a956819c451931d3d31a528a0d1b9c strongswan.initd a7993f28e4eacc61f51722044645587e charon.initd" sha256sums="2c84b663da652b1ff180a1a73c24a3d7b9fc4b9b8ba6bd07f94a1e33092e6350 strongswan-5.3.5.tar.bz2 @@ -140,6 +144,7 @@ sha256sums="2c84b663da652b1ff180a1a73c24a3d7b9fc4b9b8ba6bd07f94a1e33092e6350 st bbdbc73ba6cafaaab1ea303eec6d026ebb50ecd12b7c32be0b4dfeaf8ae24245 2001-support-gre-key-in-ikev1.patch f5ba7f46cf7ae81dd81bc86f9e4cfa0c5c7c6987149b3bc9c0b8bf08598a1063 CVE-2017-9022.patch 03db8c7a4133e877e8992e155c046dd27ec4810d50f239abf55595f0280caf31 CVE-2017-9023.patch +c80e02c9a5eeaf10f0a8bdde3be6375dd2833e515af03dad3a700e93c4fd041a CVE-2017-11185.patch fdb781fa59700ca83b9fd2f2ff0b9c45467448ebd82da96286b3e2aa477ef7f4 strongswan.initd 7bcc57e4a778f87645c6b9d76ba2c04e1c11c326bc9a4968561788711c7fe58a charon.initd" sha512sums="4e6dd124d9a73ad5baf08998a284aba5c02c9dc79e4377e2cbd14c285d1df8e29c0548d347a0fdfa19341b1ae27b560ae9d8d25260898630351230b11c6eb2bb strongswan-5.3.5.tar.bz2 @@ -151,5 +156,6 @@ dd6d8bad4de89d77d92c93c890935880eaa55dc056eac92100fe034c1c045e0771995db58f9787a9 0e554a6117f51a564a1b269c9ed2f2858d22ef61df483e2eb09997a3075444deb10df9d0cc8b9ddbe2bb2f740640860c21b1492a9ec28657844fa9c41b822bfc 2001-support-gre-key-in-ikev1.patch 667bbce53de819ac1c885d451b821520d70384d9c4d6d437c6bac571b9e5ab0a74344249aa967f625f4665bcd3d9d2cb62b465838d68aea2dae5e4f52e3e64fd CVE-2017-9022.patch 44bc2802bf5bf093e3ea17fedc7b50d3ee3d7bf22c097b02a368c9ddf9772e2c13efe72c8b41ff173d2ef4c80cd1981a3db892c5cb2f05ccac627b294cde3e3d CVE-2017-9023.patch +276bcbd0cd3c550ddd4b3f5dfbcb490bb1e50ec8ed97789944409e3c05232903b99332c653cec9c9cf46eab445fd67113d1babef32156b1a5c77a68d2b83260b CVE-2017-11185.patch 8b61e3ffbb39b837733e602ec329e626dc519bf7308d3d4192b497d18f38176789d23ef5afec51f8463ee1ddaf4d74546b965c03184132e217cbc27017e886c9 strongswan.initd 1c44c801f66305c0331f76e580c0d60f1b7d5cd3cc371be55826b06c3899f542664628a912a7fb48626e34d864f72ca5dcd34b2f0d507c4f19c510d0047054c1 charon.initd" diff --git a/main/strongswan/CVE-2017-11185.patch b/main/strongswan/CVE-2017-11185.patch new file mode 100644 index 0000000000..f062fdd8f0 --- /dev/null +++ b/main/strongswan/CVE-2017-11185.patch @@ -0,0 +1,50 @@ +From ed282e9a463c068146c945984fdea7828e663861 Mon Sep 17 00:00:00 2001 +From: Tobias Brunner <tobias@strongswan.org> +Date: Mon, 29 May 2017 11:59:34 +0200 +Subject: [PATCH] gmp: Fix RSA signature verification for m >= n + +By definition, m must be <= n-1, we didn't enforce that and because +mpz_export() returns NULL if the passed value is zero a crash could have +been triggered with m == n. + +Fixes CVE-2017-11185. +--- + src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c +index 32a72ac9600b..a741f85d4f62 100644 +--- a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c ++++ b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c +@@ -78,11 +78,17 @@ static chunk_t rsaep(private_gmp_rsa_public_key_t *this, chunk_t data) + mpz_t m, c; + chunk_t encrypted; + +- mpz_init(c); + mpz_init(m); +- + mpz_import(m, data.len, 1, 1, 1, 0, data.ptr); + ++ if (mpz_cmp_ui(m, 0) <= 0 || mpz_cmp(m, this->n) >= 0) ++ { /* m must be <= n-1, but 0 is a valid value, doesn't really make sense ++ * here, though */ ++ mpz_clear(m); ++ return chunk_empty; ++ } ++ ++ mpz_init(c); + mpz_powm(c, m, this->e, this->n); + + encrypted.len = this->k; +@@ -150,7 +156,7 @@ static bool verify_emsa_pkcs1_signature(private_gmp_rsa_public_key_t *this, + */ + + /* check magic bytes */ +- if (*(em.ptr) != 0x00 || *(em.ptr+1) != 0x01) ++ if (em.len < 2 || *(em.ptr) != 0x00 || *(em.ptr+1) != 0x01) + { + goto end; + } +-- +2.7.4 + |