* [Buildroot] [PATCH 1/1] package/strongswan: security bump to version 5.9.8
@ 2022-11-04 16:18 Fabrice Fontaine
2022-11-05 20:03 ` Thomas Petazzoni via buildroot
2022-11-14 15:40 ` Peter Korsgaard
0 siblings, 2 replies; 3+ messages in thread
From: Fabrice Fontaine @ 2022-11-04 16:18 UTC (permalink / raw)
To: buildroot; +Cc: Fabrice Fontaine, Jérôme Pouiller
Fixed a vulnerability related to online certificate revocation checking
that was caused because the revocation plugin used potentially untrusted
OCSP URIs and CRL distribution points in certificates. This allowed a
remote attacker to initiate IKE_SAs and send crafted certificates that
contain URIs pointing to servers under their control, which could have
led to a denial-of-service attack. This vulnerability has been
registered as CVE-2022-40617.
Drop patch (already in version)
https://www.strongswan.org/blog/2022/10/03/strongswan-vulnerability-(cve-2022-40617).html
https://github.com/strongswan/strongswan/releases/tag/5.9.6
https://github.com/strongswan/strongswan/releases/tag/5.9.7
https://github.com/strongswan/strongswan/releases/tag/5.9.8
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
...gswan-plugins-wolfssl-rename-encrypt.patch | 150 ------------------
package/strongswan/strongswan.hash | 6 +-
package/strongswan/strongswan.mk | 2 +-
3 files changed, 4 insertions(+), 154 deletions(-)
delete mode 100644 package/strongswan/0001-src-libstrongswan-plugins-wolfssl-rename-encrypt.patch
diff --git a/package/strongswan/0001-src-libstrongswan-plugins-wolfssl-rename-encrypt.patch b/package/strongswan/0001-src-libstrongswan-plugins-wolfssl-rename-encrypt.patch
deleted file mode 100644
index 7b47b3278b..0000000000
--- a/package/strongswan/0001-src-libstrongswan-plugins-wolfssl-rename-encrypt.patch
+++ /dev/null
@@ -1,150 +0,0 @@
-From 5900426a710eaa65a27784687775e331bcb0489b Mon Sep 17 00:00:00 2001
-From: Fabrice Fontaine <fontaine.fabrice@gmail.com>
-Date: Mon, 8 Aug 2022 09:52:19 +0200
-Subject: [PATCH] wolfssl: Rename `encrypt` methods to avoid conflicts with
- system headers
-
-Rename `encrypt` methods to avoid the following build failure when wolfSSL
-is built with --enable-opensslextra:
-
-In file included from ../../../../src/libstrongswan/utils/utils.h:59,
- from ../../../../src/libstrongswan/library.h:101,
- from wolfssl_common.h:29,
- from wolfssl_aead.c:23:
-wolfssl_aead.c:90:16: error: conflicting types for 'encrypt'; have '_Bool(union <anonymous>, chunk_t, chunk_t, chunk_t, chunk_t *)'
- 90 | METHOD(aead_t, encrypt, bool,
- | ^~~~~~~
-../../../../src/libstrongswan/utils/utils/object.h:99:20: note: in definition of macro 'METHOD'
- 99 | static ret name(union {iface *_public; this;} \
- | ^~~~
-In file included from /home/autobuild/autobuild/instance-5/output-1/host/powerpc64le-buildroot-linux-musl/sysroot/usr/include/wolfssl/wolfcrypt/wc_port.h:573,
- from /home/autobuild/autobuild/instance-5/output-1/host/powerpc64le-buildroot-linux-musl/sysroot/usr/include/wolfssl/wolfcrypt/types.h:35,
- from /home/autobuild/autobuild/instance-5/output-1/host/powerpc64le-buildroot-linux-musl/sysroot/usr/include/wolfssl/wolfcrypt/logging.h:33,
- from /home/autobuild/autobuild/instance-5/output-1/host/powerpc64le-buildroot-linux-musl/sysroot/usr/include/wolfssl/ssl.h:35,
- from wolfssl_common.h:64,
- from wolfssl_aead.c:23:
-/home/autobuild/autobuild/instance-5/output-1/host/powerpc64le-buildroot-linux-musl/sysroot/usr/include/unistd.h:149:6: note: previous declaration of 'encrypt' with type 'void(char *, int)'
- 149 | void encrypt(char *, int);
- | ^~~~~~~
-
-Closes strongswan/strongswan#1201
-[Retrieved from:
-https://github.com/strongswan/strongswan/commit/5900426a710eaa65a27784687775e331bcb0489b]
----
- src/libstrongswan/plugins/wolfssl/wolfssl_aead.c | 4 ++--
- src/libstrongswan/plugins/wolfssl/wolfssl_crypter.c | 4 ++--
- src/libstrongswan/plugins/wolfssl/wolfssl_ec_public_key.c | 4 ++--
- src/libstrongswan/plugins/wolfssl/wolfssl_ed_public_key.c | 4 ++--
- src/libstrongswan/plugins/wolfssl/wolfssl_rsa_public_key.c | 4 ++--
- 5 files changed, 10 insertions(+), 10 deletions(-)
-
-diff --git a/src/libstrongswan/plugins/wolfssl/wolfssl_aead.c b/src/libstrongswan/plugins/wolfssl/wolfssl_aead.c
-index 2ea7c94cd65..44f054916cf 100644
---- a/src/libstrongswan/plugins/wolfssl/wolfssl_aead.c
-+++ b/src/libstrongswan/plugins/wolfssl/wolfssl_aead.c
-@@ -87,7 +87,7 @@ struct private_aead_t {
- encryption_algorithm_t alg;
- };
-
--METHOD(aead_t, encrypt, bool,
-+METHOD(aead_t, encrypt_, bool,
- private_aead_t *this, chunk_t plain, chunk_t assoc, chunk_t iv,
- chunk_t *encrypted)
- {
-@@ -323,7 +323,7 @@ aead_t *wolfssl_aead_create(encryption_algorithm_t algo,
-
- INIT(this,
- .public = {
-- .encrypt = _encrypt,
-+ .encrypt = _encrypt_,
- .decrypt = _decrypt,
- .get_block_size = _get_block_size,
- .get_icv_size = _get_icv_size,
-diff --git a/src/libstrongswan/plugins/wolfssl/wolfssl_crypter.c b/src/libstrongswan/plugins/wolfssl/wolfssl_crypter.c
-index cffe7ba2375..085a912404c 100644
---- a/src/libstrongswan/plugins/wolfssl/wolfssl_crypter.c
-+++ b/src/libstrongswan/plugins/wolfssl/wolfssl_crypter.c
-@@ -230,7 +230,7 @@ METHOD(crypter_t, decrypt, bool,
- return success;
- }
-
--METHOD(crypter_t, encrypt, bool,
-+METHOD(crypter_t, encrypt_, bool,
- private_wolfssl_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *dst)
- {
- u_char *out;
-@@ -578,7 +578,7 @@ wolfssl_crypter_t *wolfssl_crypter_create(encryption_algorithm_t algo,
- INIT(this,
- .public = {
- .crypter = {
-- .encrypt = _encrypt,
-+ .encrypt = _encrypt_,
- .decrypt = _decrypt,
- .get_block_size = _get_block_size,
- .get_iv_size = _get_iv_size,
-diff --git a/src/libstrongswan/plugins/wolfssl/wolfssl_ec_public_key.c b/src/libstrongswan/plugins/wolfssl/wolfssl_ec_public_key.c
-index d8a1ededb06..110543762f2 100644
---- a/src/libstrongswan/plugins/wolfssl/wolfssl_ec_public_key.c
-+++ b/src/libstrongswan/plugins/wolfssl/wolfssl_ec_public_key.c
-@@ -193,7 +193,7 @@ METHOD(public_key_t, verify, bool,
- }
- }
-
--METHOD(public_key_t, encrypt, bool,
-+METHOD(public_key_t, encrypt_, bool,
- private_wolfssl_ec_public_key_t *this, encryption_scheme_t scheme,
- void *params, chunk_t crypto, chunk_t *plain)
- {
-@@ -324,7 +324,7 @@ static private_wolfssl_ec_public_key_t *create_empty()
- .key = {
- .get_type = _get_type,
- .verify = _verify,
-- .encrypt = _encrypt,
-+ .encrypt = _encrypt_,
- .get_keysize = _get_keysize,
- .equals = public_key_equals,
- .get_fingerprint = _get_fingerprint,
-diff --git a/src/libstrongswan/plugins/wolfssl/wolfssl_ed_public_key.c b/src/libstrongswan/plugins/wolfssl/wolfssl_ed_public_key.c
-index f423d8d5691..ea0fb3dfc77 100644
---- a/src/libstrongswan/plugins/wolfssl/wolfssl_ed_public_key.c
-+++ b/src/libstrongswan/plugins/wolfssl/wolfssl_ed_public_key.c
-@@ -111,7 +111,7 @@ METHOD(public_key_t, verify, bool,
- return ret == 0 && res == 1;
- }
-
--METHOD(public_key_t, encrypt, bool,
-+METHOD(public_key_t, encrypt_, bool,
- private_public_key_t *this, encryption_scheme_t scheme,
- void *params, chunk_t crypto, chunk_t *plain)
- {
-@@ -368,7 +368,7 @@ static private_public_key_t *create_empty(key_type_t type)
- .public = {
- .get_type = _get_type,
- .verify = _verify,
-- .encrypt = _encrypt,
-+ .encrypt = _encrypt_,
- .get_keysize = _get_keysize,
- .equals = public_key_equals,
- .get_fingerprint = _get_fingerprint,
-diff --git a/src/libstrongswan/plugins/wolfssl/wolfssl_rsa_public_key.c b/src/libstrongswan/plugins/wolfssl/wolfssl_rsa_public_key.c
-index 72df115fe90..da8899c2d8c 100644
---- a/src/libstrongswan/plugins/wolfssl/wolfssl_rsa_public_key.c
-+++ b/src/libstrongswan/plugins/wolfssl/wolfssl_rsa_public_key.c
-@@ -216,7 +216,7 @@ METHOD(public_key_t, verify, bool,
- }
- }
-
--METHOD(public_key_t, encrypt, bool,
-+METHOD(public_key_t, encrypt_, bool,
- private_wolfssl_rsa_public_key_t *this, encryption_scheme_t scheme,
- void *params, chunk_t plain, chunk_t *crypto)
- {
-@@ -440,7 +440,7 @@ static private_wolfssl_rsa_public_key_t *create_empty()
- .key = {
- .get_type = _get_type,
- .verify = _verify,
-- .encrypt = _encrypt,
-+ .encrypt = _encrypt_,
- .equals = public_key_equals,
- .get_keysize = _get_keysize,
- .get_fingerprint = _get_fingerprint,
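Review bot: the commit message's "Drop patch (already in version)" does not say which upstream release carries the wolfSSL `encrypt` rename, so the deletion of 0001-src-libstrongswan-plugins-wolfssl-rename-encrypt.patch cannot be checked from this mail alone. The dropped patch's own header records upstream commit 5900426a710eaa65a27784687775e331bcb0489b; naming the first release that contains it (one of the three linked releases, 5.9.6, 5.9.7 or 5.9.8) in the commit message would make the drop verifiable. A test build against wolfSSL configured with --enable-opensslextra would confirm that the `conflicting types for 'encrypt'` failure quoted in the patch stays fixed.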
diff --git a/package/strongswan/strongswan.hash b/package/strongswan/strongswan.hash
index aca7ddf5cd..4822f9152f 100644
--- a/package/strongswan/strongswan.hash
+++ b/package/strongswan/strongswan.hash
@@ -1,7 +1,7 @@
-# From http://download.strongswan.org/strongswan-5.9.5.tar.bz2.md5
-md5 53005324e3cba8592f1fb958b1c2d0e5 strongswan-5.9.5.tar.bz2
+# From http://download.strongswan.org/strongswan-5.9.8.tar.bz2.md5
+md5 f46b0d3e7aed88824650d0721c887443 strongswan-5.9.8.tar.bz2
# Calculated based on the hash above
-sha256 983e4ef4a4c6c9d69f5fe6707c7fe0b2b9a9291943bbf4e008faab6bf91c0bdd strongswan-5.9.5.tar.bz2
+sha256 d3303a43c0bd7b75a12b64855e8edcb53696f06190364f26d1533bde1f2e453c strongswan-5.9.8.tar.bz2
# Locally calculated
sha256 8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643 COPYING
sha256 2292e21797754548dccdef9eef6aee7584e552fbd890fa914e1de8d3577d23f0 LICENSE
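Review bot: the new sha256 for strongswan-5.9.8.tar.bz2 is still anchored only to an MD5 fetched over plain HTTP (`# From http://download.strongswan.org/strongswan-5.9.8.tar.bz2.md5`, then `# Calculated based on the hash above`), so the stronger hash inherits the trust of the weaker one and of an unauthenticated transport. For a security bump, consider verifying the tarball against an upstream signature or an HTTPS-served checksum, if upstream provides one, and recording that source in the comment in place of the .md5 URL.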
diff --git a/package/strongswan/strongswan.mk b/package/strongswan/strongswan.mk
index 44c20f8414..cae1433e39 100644
--- a/package/strongswan/strongswan.mk
+++ b/package/strongswan/strongswan.mk
@@ -4,7 +4,7 @@
#
################################################################################
-STRONGSWAN_VERSION = 5.9.5
+STRONGSWAN_VERSION = 5.9.8
STRONGSWAN_SOURCE = strongswan-$(STRONGSWAN_VERSION).tar.bz2
STRONGSWAN_SITE = http://download.strongswan.org
STRONGSWAN_LICENSE = GPL-2.0+
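Review bot: the unchanged context line `STRONGSWAN_SITE = http://download.strongswan.org` keeps the tarball download on plain HTTP, which leaves the strongswan.hash check as the only integrity control on the source of a security fix. If the upstream host serves the same path over HTTPS, switching the scheme in this bump would be a small hardening that costs one line.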
--
2.35.1
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
* Re: [Buildroot] [PATCH 1/1] package/strongswan: security bump to version 5.9.8
From: Thomas Petazzoni via buildroot @ 2022-11-05 20:03 UTC (permalink / raw)
To: Fabrice Fontaine; +Cc: Jérôme Pouiller, buildroot
On Fri, 4 Nov 2022 17:18:51 +0100
Fabrice Fontaine <fontaine.fabrice@gmail.com> wrote:
> Fixed a vulnerability related to online certificate revocation checking
> that was caused because the revocation plugin used potentially untrusted
> OCSP URIs and CRL distribution points in certificates. This allowed a
> remote attacker to initiate IKE_SAs and send crafted certificates that
> contain URIs pointing to servers under their control, which could have
> led to a denial-of-service attack. This vulnerability has been
> registered as CVE-2022-40617.
>
> Drop patch (already in version)
>
> https://www.strongswan.org/blog/2022/10/03/strongswan-vulnerability-(cve-2022-40617).html
> https://github.com/strongswan/strongswan/releases/tag/5.9.6
> https://github.com/strongswan/strongswan/releases/tag/5.9.7
> https://github.com/strongswan/strongswan/releases/tag/5.9.8
>
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> ---
> ...gswan-plugins-wolfssl-rename-encrypt.patch | 150 ------------------
> package/strongswan/strongswan.hash | 6 +-
> package/strongswan/strongswan.mk | 2 +-
> 3 files changed, 4 insertions(+), 154 deletions(-)
> delete mode 100644 package/strongswan/0001-src-libstrongswan-plugins-wolfssl-rename-encrypt.patch
Applied to master, thanks.
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
* Re: [Buildroot] [PATCH 1/1] package/strongswan: security bump to version 5.9.8
From: Peter Korsgaard @ 2022-11-14 15:40 UTC (permalink / raw)
To: Fabrice Fontaine; +Cc: Jérôme Pouiller, buildroot
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:
> Fixed a vulnerability related to online certificate revocation checking
> that was caused because the revocation plugin used potentially untrusted
> OCSP URIs and CRL distribution points in certificates. This allowed a
> remote attacker to initiate IKE_SAs and send crafted certificates that
> contain URIs pointing to servers under their control, which could have
> led to a denial-of-service attack. This vulnerability has been
> registered as CVE-2022-40617.
> Drop patch (already in version)
> https://www.strongswan.org/blog/2022/10/03/strongswan-vulnerability-(cve-2022-40617).html
> https://github.com/strongswan/strongswan/releases/tag/5.9.6
> https://github.com/strongswan/strongswan/releases/tag/5.9.7
> https://github.com/strongswan/strongswan/releases/tag/5.9.8
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Committed to 2022.08.x and 2022.02.x, thanks.
--
Bye, Peter Korsgaard