authorNatanael Copa <ncopa@alpinelinux.org>2013-05-17 09:40:13 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2013-05-17 09:40:13 +0000
commitca6f0ad926d2fabed66a049927cea2eb176581da (patch)
treef8628a402e4a6f4f81be2b2963724e80c4a92e67 /main/openswan/openswan-libreswan-backport-949437-do_aes.patch
parent8b2da88e8e533e78dfec86f9d1ed4e5cadfa4ca8 (diff)
main/openswan: security fix for remote buffer overflow in atodn() (CVE-2013-2053)
patches are from http://libreswan.org/security/CVE-2013-2053/ fixes #1895
Diffstat (limited to 'main/openswan/openswan-libreswan-backport-949437-do_aes.patch')
-rw-r--r--main/openswan/openswan-libreswan-backport-949437-do_aes.patch62
1 files changed, 62 insertions, 0 deletions
diff --git a/main/openswan/openswan-libreswan-backport-949437-do_aes.patch b/main/openswan/openswan-libreswan-backport-949437-do_aes.patch
new file mode 100644
index 0000000000..aedb4d34ab
--- /dev/null
+++ b/main/openswan/openswan-libreswan-backport-949437-do_aes.patch
@@ -0,0 +1,62 @@
+From ee267f812f6d72da400cc24265c399c3e9048a8a Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Wed, 10 Apr 2013 10:33:02 +0200
+Subject: [PATCH 07/10] do_aes: Abort on failure
+
+The routine cannot signal encryption failures to the caller
+and would leave the buffer unencrypted on error.
+---
+ programs/pluto/ike_alg_aes.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/programs/pluto/ike_alg_aes.c b/programs/pluto/ike_alg_aes.c
+index 1d4aada..95999bb 100644
+--- a/programs/pluto/ike_alg_aes.c
++++ b/programs/pluto/ike_alg_aes.c
+@@ -48,7 +48,7 @@ do_aes(u_int8_t *buf, size_t buf_len, u_int8_t *key, size_t key_size, u_int8_t *
+
+ if (symkey == NULL) {
+ loglog(RC_LOG_SERIOUS, "do_aes: NSS derived enc key in NULL\n");
+- goto out;
++ abort();
+ }
+
+ ivitem.type = siBuffer;
+@@ -58,7 +58,7 @@ do_aes(u_int8_t *buf, size_t buf_len, u_int8_t *key, size_t key_size, u_int8_t *
+ secparam = PK11_ParamFromIV(ciphermech, &ivitem);
+ if (secparam == NULL) {
+ loglog(RC_LOG_SERIOUS, "do_aes: Failure to set up PKCS11 param (err %d)\n",PR_GetError());
+- goto out;
++ abort();
+ }
+
+ outlen = 0;
+@@ -69,8 +69,15 @@ do_aes(u_int8_t *buf, size_t buf_len, u_int8_t *key, size_t key_size, u_int8_t *
+ }
+
+ enccontext = PK11_CreateContextBySymKey(ciphermech, enc? CKA_ENCRYPT : CKA_DECRYPT, symkey, secparam);
++ if (enccontext == NULL) {
++ loglog(RC_LOG_SERIOUS, "do_aes: PKCS11 context creation failure (err %d)\n", PR_GetError());
++ abort();
++ }
+ rv = PK11_CipherOp(enccontext, tmp_buf, &outlen, buf_len, buf, buf_len);
+- passert(rv==SECSuccess);
++ if (rv != SECSuccess) {
++ loglog(RC_LOG_SERIOUS, "do_aes: PKCS11 operation failure (err %d)\n", PR_GetError());
++ abort();
++ }
+ PK11_DestroyContext(enccontext, PR_TRUE);
+ memcpy(buf,tmp_buf,buf_len);
+
+@@ -81,8 +88,6 @@ do_aes(u_int8_t *buf, size_t buf_len, u_int8_t *key, size_t key_size, u_int8_t *
+ memcpy(iv, new_iv, AES_CBC_BLOCK_SIZE);
+ PR_Free(tmp_buf);
+
+-out:
+-
+ if (secparam)
+ SECITEM_FreeItem(secparam, PR_TRUE);
+ DBG(DBG_CRYPT, DBG_log("NSS do_aes: exit"));
+--
+1.8.1.4
+
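Review bot: The `memcpy(buf,tmp_buf,buf_len)` that follows the new `rv != SECSuccess` check still copies `buf_len` bytes without consulting `outlen`, so a PK11_CipherOp call that reports success but produces fewer bytes would leave bytes the cipher never wrote in the caller's buffer, which is the outcome this patch sets out to exclude. The failure test could cover that case as well, assuming `outlen` is the `int` NSS expects: `if (rv != SECSuccess || outlen < 0 || (size_t)outlen != buf_len) {`. With `goto out` removed, `secparam` can no longer be NULL when `if (secparam)` is reached, so that guard is now dead code and could be dropped. Because every failure path now takes the daemon down, a short comment at the first `abort()` such as `/* do_aes returns void: fail closed rather than continue with an unencrypted buffer */` would record the intent. do_aes begins before and ends after the quoted hunks, so the allocation and initial contents of `tmp_buf` are not visible here.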