From c39f703bdd50436e74ab91b8696d61a3e751b55b Mon Sep 17 00:00:00 2001 From: Stijn Tintel Date: Wed, 17 Oct 2018 18:54:07 +0200 Subject: [PATCH] strongswan: bump to 5.7.1 Signed-off-by: Stijn Tintel --- net/strongswan/Makefile | 4 +- .../patches/011-gmp-cve-2018-17540.patch | 38 ------------------- .../patches/305-minimal_dh_plugin.patch | 8 ++-- 3 files changed, 6 insertions(+), 44 deletions(-) delete mode 100644 net/strongswan/patches/011-gmp-cve-2018-17540.patch diff --git a/net/strongswan/Makefile b/net/strongswan/Makefile index d9044b7e2b..60c4fe9a4a 100644 --- a/net/strongswan/Makefile +++ b/net/strongswan/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=strongswan -PKG_VERSION:=5.7.0 +PKG_VERSION:=5.7.1 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 -PKG_HASH:=d6fd0994320bc027090f6ee34964e59c42e761e7dac36cfcf1836c8cefc53c5c PKG_SOURCE_URL:=http://download.strongswan.org/ http://download2.strongswan.org/ +PKG_HASH:=006f9c9126e2a2f4e7a874b5e1bd2abec1bbbb193c8b3b3a4c6ccd8c2d454bec PKG_LICENSE:=GPL-2.0+ PKG_MAINTAINER:=Stijn Tintel diff --git a/net/strongswan/patches/011-gmp-cve-2018-17540.patch b/net/strongswan/patches/011-gmp-cve-2018-17540.patch deleted file mode 100644 index 225a5c803e..0000000000 --- a/net/strongswan/patches/011-gmp-cve-2018-17540.patch +++ /dev/null @@ -1,38 +0,0 @@ -From 129ab919a8c3abfc17bea776f0774e0ccf33ca09 Mon Sep 17 00:00:00 2001 -From: Tobias Brunner -Date: Tue, 25 Sep 2018 14:50:08 +0200 -Subject: [PATCH] gmp: Fix buffer overflow with very small RSA keys - -Because `keylen` is unsigned the subtraction results in an integer -underflow if the key length is < 11 bytes. - -This is only a problem when verifying signatures with a public key (for -private keys the plugin enforces a minimum modulus length) and to do so -we usually only use trusted keys. However, the x509 plugin actually -calls issued_by() on a parsed certificate to check if it is self-signed, -which is the reason this issue was found by OSS-Fuzz in the first place. -So, unfortunately, this can be triggered by sending an invalid client -cert to a peer. - -Fixes: 5955db5b124a ("gmp: Don't parse PKCS1 v1.5 RSA signatures to verify them") -Fixes: CVE-2018-17540 ---- - src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c -index e9a83fdf49a1..a255a40abce2 100644 ---- a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c -+++ b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c -@@ -301,7 +301,7 @@ bool gmp_emsa_pkcs1_signature_data(hash_algorithm_t hash_algorithm, - data = digestInfo; - } - -- if (data.len > keylen - 11) -+ if (keylen < 11 || data.len > keylen - 11) - { - chunk_free(&digestInfo); - DBG1(DBG_LIB, "signature value of %zu bytes is too long for key of " --- -2.7.4 - diff --git a/net/strongswan/patches/305-minimal_dh_plugin.patch b/net/strongswan/patches/305-minimal_dh_plugin.patch index 14a1de5788..1dab1140c1 100644 --- a/net/strongswan/patches/305-minimal_dh_plugin.patch +++ b/net/strongswan/patches/305-minimal_dh_plugin.patch @@ -1,6 +1,6 @@ --- a/configure.ac +++ b/configure.ac -@@ -135,6 +135,7 @@ ARG_DISBL_SET([fips-prf], [disable +@@ -136,6 +136,7 @@ ARG_DISBL_SET([fips-prf], [disable ARG_ENABL_SET([gcm], [enables the GCM AEAD wrapper crypto plugin.]) ARG_ENABL_SET([gcrypt], [enables the libgcrypt plugin.]) ARG_DISBL_SET([gmp], [disable GNU MP (libgmp) based crypto implementation plugin.]) @@ -8,7 +8,7 @@ ARG_DISBL_SET([curve25519], [disable Curve25519 Diffie-Hellman plugin.]) ARG_DISBL_SET([hmac], [disable HMAC crypto implementation plugin.]) ARG_ENABL_SET([md4], [enable MD4 software implementation plugin.]) -@@ -1407,6 +1408,7 @@ ADD_PLUGIN([gcrypt], [s ch +@@ -1410,6 +1411,7 @@ ADD_PLUGIN([botan], [s ch ADD_PLUGIN([af-alg], [s charon scepclient pki scripts medsrv attest nm cmd aikgen]) ADD_PLUGIN([fips-prf], [s charon nm cmd]) ADD_PLUGIN([gmp], [s charon scepclient pki scripts manager medsrv attest nm cmd aikgen fuzz]) @@ -16,7 +16,7 @@ ADD_PLUGIN([curve25519], [s charon pki scripts nm cmd]) ADD_PLUGIN([agent], [s charon nm cmd]) ADD_PLUGIN([keychain], [s charon cmd]) -@@ -1547,6 +1549,7 @@ AM_CONDITIONAL(USE_SHA3, test x$sha3 = x +@@ -1550,6 +1552,7 @@ AM_CONDITIONAL(USE_SHA3, test x$sha3 = x AM_CONDITIONAL(USE_MGF1, test x$mgf1 = xtrue) AM_CONDITIONAL(USE_FIPS_PRF, test x$fips_prf = xtrue) AM_CONDITIONAL(USE_GMP, test x$gmp = xtrue) @@ -24,7 +24,7 @@ AM_CONDITIONAL(USE_CURVE25519, test x$curve25519 = xtrue) AM_CONDITIONAL(USE_RDRAND, test x$rdrand = xtrue) AM_CONDITIONAL(USE_AESNI, test x$aesni = xtrue) -@@ -1823,6 +1826,7 @@ AC_CONFIG_FILES([ +@@ -1824,6 +1827,7 @@ AC_CONFIG_FILES([ src/libstrongswan/plugins/mgf1/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile -- 2.30.2