* [Buildroot] [PATCH] strongswan: add upstream security patches
@ 2017-05-30 13:03 Peter Korsgaard
2017-05-30 21:44 ` Thomas Petazzoni
2017-06-01 14:40 ` Peter Korsgaard
0 siblings, 2 replies; 3+ messages in thread
From: Peter Korsgaard @ 2017-05-30 13:03 UTC (permalink / raw)
To: buildroot
Fixes:
CVE-2017-9022 - RSA public keys passed to the gmp plugin aren't
validated sufficiently before attempting signature verification, so that
invalid input might lead to a floating point exception and crash of the
process. A certificate with an appropriately prepared public key sent by a
peer could be used for a denial-of-service attack.
https://www.strongswan.org/blog/2017/05/30/strongswan-vulnerability-%28cve-2017-9022%29.html
CVE-2017-9023 - ASN.1 CHOICE types are not correctly handled by the ASN.1
parser when parsing X.509 certificates with extensions that use such types.
This could lead to infinite looping of the thread parsing a specifically
crafted certificate.
https://www.strongswan.org/blog/2017/05/30/strongswan-vulnerability-%28cve-2017-9023%29.html
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
package/strongswan/strongswan.hash | 3 +++
package/strongswan/strongswan.mk | 3 +++
2 files changed, 6 insertions(+)
diff --git a/package/strongswan/strongswan.hash b/package/strongswan/strongswan.hash
index 97fb1998e4..cbc4e3857a 100644
--- a/package/strongswan/strongswan.hash
+++ b/package/strongswan/strongswan.hash
@@ -2,3 +2,6 @@
md5 9d7c77b0da9b69f859624897e5e9ebbf strongswan-5.4.0.tar.bz2
# Calculated based on the hash above
sha256 f8288faaea6a9cd8a7d413c0b76b7922be5da3dfcd01fd05cb30d2c55d3bbe89 strongswan-5.4.0.tar.bz2
+# Locally calculated
+sha256 f5ba7f46cf7ae81dd81bc86f9e4cfa0c5c7c6987149b3bc9c0b8bf08598a1063 strongswan-4.4.0-5.5.2_gmp_mpz_powm_sec.patch
+sha256 03db8c7a4133e877e8992e155c046dd27ec4810d50f239abf55595f0280caf31 strongswan-5.0.0-5.5.2_asn1_choice.patch
diff --git a/package/strongswan/strongswan.mk b/package/strongswan/strongswan.mk
index 2a852f22d0..1070eeaf8b 100644
--- a/package/strongswan/strongswan.mk
+++ b/package/strongswan/strongswan.mk
@@ -7,6 +7,9 @@
STRONGSWAN_VERSION = 5.4.0
STRONGSWAN_SOURCE = strongswan-$(STRONGSWAN_VERSION).tar.bz2
STRONGSWAN_SITE = http://download.strongswan.org
+STRONGSWAN_PATCH = \
+ $(STRONGSWAN_SITE)/patches/21_gmp_mpz_powm_sec_patch/strongswan-4.4.0-5.5.2_gmp_mpz_powm_sec.patch \
+ $(STRONGSWAN_SITE)/patches/22_asn1_choice_patch/strongswan-5.0.0-5.5.2_asn1_choice.patch
STRONGSWAN_LICENSE = GPL-2.0+
STRONGSWAN_LICENSE_FILES = COPYING LICENSE
STRONGSWAN_DEPENDENCIES = host-pkgconf
--
2.11.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [Buildroot] [PATCH] strongswan: add upstream security patches
2017-05-30 13:03 [Buildroot] [PATCH] strongswan: add upstream security patches Peter Korsgaard
@ 2017-05-30 21:44 ` Thomas Petazzoni
2017-06-01 14:40 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Thomas Petazzoni @ 2017-05-30 21:44 UTC (permalink / raw)
To: buildroot
Hello,
On Tue, 30 May 2017 15:03:24 +0200, Peter Korsgaard wrote:
> Fixes:
>
> CVE-2017-9022 - RSA public keys passed to the gmp plugin aren't
> validated sufficiently before attempting signature verification, so that
> invalid input might lead to a floating point exception and crash of the
> process. A certificate with an appropriately prepared public key sent by a
> peer could be used for a denial-of-service attack.
>
> https://www.strongswan.org/blog/2017/05/30/strongswan-vulnerability-%28cve-2017-9022%29.html
>
> CVE-2017-9023 - ASN.1 CHOICE types are not correctly handled by the ASN.1
> parser when parsing X.509 certificates with extensions that use such types.
> This could lead to infinite looping of the thread parsing a specifically
> crafted certificate.
>
> https://www.strongswan.org/blog/2017/05/30/strongswan-vulnerability-%28cve-2017-9023%29.html
>
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
> ---
> package/strongswan/strongswan.hash | 3 +++
> package/strongswan/strongswan.mk | 3 +++
> 2 files changed, 6 insertions(+)
Applied to master, thanks.
Thomas
--
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com
^ permalink raw reply [flat|nested] 3+ messages in thread
* [Buildroot] [PATCH] strongswan: add upstream security patches
2017-05-30 13:03 [Buildroot] [PATCH] strongswan: add upstream security patches Peter Korsgaard
2017-05-30 21:44 ` Thomas Petazzoni
@ 2017-06-01 14:40 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2017-06-01 14:40 UTC (permalink / raw)
To: buildroot
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
> Fixes:
> CVE-2017-9022 - RSA public keys passed to the gmp plugin aren't
> validated sufficiently before attempting signature verification, so that
> invalid input might lead to a floating point exception and crash of the
> process. A certificate with an appropriately prepared public key sent by a
> peer could be used for a denial-of-service attack.
> https://www.strongswan.org/blog/2017/05/30/strongswan-vulnerability-%28cve-2017-9022%29.html
> CVE-2017-9023 - ASN.1 CHOICE types are not correctly handled by the ASN.1
> parser when parsing X.509 certificates with extensions that use such types.
> This could lead to infinite looping of the thread parsing a specifically
> crafted certificate.
> https://www.strongswan.org/blog/2017/05/30/strongswan-vulnerability-%28cve-2017-9023%29.html
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Committed to 2017.02.x, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2017-06-01 14:40 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-05-30 13:03 [Buildroot] [PATCH] strongswan: add upstream security patches Peter Korsgaard
2017-05-30 21:44 ` Thomas Petazzoni
2017-06-01 14:40 ` Peter Korsgaard
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.