mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-07-16 16:27:27 +00:00
strongswan: patch CVE-2025-62291
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-62291 Pick the patch that is mentioned on the vendor's blog[1], that is also referenced in the NVD report. [1]: https://www.strongswan.org/blog/2025/10/27/strongswan-vulnerability-%28cve-2025-62291%29.html Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
This commit is contained in:
committed by
Anuj Mittal
parent
98425feebe
commit
e5a1286bf7
@@ -0,0 +1,45 @@
|
|||||||
|
From 8412dbb2dc054191b03df8e7fbc3dd8bf4c10be3 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Tobias Brunner <tobias@strongswan.org>
|
||||||
|
Date: Thu, 9 Oct 2025 11:33:45 +0200
|
||||||
|
Subject: [PATCH] eap-mschapv2: Fix length check for Failure Request packets on
|
||||||
|
the client
|
||||||
|
|
||||||
|
For message lengths between 6 and 8, subtracting HEADER_LEN (9) causes
|
||||||
|
`message_len` to become negative, which is then used in calls to malloc()
|
||||||
|
and memcpy() that both take size_t arguments, causing an integer
|
||||||
|
underflow.
|
||||||
|
|
||||||
|
For 6 and 7, the huge size requested from malloc() will fail (it exceeds
|
||||||
|
PTRDIFF_MAX) and the returned NULL pointer will cause a segmentation
|
||||||
|
fault in memcpy().
|
||||||
|
|
||||||
|
However, for 8, the allocation is 0, which succeeds. But then the -1
|
||||||
|
passed to memcpy() causes a heap-based buffer overflow (and possibly a
|
||||||
|
segmentation fault when attempting to read/write that much data).
|
||||||
|
Fortunately, if compiled with -D_FORTIFY_SOURCE=3 (the default on e.g.
|
||||||
|
Ubuntu), the compiler will use __memcpy_chk(), which prevents that buffer
|
||||||
|
overflow and causes the daemon to get aborted immediately instead.
|
||||||
|
|
||||||
|
Fixes: f98cdf7a4765 ("adding plugin for EAP-MS-CHAPv2")
|
||||||
|
Fixes: CVE-2025-62291
|
||||||
|
|
||||||
|
CVE: CVE-2025-62291
|
||||||
|
Upstream-Status: Backport [https://github.com/strongswan/strongswan/commit/c687ada6a6f68913651e355fd09f906893096b32]
|
||||||
|
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
|
||||||
|
---
|
||||||
|
src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
|
||||||
|
index 1bb54c8..9ad509a 100644
|
||||||
|
--- a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
|
||||||
|
+++ b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
|
||||||
|
@@ -974,7 +974,7 @@ static status_t process_peer_failure(private_eap_mschapv2_t *this,
|
||||||
|
data = in->get_data(in);
|
||||||
|
eap = (eap_mschapv2_header_t*)data.ptr;
|
||||||
|
|
||||||
|
- if (data.len < 3) /* we want at least an error code: E=e */
|
||||||
|
+ if (data.len < HEADER_LEN + 3) /* we want at least an error code: E=e */
|
||||||
|
{
|
||||||
|
DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: too short");
|
||||||
|
return FAILED;
|
||||||
@@ -9,7 +9,8 @@ DEPENDS = "flex-native flex bison-native"
|
|||||||
DEPENDS:append = "${@bb.utils.contains('DISTRO_FEATURES', 'tpm2', ' tpm2-tss', '', d)}"
|
DEPENDS:append = "${@bb.utils.contains('DISTRO_FEATURES', 'tpm2', ' tpm2-tss', '', d)}"
|
||||||
|
|
||||||
SRC_URI = "https://download.strongswan.org/strongswan-${PV}.tar.bz2 \
|
SRC_URI = "https://download.strongswan.org/strongswan-${PV}.tar.bz2 \
|
||||||
"
|
file://CVE-2025-62291.patch \
|
||||||
|
"
|
||||||
|
|
||||||
SRC_URI[sha256sum] = "728027ddda4cb34c67c4cec97d3ddb8c274edfbabdaeecf7e74693b54fc33678"
|
SRC_URI[sha256sum] = "728027ddda4cb34c67c4cec97d3ddb8c274edfbabdaeecf7e74693b54fc33678"
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user