Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
security/strongswan: fix CVE-2023-41913
This is urgent change adding official patch https://download.strongswan.org/security/CVE-2023-41913/strongswan-5.9.7-5.9.11_charon_tkm_dh_len.patch that is identical to the change made for strongswan-5.9.12: strongswan/strongswan@96d7937 It is upto port maintainer to review and maybe upgrade the port to 5.9.12 Obtained from: strongSwan Security: CVE-2023-41913
- Loading branch information
Eugene Grosbein
authored and
Eugene Grosbein
committed
Nov 24, 2023
1 parent
df6911f
commit 4e2c038
Showing
2 changed files
with
43 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
42 changes: 42 additions & 0 deletions
42
security/strongswan/files/patch-src_swanctl_charon-tkm_src_tkm_tkm_diffie_hellman.c
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,42 @@ | ||
| From 027421cbd2e6e628f5f959c74d722afadc477485 Mon Sep 17 00:00:00 2001 | ||
| From: Tobias Brunner <tobias@strongswan.org> | ||
| Date: Tue, 11 Jul 2023 12:12:25 +0200 | ||
| Subject: [PATCH] charon-tkm: Validate DH public key to fix potential buffer | ||
| overflow | ||
|
|
||
| Seems this was forgotten in the referenced commit and actually could lead | ||
| to a buffer overflow. Since charon-tkm is untrusted this isn't that | ||
| much of an issue but could at least be easily exploited for a DoS attack | ||
| as DH public values are set when handling IKE_SA_INIT requests. | ||
|
|
||
| Fixes: 0356089d0f94 ("diffie-hellman: Verify public DH values in backends") | ||
| Fixes: CVE-2023-41913 | ||
| --- | ||
| src/charon-tkm/src/tkm/tkm_diffie_hellman.c | 7 ++++++- | ||
| 1 file changed, 6 insertions(+), 1 deletion(-) | ||
|
|
||
| diff --git a/src/charon-tkm/src/tkm/tkm_diffie_hellman.c b/src/charon-tkm/src/tkm/tkm_diffie_hellman.c | ||
| index 2b2d103d03e9..6999ad360d7e 100644 | ||
| --- src/charon-tkm/src/tkm/tkm_diffie_hellman.c | ||
| +++ src/charon-tkm/src/tkm/tkm_diffie_hellman.c | ||
| @@ -70,11 +70,16 @@ METHOD(key_exchange_t, get_shared_secret, bool, | ||
| return TRUE; | ||
| } | ||
|
|
||
| - | ||
| METHOD(key_exchange_t, set_public_key, bool, | ||
| private_tkm_diffie_hellman_t *this, chunk_t value) | ||
| { | ||
| dh_pubvalue_type othervalue; | ||
| + | ||
| + if (!key_exchange_verify_pubkey(this->group, value) || | ||
| + value.len > sizeof(othervalue.data)) | ||
| + { | ||
| + return FALSE; | ||
| + } | ||
| othervalue.size = value.len; | ||
| memcpy(&othervalue.data, value.ptr, value.len); | ||
|
|
||
| -- | ||
| 2.34.1 | ||
|
|