package/strongswan: add patch to fix CVE-2025-62291
https://nvd.nist.gov/vuln/detail/CVE-2025-62291 Signed-off-by: Waldemar Brodkorb <wbx@openadk.org> [Marcus: add comment pointing to patch before _IGNORE_CVES] Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
This commit is contained in:
Waldemar Brodkorb
committed by
Marcus Hoffmann
Marcus Hoffmann
parent
8e7a54f7ef
commit
b009935e27
@@ -0,0 +1,46 @@
|
||||
From dda24815d148b91209ebf2d27e3a7acefe9b6435 Mon Sep 17 00:00:00 2001
|
||||
From: Tobias Brunner <tobias@strongswan.org>
|
||||
Date: Thu, 9 Oct 2025 11:33:45 +0200
|
||||
Subject: [PATCH] eap-mschapv2: Fix length check for Failure Request packets on
|
||||
the client
|
||||
|
||||
For message lengths between 6 and 8, subtracting HEADER_LEN (9) causes
|
||||
`message_len` to become negative, which is then used in calls to malloc()
|
||||
and memcpy() that both take size_t arguments, causing an integer
|
||||
underflow.
|
||||
|
||||
For 6 and 7, the huge size requested from malloc() will fail (it exceeds
|
||||
PTRDIFF_MAX) and the returned NULL pointer will cause a segmentation
|
||||
fault in memcpy().
|
||||
|
||||
However, for 8, the allocation is 0, which succeeds. But then the -1
|
||||
passed to memcpy() causes a heap-based buffer overflow (and possibly a
|
||||
segmentation fault when attempting to read/write that much data).
|
||||
Fortunately, if compiled with -D_FORTIFY_SOURCE=3 (the default on e.g.
|
||||
Ubuntu), the compiler will use __memcpy_chk(), which prevents that buffer
|
||||
overflow and causes the daemon to get aborted immediately instead.
|
||||
|
||||
Fixes: f98cdf7a4765 ("adding plugin for EAP-MS-CHAPv2")
|
||||
Fixes: CVE-2025-62291
|
||||
Upstream: https://github.com/strongswan/strongswan/commit/c687ada6a6f68913651e355fd09f906893096b32
|
||||
Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
|
||||
---
|
||||
src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
|
||||
index 21cc95a6a360..35faad2e0bb5 100644
|
||||
--- a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
|
||||
+++ b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
|
||||
@@ -974,7 +974,7 @@ static status_t process_peer_failure(private_eap_mschapv2_t *this,
|
||||
data = in->get_data(in);
|
||||
eap = (eap_mschapv2_header_t*)data.ptr;
|
||||
|
||||
- if (data.len < 3) /* we want at least an error code: E=e */
|
||||
+ if (data.len < HEADER_LEN + 3) /* we want at least an error code: E=e */
|
||||
{
|
||||
DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: too short");
|
||||
return FAILED;
|
||||
--
|
||||
2.43.0
|
||||
|
||||
@@ -12,6 +12,8 @@ STRONGSWAN_LICENSE_FILES = COPYING LICENSE
|
||||
STRONGSWAN_CPE_ID_VENDOR = strongswan
|
||||
STRONGSWAN_DEPENDENCIES = host-pkgconf
|
||||
STRONGSWAN_INSTALL_STAGING = YES
|
||||
# 0001-eap_mschapv2_failure_request_len.patch
|
||||
STRONGSWAN_IGNORE_CVES += CVE-2025-62291
|
||||
STRONGSWAN_CONF_OPTS += \
|
||||
--without-lib-prefix \
|
||||
--enable-led \
|
||||
|
||||
Reference in New Issue
Block a user