2 files changed, 47 insertions, 0 deletions
diff --git a/meta-networking/recipes-support/strongswan/files/CVE-2023-41913.patch b/meta-networking/recipes-support/strongswan/files/CVE-2023-41913.patch
new file mode 100644
index 0000000000..c0de1f1588
--- /dev/null
+++ b/meta-networking/recipes-support/strongswan/files/CVE-2023-41913.patch
@@ -0,0 +1,46 @@
+From 027421cbd2e6e628f5f959c74d722afadc477485 Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Tue, 11 Jul 2023 12:12:25 +0200
+Subject: [PATCH] charon-tkm: Validate DH public key to fix potential buffer
+ overflow
+Seems this was forgotten in the referenced commit and actually could lead
+to a buffer overflow.  Since charon-tkm is untrusted this isn't that
+much of an issue but could at least be easily exploited for a DoS attack
+as DH public values are set when handling IKE_SA_INIT requests.
+Fixes: 0356089d0f94 ("diffie-hellman: Verify public DH values in backends")
+Fixes: CVE-2023-41913
+Upstream-Status: Backport [https://download.strongswan.org/security/CVE-2023-41913/strongswan-5.3.0-5.9.6_charon_tkm_dh_len.patch]
+CVE: CVE-2023-41913
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/charon-tkm/src/tkm/tkm_diffie_hellman.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+diff --git a/src/charon-tkm/src/tkm/tkm_diffie_hellman.c b/src/charon-tkm/src/tkm/tkm_diffie_hellman.c
+index 2b2d103d03e9..6999ad360d7e 100644
+--- a/src/charon-tkm/src/tkm/tkm_diffie_hellman.c
+++ b/src/charon-tkm/src/tkm/tkm_diffie_hellman.c
+@@ -70,11 +70,16 @@ METHOD(key_exchange_t, get_shared_secret, bool,
+        return TRUE;
+ }
+ 
+-
+ METHOD(diffie_hellman_t, set_other_public_value, bool,
+        private_tkm_diffie_hellman_t *this, chunk_t value)
+ {
+        dh_pubvalue_type othervalue;
+
+       if (!key_exchange_verify_pubkey(this->group, value) ||
+               value.len > sizeof(othervalue.data))
+       {
+               return FALSE;
+       }
+        othervalue.size = value.len;
+        memcpy(&othervalue.data, value.ptr, value.len);
+ 
+-- 
+2.34.1
diff --git a/meta-networking/recipes-support/strongswan/strongswan_5.8.4.bb b/meta-networking/recipes-support/strongswan/strongswan_5.8.4.bb
index c11748645c..9f676d0b18 100644
--- a/meta-networking/recipes-support/strongswan/strongswan_5.8.4.bb
+++ b/meta-networking/recipes-support/strongswan/strongswan_5.8.4.bb
@@ -15,6 +15,7 @@ SRC_URI = "http://download.strongswan.org/strongswan-${PV}.tar.bz2 \
           file://CVE-2021-41991.patch \
           file://CVE-2021-45079.patch \
           file://CVE-2022-40617.patch \
+           file://CVE-2023-41913.patch \
           "
 SRC_URI[md5sum] = "0634e7f40591bd3f6770e583c3f27d29"

diff --git a/meta-networking/recipes-support/strongswan/files/CVE-2023-41913.patch b/meta-networking/recipes-support/strongswan/files/CVE-2023-41913.patch new file mode 100644 index 0000000000..c0de1f1588 --- /dev/null +++ b/meta-networking/recipes-support/strongswan/files/CVE-2023-41913.patch
@@ -0,0 +1,46 @@
		1	From 027421cbd2e6e628f5f959c74d722afadc477485 Mon Sep 17 00:00:00 2001
		2	From: Tobias Brunner <tobias@strongswan.org>
		3	Date: Tue, 11 Jul 2023 12:12:25 +0200
		4	Subject: [PATCH] charon-tkm: Validate DH public key to fix potential buffer
		5	overflow
		6
		7	Seems this was forgotten in the referenced commit and actually could lead
		8	to a buffer overflow. Since charon-tkm is untrusted this isn't that
		9	much of an issue but could at least be easily exploited for a DoS attack
		10	as DH public values are set when handling IKE_SA_INIT requests.
		11
		12	Fixes: 0356089d0f94 ("diffie-hellman: Verify public DH values in backends")
		13	Fixes: CVE-2023-41913
		14
		15	Upstream-Status: Backport [https://download.strongswan.org/security/CVE-2023-41913/strongswan-5.3.0-5.9.6_charon_tkm_dh_len.patch]
		16	CVE: CVE-2023-41913
		17	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		18	---
		19	src/charon-tkm/src/tkm/tkm_diffie_hellman.c \| 7 ++++++-
		20	1 file changed, 6 insertions(+), 1 deletion(-)
		21
		22	diff --git a/src/charon-tkm/src/tkm/tkm_diffie_hellman.c b/src/charon-tkm/src/tkm/tkm_diffie_hellman.c
		23	index 2b2d103d03e9..6999ad360d7e 100644
		24	--- a/src/charon-tkm/src/tkm/tkm_diffie_hellman.c
		25	+++ b/src/charon-tkm/src/tkm/tkm_diffie_hellman.c
		26	@@ -70,11 +70,16 @@ METHOD(key_exchange_t, get_shared_secret, bool,
		27	return TRUE;
		28	}
		29
		30	-
		31	METHOD(diffie_hellman_t, set_other_public_value, bool,
		32	private_tkm_diffie_hellman_t *this, chunk_t value)
		33	{
		34	dh_pubvalue_type othervalue;
		35	+
		36	+ if (!key_exchange_verify_pubkey(this->group, value) \|\|
		37	+ value.len > sizeof(othervalue.data))
		38	+ {
		39	+ return FALSE;
		40	+ }
		41	othervalue.size = value.len;
		42	memcpy(&othervalue.data, value.ptr, value.len);
		43
		44	--
		45	2.34.1
		46


diff --git a/meta-networking/recipes-support/strongswan/strongswan_5.8.4.bb b/meta-networking/recipes-support/strongswan/strongswan_5.8.4.bb index c11748645c..9f676d0b18 100644 --- a/meta-networking/recipes-support/strongswan/strongswan_5.8.4.bb +++ b/meta-networking/recipes-support/strongswan/strongswan_5.8.4.bb
@@ -15,6 +15,7 @@ SRC_URI = "http://download.strongswan.org/strongswan-${PV}.tar.bz2 \
15	file://CVE-2021-41991.patch \	15	file://CVE-2021-41991.patch \
16	file://CVE-2021-45079.patch \	16	file://CVE-2021-45079.patch \
17	file://CVE-2022-40617.patch \	17	file://CVE-2022-40617.patch \
		18	file://CVE-2023-41913.patch \
18	"	19	"
19		20
20	SRC_URI[md5sum] = "0634e7f40591bd3f6770e583c3f27d29"	21	SRC_URI[md5sum] = "0634e7f40591bd3f6770e583c3f27d29"