diff options
| author | Gyorgy Sarvari <skandigraun@gmail.com> | 2026-01-23 18:02:14 +0100 |
|---|---|---|
| committer | Anuj Mittal <anuj.mittal@oss.qualcomm.com> | 2026-01-26 10:04:45 +0530 |
| commit | e5a1286bf77165425b13ae6caf6fef46052edc4e (patch) | |
| tree | 4bedf4782c9a04940a9cb15169233c35773f153d /meta-networking | |
| parent | 98425feebe5ee7b2f82a7e1405f6f6a9fce5a3cf (diff) | |
| download | meta-openembedded-e5a1286bf77165425b13ae6caf6fef46052edc4e.tar.gz | |
strongswan: patch CVE-2025-62291
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-62291
Pick the patch that is mentioned on the vendor's blog[1], that
is also referenced in the NVD report.
[1]: https://www.strongswan.org/blog/2025/10/27/strongswan-vulnerability-%28cve-2025-62291%29.html
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Diffstat (limited to 'meta-networking')
| -rw-r--r-- | meta-networking/recipes-support/strongswan/strongswan/CVE-2025-62291.patch | 45 | ||||
| -rw-r--r-- | meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb | 3 |
2 files changed, 47 insertions, 1 deletions
diff --git a/meta-networking/recipes-support/strongswan/strongswan/CVE-2025-62291.patch b/meta-networking/recipes-support/strongswan/strongswan/CVE-2025-62291.patch new file mode 100644 index 0000000000..df5568235e --- /dev/null +++ b/meta-networking/recipes-support/strongswan/strongswan/CVE-2025-62291.patch | |||
| @@ -0,0 +1,45 @@ | |||
| 1 | From 8412dbb2dc054191b03df8e7fbc3dd8bf4c10be3 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Tobias Brunner <tobias@strongswan.org> | ||
| 3 | Date: Thu, 9 Oct 2025 11:33:45 +0200 | ||
| 4 | Subject: [PATCH] eap-mschapv2: Fix length check for Failure Request packets on | ||
| 5 | the client | ||
| 6 | |||
| 7 | For message lengths between 6 and 8, subtracting HEADER_LEN (9) causes | ||
| 8 | `message_len` to become negative, which is then used in calls to malloc() | ||
| 9 | and memcpy() that both take size_t arguments, causing an integer | ||
| 10 | underflow. | ||
| 11 | |||
| 12 | For 6 and 7, the huge size requested from malloc() will fail (it exceeds | ||
| 13 | PTRDIFF_MAX) and the returned NULL pointer will cause a segmentation | ||
| 14 | fault in memcpy(). | ||
| 15 | |||
| 16 | However, for 8, the allocation is 0, which succeeds. But then the -1 | ||
| 17 | passed to memcpy() causes a heap-based buffer overflow (and possibly a | ||
| 18 | segmentation fault when attempting to read/write that much data). | ||
| 19 | Fortunately, if compiled with -D_FORTIFY_SOURCE=3 (the default on e.g. | ||
| 20 | Ubuntu), the compiler will use __memcpy_chk(), which prevents that buffer | ||
| 21 | overflow and causes the daemon to get aborted immediately instead. | ||
| 22 | |||
| 23 | Fixes: f98cdf7a4765 ("adding plugin for EAP-MS-CHAPv2") | ||
| 24 | Fixes: CVE-2025-62291 | ||
| 25 | |||
| 26 | CVE: CVE-2025-62291 | ||
| 27 | Upstream-Status: Backport [https://github.com/strongswan/strongswan/commit/c687ada6a6f68913651e355fd09f906893096b32] | ||
| 28 | Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> | ||
| 29 | --- | ||
| 30 | src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c | 2 +- | ||
| 31 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
| 32 | |||
| 33 | diff --git a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c | ||
| 34 | index 1bb54c8..9ad509a 100644 | ||
| 35 | --- a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c | ||
| 36 | +++ b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c | ||
| 37 | @@ -974,7 +974,7 @@ static status_t process_peer_failure(private_eap_mschapv2_t *this, | ||
| 38 | data = in->get_data(in); | ||
| 39 | eap = (eap_mschapv2_header_t*)data.ptr; | ||
| 40 | |||
| 41 | - if (data.len < 3) /* we want at least an error code: E=e */ | ||
| 42 | + if (data.len < HEADER_LEN + 3) /* we want at least an error code: E=e */ | ||
| 43 | { | ||
| 44 | DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: too short"); | ||
| 45 | return FAILED; | ||
diff --git a/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb b/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb index 2e2da8274b..4592381a36 100644 --- a/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb +++ b/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb | |||
| @@ -9,7 +9,8 @@ DEPENDS = "flex-native flex bison-native" | |||
| 9 | DEPENDS:append = "${@bb.utils.contains('DISTRO_FEATURES', 'tpm2', ' tpm2-tss', '', d)}" | 9 | DEPENDS:append = "${@bb.utils.contains('DISTRO_FEATURES', 'tpm2', ' tpm2-tss', '', d)}" |
| 10 | 10 | ||
| 11 | SRC_URI = "https://download.strongswan.org/strongswan-${PV}.tar.bz2 \ | 11 | SRC_URI = "https://download.strongswan.org/strongswan-${PV}.tar.bz2 \ |
| 12 | " | 12 | file://CVE-2025-62291.patch \ |
| 13 | " | ||
| 13 | 14 | ||
| 14 | SRC_URI[sha256sum] = "728027ddda4cb34c67c4cec97d3ddb8c274edfbabdaeecf7e74693b54fc33678" | 15 | SRC_URI[sha256sum] = "728027ddda4cb34c67c4cec97d3ddb8c274edfbabdaeecf7e74693b54fc33678" |
| 15 | 16 | ||
