strongswan: Security Advisory - strongswan - CVE-2014-2891

strongSwan before 5.1.2 allows remote attackers to cause a denial of service (NULL pointer dereference and IKE daemon crash) via a crafted ID_DER_ASN1_DN ID payload. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2891 Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Jackie Huang <jackie.huang@windriver.com> Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
author: Yue Tao <Yue.Tao@windriver.com> 2014-07-28 04:17:05 -0400
committer: Joe MacDonald <joe_macdonald@mentor.com> 2014-08-05 16:23:58 -0400
commit: 18bea207810b73828451a60f2d647c91f83d1883 (patch)
tree: afb8e9b6333fdc324f100d094d209e3dbe21588d
parent: 7d9440a1e7bdf69403c55d1d21c7d1db1f07969e (diff)
download: meta-openembedded-18bea207810b73828451a60f2d647c91f83d1883.tar.gz
2 files changed, 29 insertions, 0 deletions
diff --git a/meta-networking/recipes-support/strongswan/files/strongswan-4.3.3-5.1.1_asn1_unwrap.patch b/meta-networking/recipes-support/strongswan/files/strongswan-4.3.3-5.1.1_asn1_unwrap.patch
new file mode 100644
index 0000000000..374f2cfe69
--- /dev/null
+++ b/meta-networking/recipes-support/strongswan/files/strongswan-4.3.3-5.1.1_asn1_unwrap.patch
@@ -0,0 +1,28 @@
+strongswan: asn1: Properly check length in asn1_unwrap()
+Fixes CVE-2014-2891 in strongSwan releases 4.3.3-5.1.1.
+Upstream-Status: Pending
+Signed-off-by: Yue Tao <yue.tao@windriver.com>
+---
+ src/libstrongswan/asn1/asn1.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/src/libstrongswan/asn1/asn1.c b/src/libstrongswan/asn1/asn1.c
+index d860ad9..9a5f5c5 100644
+--- a/src/libstrongswan/asn1/asn1.c
+++ b/src/libstrongswan/asn1/asn1.c
+@@ -296,7 +296,7 @@ int asn1_unwrap(chunk_t *blob, chunk_t *inner)
+        else
+        {       /* composite length, determine number of length octets */
+                len &= 0x7f;
+-               if (len == 0 || len > sizeof(res.len))
+               if (len == 0 || len > blob->len || len > sizeof(res.len))
+                {
+                        return ASN1_INVALID;
+                }
+-- 
+1.7.10.4
diff --git a/meta-networking/recipes-support/strongswan/strongswan_5.1.1.bb b/meta-networking/recipes-support/strongswan/strongswan_5.1.1.bb
index 821d965eac..cfa9abccca 100644
--- a/meta-networking/recipes-support/strongswan/strongswan_5.1.1.bb
+++ b/meta-networking/recipes-support/strongswan/strongswan_5.1.1.bb
@@ -10,6 +10,7 @@ DEPENDS = "gmp openssl flex-native flex bison-native"
 SRC_URI = "http://download.strongswan.org/strongswan-${PV}.tar.bz2 \
        file://fix-funtion-parameter.patch \
        file://strongswan-5.0.0-5.1.2_reject_child_sa.patch \
+        file://strongswan-4.3.3-5.1.1_asn1_unwrap.patch \
 "
 SRC_URI[md5sum] = "e3af3d493d22286be3cd794533a8966a"
author	Yue Tao <Yue.Tao@windriver.com>	2014-07-28 04:17:05 -0400
committer	Joe MacDonald <joe_macdonald@mentor.com>	2014-08-05 16:23:58 -0400
commit	18bea207810b73828451a60f2d647c91f83d1883 (patch)
tree	afb8e9b6333fdc324f100d094d209e3dbe21588d
parent	7d9440a1e7bdf69403c55d1d21c7d1db1f07969e (diff)
download	meta-openembedded-18bea207810b73828451a60f2d647c91f83d1883.tar.gz

diff --git a/meta-networking/recipes-support/strongswan/files/strongswan-4.3.3-5.1.1_asn1_unwrap.patch b/meta-networking/recipes-support/strongswan/files/strongswan-4.3.3-5.1.1_asn1_unwrap.patch new file mode 100644 index 0000000000..374f2cfe69 --- /dev/null +++ b/meta-networking/recipes-support/strongswan/files/strongswan-4.3.3-5.1.1_asn1_unwrap.patch
@@ -0,0 +1,28 @@
		1	strongswan: asn1: Properly check length in asn1_unwrap()
		2
		3	Fixes CVE-2014-2891 in strongSwan releases 4.3.3-5.1.1.
		4
		5	Upstream-Status: Pending
		6
		7	Signed-off-by: Yue Tao <yue.tao@windriver.com>
		8
		9	---
		10	src/libstrongswan/asn1/asn1.c \| 2 +-
		11	1 file changed, 1 insertion(+), 1 deletion(-)
		12
		13	diff --git a/src/libstrongswan/asn1/asn1.c b/src/libstrongswan/asn1/asn1.c
		14	index d860ad9..9a5f5c5 100644
		15	--- a/src/libstrongswan/asn1/asn1.c
		16	+++ b/src/libstrongswan/asn1/asn1.c
		17	@@ -296,7 +296,7 @@ int asn1_unwrap(chunk_t blob, chunk_t inner)
		18	else
		19	{ /* composite length, determine number of length octets */
		20	len &= 0x7f;
		21	- if (len == 0 \|\| len > sizeof(res.len))
		22	+ if (len == 0 \|\| len > blob->len \|\| len > sizeof(res.len))
		23	{
		24	return ASN1_INVALID;
		25	}
		26	--
		27	1.7.10.4
		28


diff --git a/meta-networking/recipes-support/strongswan/strongswan_5.1.1.bb b/meta-networking/recipes-support/strongswan/strongswan_5.1.1.bb index 821d965eac..cfa9abccca 100644 --- a/meta-networking/recipes-support/strongswan/strongswan_5.1.1.bb +++ b/meta-networking/recipes-support/strongswan/strongswan_5.1.1.bb
@@ -10,6 +10,7 @@ DEPENDS = "gmp openssl flex-native flex bison-native"
10	SRC_URI = "http://download.strongswan.org/strongswan-${PV}.tar.bz2 \	10	SRC_URI = "http://download.strongswan.org/strongswan-${PV}.tar.bz2 \
11	file://fix-funtion-parameter.patch \	11	file://fix-funtion-parameter.patch \
12	file://strongswan-5.0.0-5.1.2_reject_child_sa.patch \	12	file://strongswan-5.0.0-5.1.2_reject_child_sa.patch \
		13	file://strongswan-4.3.3-5.1.1_asn1_unwrap.patch \
13	"	14	"
14		15
15	SRC_URI[md5sum] = "e3af3d493d22286be3cd794533a8966a"	16	SRC_URI[md5sum] = "e3af3d493d22286be3cd794533a8966a"