| author | Leonardo Arena <rnalrd@alpinelinux.org> | 2015-12-04 07:15:35 +0000 |
|---|---|---|
| committer | Leonardo Arena <rnalrd@alpinelinux.org> | 2015-12-04 07:15:35 +0000 |
| commit | e5f15c5c5e04dd9392353656258dd3d4c8cb2fbb (patch) | |
| tree | af215be638648b403a202a5c7842e5539ec7e809 | |
| parent | 74bbd576aaf60ab32508ade53f35acb530c46b6a (diff) | |
| download | aports-e5f15c5c5e04dd9392353656258dd3d4c8cb2fbb.tar.bz2 aports-e5f15c5c5e04dd9392353656258dd3d4c8cb2fbb.tar.xz | |
main/strongswan: security fix CVE-2015-8023. Fixes #4878
| -rw-r--r-- | main/strongswan/APKBUILD | 15 | ||||
| -rw-r--r-- | main/strongswan/CVE-2015-8023.patch | 34 |
2 files changed, 44 insertions, 5 deletions
diff --git a/main/strongswan/APKBUILD b/main/strongswan/APKBUILD
index 26c649fbc1..6c45d36dd1 100644
--- a/main/strongswan/APKBUILD
+++ b/main/strongswan/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=strongswan
 pkgver=5.2.2
-pkgrel=0
+pkgrel=1
 pkgdesc="IPsec-based VPN solution focused on security and ease of use, supporting IKEv1/IKEv2 and MOBIKE"
 url="http://www.strongswan.org/"
 arch="all"
@@ -13,7 +13,9 @@ makedepends="$depends_dev"
 install=""
 subpackages="$pkgname-doc"
 source="http://download.strongswan.org/$pkgname-$pkgver.tar.bz2
- strongswan.initd"
+ strongswan.initd
+ CVE-2015-8023.patch
+ "
 
 _builddir="$srcdir/$pkgname-$pkgver"
 prepare() {
@@ -91,8 +93,11 @@ package() {
 }
 
 md5sums="7ee1a33060b2bde35be0f6d78a1d26d0 strongswan-5.2.2.tar.bz2
-fb9822512d02f521af8812db22a5175e strongswan.initd"
+fb9822512d02f521af8812db22a5175e strongswan.initd
+ad2433a351cf491f60f587d4895b0ad2 CVE-2015-8023.patch"
 sha256sums="cf2fbfdf200a5eced796f00dc11fea67ce477d38c54d5f073ac6c51618b172f4 strongswan-5.2.2.tar.bz2
-e4add8941d545930bba43d7d3af302bc436d7c0264a2796480226567e2b12e54 strongswan.initd"
+e4add8941d545930bba43d7d3af302bc436d7c0264a2796480226567e2b12e54 strongswan.initd
+a3ed08c7fc2a7d5876109b9c561e0412b917708921a966a9c79de62db10a9881 CVE-2015-8023.patch"
 sha512sums="80ae5551d16e8ddcff71426c1ec996388f32cec8a027f722e8f5151cdd67f09d65705a702ff8c3f2702dca6470e525eb2af2459f7ced9d5923570a331491d534 strongswan-5.2.2.tar.bz2
-2f2936865e494a9454329867acfb71ca323f90dec526a97f7d0c18422deb54205f81f9f592ed6c3b474fe5e954ebcb90eed0311e52fa3a86a982d80ba9a45be8 strongswan.initd"
+2f2936865e494a9454329867acfb71ca323f90dec526a97f7d0c18422deb54205f81f9f592ed6c3b474fe5e954ebcb90eed0311e52fa3a86a982d80ba9a45be8 strongswan.initd
+c4306f57a24563c4c8fd9d6d7c4bf579433d0b98462058b811265cc918a44e105d4ac08d830d025fcff1d43dcc96f8eb3c3651d2ee50978586fa2f9f0087a99b CVE-2015-8023.patch"
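Review bot: Adding `CVE-2015-8023.patch` to `source` in the second hunk only fetches and checksums the file, and none of the visible hunks touches `prepare()`, whose body lies outside the diff, so it cannot be confirmed from here that the patch is applied to the unpacked tree. If `prepare()` does not already loop over `$source` and apply `*.patch` entries, the package would be rebuilt as pkgrel 1 without the fix. A build log should confirm that the patch step runs and that a patch which fails to apply aborts the build (`|| return 1`).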
diff --git a/main/strongswan/CVE-2015-8023.patch b/main/strongswan/CVE-2015-8023.patch
new file mode 100644
index 0000000000..e519a1f0e5
--- /dev/null
+++ b/main/strongswan/CVE-2015-8023.patch
@@ -0,0 +1,34 @@
+From 91762f11e223e33b82182150d7c4cf7c2ec3cefa Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Thu, 29 Oct 2015 11:18:27 +0100
+Subject: [PATCH] eap-mschapv2: Only succeed authentication if MSK was
+ established
+
+An MSK is only established if the client successfully authenticated
+itself and only then must we accept an MSCHAPV2_SUCCESS message.
+
+Fixes CVE-2015-8023
+---
+ src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
+index f7f39f9841d2..931e3c41dde4 100644
+--- a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
++++ b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
+@@ -1145,7 +1145,11 @@ METHOD(eap_method_t, process_server, status_t,
+ }
+ case MSCHAPV2_SUCCESS:
+ {
+- return SUCCESS;
++ if (this->msk.ptr)
++ {
++ return SUCCESS;
++ }
++ break;
+ }
+ case MSCHAPV2_FAILURE:
+ {
+--
+1.9.1
+
|
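Review bot: The new `break` in the `MSCHAPV2_SUCCESS` case rejects a success message that arrives before an MSK exists, but it does so silently, so a peer that skips the challenge/response step leaves no trace in the log. A log line before the `break`, for example `DBG1(DBG_IKE, "received EAP-MS-CHAPv2 success without completed authentication");`, would give operators something to alert on. The guard also relies on `this->msk.ptr` being set only after the client's response has been verified, as the commit message states; a short comment such as `/* msk is only set once the client's response was verified */` above the `if` would record that invariant. The code reached after the `break` is outside the hunk, so it should be confirmed that the path following the switch returns a failure status rather than asking for more input.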
