* [Buildroot] [PATCH 1/1] package/strongswan: security bump to version 5.9.8
@ 2022-11-04 16:18 Fabrice Fontaine
From: Fabrice Fontaine @ 2022-11-04 16:18 UTC (permalink / raw)
  To: buildroot; +Cc: Fabrice Fontaine, Jérôme Pouiller

Fixed a vulnerability related to online certificate revocation checking
that was caused because the revocation plugin used potentially untrusted
OCSP URIs and CRL distribution points in certificates. This allowed a
remote attacker to initiate IKE_SAs and send crafted certificates that
contain URIs pointing to servers under their control, which could have
led to a denial-of-service attack. This vulnerability has been
registered as CVE-2022-40617.

Drop patch (already in version)

https://www.strongswan.org/blog/2022/10/03/strongswan-vulnerability-(cve-2022-40617).html
https://github.com/strongswan/strongswan/releases/tag/5.9.6
https://github.com/strongswan/strongswan/releases/tag/5.9.7
https://github.com/strongswan/strongswan/releases/tag/5.9.8

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 ...gswan-plugins-wolfssl-rename-encrypt.patch | 150 ------------------
 package/strongswan/strongswan.hash            |   6 +-
 package/strongswan/strongswan.mk              |   2 +-
 3 files changed, 4 insertions(+), 154 deletions(-)
 delete mode 100644 package/strongswan/0001-src-libstrongswan-plugins-wolfssl-rename-encrypt.patch

diff --git a/package/strongswan/0001-src-libstrongswan-plugins-wolfssl-rename-encrypt.patch b/package/strongswan/0001-src-libstrongswan-plugins-wolfssl-rename-encrypt.patch
deleted file mode 100644
index 7b47b3278b..0000000000
--- a/package/strongswan/0001-src-libstrongswan-plugins-wolfssl-rename-encrypt.patch
+++ /dev/null
@@ -1,150 +0,0 @@
-From 5900426a710eaa65a27784687775e331bcb0489b Mon Sep 17 00:00:00 2001
-From: Fabrice Fontaine <fontaine.fabrice@gmail.com>
-Date: Mon, 8 Aug 2022 09:52:19 +0200
-Subject: [PATCH] wolfssl: Rename `encrypt` methods to avoid conflicts with
- system headers
-
-Rename `encrypt` methods to avoid the following build failure when wolfSSL
-is built with --enable-opensslextra:
-
-In file included from ../../../../src/libstrongswan/utils/utils.h:59,
-                 from ../../../../src/libstrongswan/library.h:101,
-                 from wolfssl_common.h:29,
-                 from wolfssl_aead.c:23:
-wolfssl_aead.c:90:16: error: conflicting types for 'encrypt'; have '_Bool(union <anonymous>,  chunk_t,  chunk_t,  chunk_t,  chunk_t *)'
-   90 | METHOD(aead_t, encrypt, bool,
-      |                ^~~~~~~
-../../../../src/libstrongswan/utils/utils/object.h:99:20: note: in definition of macro 'METHOD'
-   99 |         static ret name(union {iface *_public; this;} \
-      |                    ^~~~
-In file included from /home/autobuild/autobuild/instance-5/output-1/host/powerpc64le-buildroot-linux-musl/sysroot/usr/include/wolfssl/wolfcrypt/wc_port.h:573,
-                 from /home/autobuild/autobuild/instance-5/output-1/host/powerpc64le-buildroot-linux-musl/sysroot/usr/include/wolfssl/wolfcrypt/types.h:35,
-                 from /home/autobuild/autobuild/instance-5/output-1/host/powerpc64le-buildroot-linux-musl/sysroot/usr/include/wolfssl/wolfcrypt/logging.h:33,
-                 from /home/autobuild/autobuild/instance-5/output-1/host/powerpc64le-buildroot-linux-musl/sysroot/usr/include/wolfssl/ssl.h:35,
-                 from wolfssl_common.h:64,
-                 from wolfssl_aead.c:23:
-/home/autobuild/autobuild/instance-5/output-1/host/powerpc64le-buildroot-linux-musl/sysroot/usr/include/unistd.h:149:6: note: previous declaration of 'encrypt' with type 'void(char *, int)'
-  149 | void encrypt(char *, int);
-      |      ^~~~~~~
-
-Closes strongswan/strongswan#1201
-[Retrieved from:
-https://github.com/strongswan/strongswan/commit/5900426a710eaa65a27784687775e331bcb0489b]
----
- src/libstrongswan/plugins/wolfssl/wolfssl_aead.c           | 4 ++--
- src/libstrongswan/plugins/wolfssl/wolfssl_crypter.c        | 4 ++--
- src/libstrongswan/plugins/wolfssl/wolfssl_ec_public_key.c  | 4 ++--
- src/libstrongswan/plugins/wolfssl/wolfssl_ed_public_key.c  | 4 ++--
- src/libstrongswan/plugins/wolfssl/wolfssl_rsa_public_key.c | 4 ++--
- 5 files changed, 10 insertions(+), 10 deletions(-)
-
-diff --git a/src/libstrongswan/plugins/wolfssl/wolfssl_aead.c b/src/libstrongswan/plugins/wolfssl/wolfssl_aead.c
-index 2ea7c94cd65..44f054916cf 100644
---- a/src/libstrongswan/plugins/wolfssl/wolfssl_aead.c
-+++ b/src/libstrongswan/plugins/wolfssl/wolfssl_aead.c
-@@ -87,7 +87,7 @@ struct private_aead_t {
- 	encryption_algorithm_t alg;
- };
- 
--METHOD(aead_t, encrypt, bool,
-+METHOD(aead_t, encrypt_, bool,
- 	private_aead_t *this, chunk_t plain, chunk_t assoc, chunk_t iv,
- 	chunk_t *encrypted)
- {
-@@ -323,7 +323,7 @@ aead_t *wolfssl_aead_create(encryption_algorithm_t algo,
- 
- 	INIT(this,
- 		.public = {
--			.encrypt = _encrypt,
-+			.encrypt = _encrypt_,
- 			.decrypt = _decrypt,
- 			.get_block_size = _get_block_size,
- 			.get_icv_size = _get_icv_size,
-diff --git a/src/libstrongswan/plugins/wolfssl/wolfssl_crypter.c b/src/libstrongswan/plugins/wolfssl/wolfssl_crypter.c
-index cffe7ba2375..085a912404c 100644
---- a/src/libstrongswan/plugins/wolfssl/wolfssl_crypter.c
-+++ b/src/libstrongswan/plugins/wolfssl/wolfssl_crypter.c
-@@ -230,7 +230,7 @@ METHOD(crypter_t, decrypt, bool,
- 	return success;
- }
- 
--METHOD(crypter_t, encrypt, bool,
-+METHOD(crypter_t, encrypt_, bool,
- 	private_wolfssl_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *dst)
- {
- 	u_char *out;
-@@ -578,7 +578,7 @@ wolfssl_crypter_t *wolfssl_crypter_create(encryption_algorithm_t algo,
- 	INIT(this,
- 		.public = {
- 			.crypter = {
--				.encrypt = _encrypt,
-+				.encrypt = _encrypt_,
- 				.decrypt = _decrypt,
- 				.get_block_size = _get_block_size,
- 				.get_iv_size = _get_iv_size,
-diff --git a/src/libstrongswan/plugins/wolfssl/wolfssl_ec_public_key.c b/src/libstrongswan/plugins/wolfssl/wolfssl_ec_public_key.c
-index d8a1ededb06..110543762f2 100644
---- a/src/libstrongswan/plugins/wolfssl/wolfssl_ec_public_key.c
-+++ b/src/libstrongswan/plugins/wolfssl/wolfssl_ec_public_key.c
-@@ -193,7 +193,7 @@ METHOD(public_key_t, verify, bool,
- 	}
- }
- 
--METHOD(public_key_t, encrypt, bool,
-+METHOD(public_key_t, encrypt_, bool,
- 	private_wolfssl_ec_public_key_t *this, encryption_scheme_t scheme,
- 	void *params, chunk_t crypto, chunk_t *plain)
- {
-@@ -324,7 +324,7 @@ static private_wolfssl_ec_public_key_t *create_empty()
- 			.key = {
- 				.get_type = _get_type,
- 				.verify = _verify,
--				.encrypt = _encrypt,
-+				.encrypt = _encrypt_,
- 				.get_keysize = _get_keysize,
- 				.equals = public_key_equals,
- 				.get_fingerprint = _get_fingerprint,
-diff --git a/src/libstrongswan/plugins/wolfssl/wolfssl_ed_public_key.c b/src/libstrongswan/plugins/wolfssl/wolfssl_ed_public_key.c
-index f423d8d5691..ea0fb3dfc77 100644
---- a/src/libstrongswan/plugins/wolfssl/wolfssl_ed_public_key.c
-+++ b/src/libstrongswan/plugins/wolfssl/wolfssl_ed_public_key.c
-@@ -111,7 +111,7 @@ METHOD(public_key_t, verify, bool,
- 	return ret == 0 && res == 1;
- }
- 
--METHOD(public_key_t, encrypt, bool,
-+METHOD(public_key_t, encrypt_, bool,
- 	private_public_key_t *this, encryption_scheme_t scheme,
- 	void *params, chunk_t crypto, chunk_t *plain)
- {
-@@ -368,7 +368,7 @@ static private_public_key_t *create_empty(key_type_t type)
- 		.public = {
- 			.get_type = _get_type,
- 			.verify = _verify,
--			.encrypt = _encrypt,
-+			.encrypt = _encrypt_,
- 			.get_keysize = _get_keysize,
- 			.equals = public_key_equals,
- 			.get_fingerprint = _get_fingerprint,
-diff --git a/src/libstrongswan/plugins/wolfssl/wolfssl_rsa_public_key.c b/src/libstrongswan/plugins/wolfssl/wolfssl_rsa_public_key.c
-index 72df115fe90..da8899c2d8c 100644
---- a/src/libstrongswan/plugins/wolfssl/wolfssl_rsa_public_key.c
-+++ b/src/libstrongswan/plugins/wolfssl/wolfssl_rsa_public_key.c
-@@ -216,7 +216,7 @@ METHOD(public_key_t, verify, bool,
- 	}
- }
- 
--METHOD(public_key_t, encrypt, bool,
-+METHOD(public_key_t, encrypt_, bool,
- 	private_wolfssl_rsa_public_key_t *this, encryption_scheme_t scheme,
- 	void *params, chunk_t plain, chunk_t *crypto)
- {
-@@ -440,7 +440,7 @@ static private_wolfssl_rsa_public_key_t *create_empty()
- 			.key = {
- 				.get_type = _get_type,
- 				.verify = _verify,
--				.encrypt = _encrypt,
-+				.encrypt = _encrypt_,
- 				.equals = public_key_equals,
- 				.get_keysize = _get_keysize,
- 				.get_fingerprint = _get_fingerprint,
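Review bot: the removal of 0001-src-libstrongswan-plugins-wolfssl-rename-encrypt.patch is justified only by "Drop patch (already in version)", which does not say which release carries upstream commit 5900426a710eaa65a27784687775e331bcb0489b (the strongswan/strongswan#1201 fix); since the bump skips from 5.9.5 across three linked tags (5.9.6, 5.9.7, 5.9.8), please name the tag that contains it so the drop can be checked against the upstream changelog rather than by rebuilding with wolfSSL --enable-opensslextra.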
diff --git a/package/strongswan/strongswan.hash b/package/strongswan/strongswan.hash
index aca7ddf5cd..4822f9152f 100644
--- a/package/strongswan/strongswan.hash
+++ b/package/strongswan/strongswan.hash
@@ -1,7 +1,7 @@
-# From http://download.strongswan.org/strongswan-5.9.5.tar.bz2.md5
-md5  53005324e3cba8592f1fb958b1c2d0e5  strongswan-5.9.5.tar.bz2
+# From http://download.strongswan.org/strongswan-5.9.8.tar.bz2.md5
+md5  f46b0d3e7aed88824650d0721c887443  strongswan-5.9.8.tar.bz2
 # Calculated based on the hash above
-sha256  983e4ef4a4c6c9d69f5fe6707c7fe0b2b9a9291943bbf4e008faab6bf91c0bdd  strongswan-5.9.5.tar.bz2
+sha256  d3303a43c0bd7b75a12b64855e8edcb53696f06190364f26d1533bde1f2e453c  strongswan-5.9.8.tar.bz2
 # Locally calculated
 sha256  8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643  COPYING
 sha256  2292e21797754548dccdef9eef6aee7584e552fbd890fa914e1de8d3577d23f0  LICENSE
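Review bot: the new `+sha256  d3303a43...  strongswan-5.9.8.tar.bz2` line is, as the unchanged `# Calculated based on the hash above` comment says, computed from a tarball whose only upstream check is the md5 fetched from the same http://download.strongswan.org server; anyone able to serve a modified tarball can serve a matching .md5 alongside it, so the recorded sha256 pins whatever was downloaded rather than what upstream released. For a security bump, suggest verifying the 5.9.8 tarball against the project's release signature (if upstream publishes one for this version) before recording the sha256, and saying so in the comment line.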
diff --git a/package/strongswan/strongswan.mk b/package/strongswan/strongswan.mk
index 44c20f8414..cae1433e39 100644
--- a/package/strongswan/strongswan.mk
+++ b/package/strongswan/strongswan.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-STRONGSWAN_VERSION = 5.9.5
+STRONGSWAN_VERSION = 5.9.8
 STRONGSWAN_SOURCE = strongswan-$(STRONGSWAN_VERSION).tar.bz2
 STRONGSWAN_SITE = http://download.strongswan.org
 STRONGSWAN_LICENSE = GPL-2.0+
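Review bot: the hunk changes only `STRONGSWAN_VERSION = 5.9.8`, but the unchanged context line `STRONGSWAN_SITE = http://download.strongswan.org` (and the matching `# From http://...` comment in strongswan.hash) still fetches over plain http; since this is a security bump, consider switching the site URL to https in the same patch so the tarball is not modifiable in transit, with the .hash file remaining the integrity check.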
-- 
2.35.1

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
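The root cause the commit message describes, as an added Python model that is not strongSwan's or Buildroot's code: OCSP responder URIs and CRL distribution points are chosen by whoever issued a certificate, so contacting them before the chain is validated lets any peer that can start an IKE_SA decide where the responder connects. The certificate model, the chain walk (name links only, no signature checks) and the sample PKI are all constructed for this illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed model, no signatures)."""
    subject: str
    issuer: str
    ocsp_uris: tuple = ()   # AIA OCSP responder URIs: chosen by whoever issued the cert
    crl_dps: tuple = ()     # CRL distribution points: likewise issuer-chosen

def build_chain(leaf, pool):
    """Follow issuer links from leaf towards a self-signed cert; returns leaf-first chain."""
    chain, seen = [leaf], {leaf.subject}
    while chain[-1].issuer != chain[-1].subject:
        nxt = next((c for c in pool if c.subject == chain[-1].issuer), None)
        if nxt is None or nxt.subject in seen:
            break  # dangling or looping chain; caller must treat it as untrusted
        chain.append(nxt)
        seen.add(nxt.subject)
    return chain

def revocation_targets_unsafe(leaf, pool):
    """Vulnerable order: collect fetch targets from every presented cert before trust is known."""
    return [u for c in build_chain(leaf, pool) for u in c.ocsp_uris + c.crl_dps]

def revocation_targets_safe(leaf, pool, trust_anchors):
    """Hardened order: only return targets once the chain ends in a configured trust anchor."""
    chain = build_chain(leaf, pool)
    root = chain[-1]
    if root.issuer != root.subject or root.subject not in trust_anchors:
        return []  # peer-chosen URIs are never contacted for an untrusted chain
    # The anchor itself is trusted by configuration, so only the certs below it are checked.
    return [u for c in chain[:-1] for u in c.ocsp_uris + c.crl_dps]

# Constructed sample PKI: one chain under the configured root, one under an unknown root.
ROOT = Cert("Corp Root", "Corp Root")
CA = Cert("Corp CA", "Corp Root", crl_dps=("http://crl.example.test/root.crl",))
GOOD_LEAF = Cert("vpn.example.test", "Corp CA", ocsp_uris=("http://ocsp.example.test",))
EVIL_ROOT = Cert("Unknown Root", "Unknown Root")
PEER_LEAF = Cert("peer", "Unknown Root", ocsp_uris=("http://slow-responder.example.test/ocsp",))
POOL = [ROOT, CA, GOOD_LEAF, EVIL_ROOT, PEER_LEAF]
TRUST = {"Corp Root"}

if __name__ == "__main__":
    print("unsafe:", revocation_targets_unsafe(PEER_LEAF, POOL))
    print("safe:  ", revocation_targets_safe(PEER_LEAF, POOL, TRUST))
```

In the unsafe order every IKE_SA a peer opens yields a fetch to a URI of the peer's choosing, which is the resource-exhaustion path the advisory describes; in the safe order an untrusted chain produces no network activity at all.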


* Re: [Buildroot] [PATCH 1/1] package/strongswan: security bump to version 5.9.8
@ 2022-11-05 20:03 ` Thomas Petazzoni via buildroot
From: Thomas Petazzoni via buildroot @ 2022-11-05 20:03 UTC (permalink / raw)
  To: Fabrice Fontaine; +Cc: Jérôme Pouiller, buildroot

On Fri,  4 Nov 2022 17:18:51 +0100
Fabrice Fontaine <fontaine.fabrice@gmail.com> wrote:

> Fixed a vulnerability related to online certificate revocation checking
> that was caused because the revocation plugin used potentially untrusted
> OCSP URIs and CRL distribution points in certificates. This allowed a
> remote attacker to initiate IKE_SAs and send crafted certificates that
> contain URIs pointing to servers under their control, which could have
> led to a denial-of-service attack. This vulnerability has been
> registered as CVE-2022-40617.
> 
> Drop patch (already in version)
> 
> https://www.strongswan.org/blog/2022/10/03/strongswan-vulnerability-(cve-2022-40617).html
> https://github.com/strongswan/strongswan/releases/tag/5.9.6
> https://github.com/strongswan/strongswan/releases/tag/5.9.7
> https://github.com/strongswan/strongswan/releases/tag/5.9.8
> 
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> ---
>  ...gswan-plugins-wolfssl-rename-encrypt.patch | 150 ------------------
>  package/strongswan/strongswan.hash            |   6 +-
>  package/strongswan/strongswan.mk              |   2 +-
>  3 files changed, 4 insertions(+), 154 deletions(-)
>  delete mode 100644 package/strongswan/0001-src-libstrongswan-plugins-wolfssl-rename-encrypt.patch

Applied to master, thanks.

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com


* Re: [Buildroot] [PATCH 1/1] package/strongswan: security bump to version 5.9.8
@ 2022-11-14 15:40 ` Peter Korsgaard
From: Peter Korsgaard @ 2022-11-14 15:40 UTC (permalink / raw)
  To: Fabrice Fontaine; +Cc: Jérôme Pouiller, buildroot

>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

 > Fixed a vulnerability related to online certificate revocation checking
 > that was caused because the revocation plugin used potentially untrusted
 > OCSP URIs and CRL distribution points in certificates. This allowed a
 > remote attacker to initiate IKE_SAs and send crafted certificates that
 > contain URIs pointing to servers under their control, which could have
 > led to a denial-of-service attack. This vulnerability has been
 > registered as CVE-2022-40617.

 > Drop patch (already in version)

 > https://www.strongswan.org/blog/2022/10/03/strongswan-vulnerability-(cve-2022-40617).html
 > https://github.com/strongswan/strongswan/releases/tag/5.9.6
 > https://github.com/strongswan/strongswan/releases/tag/5.9.7
 > https://github.com/strongswan/strongswan/releases/tag/5.9.8

 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Committed to 2022.08.x and 2022.02.x, thanks.

-- 
Bye, Peter Korsgaard
