* [meta-networking][dunfell][PATCH v2] strongswan: Fix for CVE-2021-41990 and CVE-2021-41991
@ 2022-01-07  7:48 virendra thakur
From: virendra thakur @ 2022-01-07  7:48 UTC (permalink / raw)
  To: openembedded-core, raj.khem; +Cc: akuster808, Virendra Thakur, Virendra Thakur

From: Virendra Thakur <virendrak@kpit.com>

Add patch to fix CVE-2021-41990 and CVE-2021-41991

Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
Signed-off-by: virendra thakur <thakur.virendra1810@gmail.com>
---
 .../strongswan/files/CVE-2021-41990.patch     | 62 +++++++++++++++++++
 .../strongswan/files/CVE-2021-41991.patch     | 41 ++++++++++++
 .../strongswan/strongswan_5.8.4.bb            |  2 +
 3 files changed, 105 insertions(+)
 create mode 100644 meta-networking/recipes-support/strongswan/files/CVE-2021-41990.patch
 create mode 100644 meta-networking/recipes-support/strongswan/files/CVE-2021-41991.patch

diff --git a/meta-networking/recipes-support/strongswan/files/CVE-2021-41990.patch b/meta-networking/recipes-support/strongswan/files/CVE-2021-41990.patch
new file mode 100644
index 000000000..b7118ba1f
--- /dev/null
+++ b/meta-networking/recipes-support/strongswan/files/CVE-2021-41990.patch
@@ -0,0 +1,62 @@
+From 423a5d56274a1d343e0d2107dfc4fbf0df2dcca5 Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Tue, 28 Sep 2021 17:52:08 +0200
+Subject: [PATCH] Reject RSASSA-PSS params with negative salt length
+
+The `salt_len` member in the struct is of type `ssize_t` because we use
+negative values for special automatic salt lengths when generating
+signatures.
+
+Not checking this could lead to an integer overflow.  The value is assigned
+to the `len` field of a chunk (`size_t`), which is further used in
+calculations to check the padding structure and (if that is passed by a
+matching crafted signature value) eventually a memcpy() that will result
+in a segmentation fault.
+
+Fixes: a22316520b91 ("signature-params: Add functions to parse/build ASN.1 RSASSA-PSS params")
+Fixes: 7d6b81648b2d ("gmp: Add support for RSASSA-PSS signature verification")
+Fixes: CVE-2021-41990
+
+Upstream-Status: Backport [https://download.strongswan.org/security/CVE-2021-41990]
+CVE: CVE-2021-41990
+
+Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
+
+---
+ src/libstrongswan/credentials/keys/signature_params.c | 6 +++++-
+ src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c    | 2 +-
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/libstrongswan/credentials/keys/signature_params.c b/src/libstrongswan/credentials/keys/signature_params.c
+index d89bd2c96bb5..837de8443d43 100644
+--- a/src/libstrongswan/credentials/keys/signature_params.c
++++ b/src/libstrongswan/credentials/keys/signature_params.c
+@@ -322,7 +322,11 @@ bool rsa_pss_params_parse(chunk_t asn1, int level0, rsa_pss_params_t *params)
+ 			case RSASSA_PSS_PARAMS_SALT_LEN:
+ 				if (object.len)
+ 				{
+-					params->salt_len = (size_t)asn1_parse_integer_uint64(object);
++					params->salt_len = (ssize_t)asn1_parse_integer_uint64(object);
++					if (params->salt_len < 0)
++					{
++						goto end;
++					}
+ 				}
+ 				break;
+ 			case RSASSA_PSS_PARAMS_TRAILER:
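Review bot: the new `if (params->salt_len < 0) goto end;` in the `RSASSA_PSS_PARAMS_SALT_LEN` case is the right place to reject a negative value, but the cast it follows, `(ssize_t)asn1_parse_integer_uint64(object)`, narrows a uint64 to ssize_t, so on a 32-bit target an encoded value with bits set above 2^31 truncates to a small non-negative number before the sign check runs. A stricter form would range-check the uint64 result (against the largest salt length the verifier can meaningfully use) before casting, which would also reject absurdly large but positive encodings. Please also confirm that the `end` label this jumps to returns FALSE on this path; the hunk does not show it.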
+diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
+index f9bd1d314dec..3a775090883e 100644
+--- a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
++++ b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
+@@ -168,7 +168,7 @@ static bool verify_emsa_pss_signature(private_gmp_rsa_public_key_t *this,
+ 	int i;
+ 	bool success = FALSE;
+ 
+-	if (!params)
++	if (!params || params->salt_len < 0)
+ 	{
+ 		return FALSE;
+ 	}
+-- 
+2.25.1
+
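Review bot: the `params->salt_len < 0` guard added to `verify_emsa_pss_signature()` duplicates the parser check, and that is the correct defence-in-depth choice: the commit message states that negative values are a legitimate "automatic salt length" marker on the signing path, so only the verify entry point can refuse them unconditionally, whatever code path built the params. One style point on the wrapper: `Upstream-Status: Backport` should cite the upstream commit (the hash in the `From` line, 423a5d56274a1d343e0d2107dfc4fbf0df2dcca5) rather than the advisory page, so reviewers can diff the backport against its origin.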
diff --git a/meta-networking/recipes-support/strongswan/files/CVE-2021-41991.patch b/meta-networking/recipes-support/strongswan/files/CVE-2021-41991.patch
new file mode 100644
index 000000000..2d898fa5c
--- /dev/null
+++ b/meta-networking/recipes-support/strongswan/files/CVE-2021-41991.patch
@@ -0,0 +1,41 @@
+From b667237b3a84f601ef5a707ce8eb861c3a5002d3 Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Tue, 28 Sep 2021 19:38:22 +0200
+Subject: [PATCH] cert-cache: Prevent crash due to integer overflow/sign change
+
+random() allocates values in the range [0, RAND_MAX], with RAND_MAX usually
+equaling INT_MAX = 2^31-1.  Previously, values between 0 and 31 were added
+directly to that offset before applying`% CACHE_SIZE` to get an index into
+the cache array.  If the random value was very high, this resulted in an
+integer overflow and a negative index value and, therefore, an out-of-bounds
+access of the array and in turn dereferencing invalid pointers when trying
+to acquire the read lock.  This most likely results in a segmentation fault.
+
+Fixes: 764e8b2211ce ("reimplemented certificate cache")
+Fixes: CVE-2021-41991
+
+Upstream-Status: Backport [https://download.strongswan.org/security/CVE-2021-41991]
+CVE: CVE-2021-41991
+
+Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
+
+---
+ src/libstrongswan/credentials/sets/cert_cache.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libstrongswan/credentials/sets/cert_cache.c b/src/libstrongswan/credentials/sets/cert_cache.c
+index f1579c60a9bc..ceebb3843725 100644
+--- a/src/libstrongswan/credentials/sets/cert_cache.c
++++ b/src/libstrongswan/credentials/sets/cert_cache.c
+@@ -151,7 +151,7 @@ static void cache(private_cert_cache_t *this,
+ 	for (try = 0; try < REPLACE_TRIES; try++)
+ 	{
+ 		/* replace a random relation */
+-		offset = random();
++		offset = random() % CACHE_SIZE;
+ 		for (i = 0; i < CACHE_SIZE; i++)
+ 		{
+ 			rel = &this->relations[(i + offset) % CACHE_SIZE];
+-- 
+2.25.1
+
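Review bot: `offset = random() % CACHE_SIZE;` bounds `offset` to [0, CACHE_SIZE), so `i + offset` in the indexing line below can no longer exceed 2*CACHE_SIZE-2 and the second `% CACHE_SIZE` never sees a negative dividend; that closes the out-of-bounds read the commit message describes. Worth a one-line comment in the code saying why the modulo is applied twice, since a later cleanup could "simplify" the first one away and reintroduce the sign change. On the wrapper, `Upstream-Status: Backport` should reference the upstream commit b667237b3a84f601ef5a707ce8eb861c3a5002d3 rather than the advisory URL.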
diff --git a/meta-networking/recipes-support/strongswan/strongswan_5.8.4.bb b/meta-networking/recipes-support/strongswan/strongswan_5.8.4.bb
index 8a8809243..b45b8074c 100644
--- a/meta-networking/recipes-support/strongswan/strongswan_5.8.4.bb
+++ b/meta-networking/recipes-support/strongswan/strongswan_5.8.4.bb
@@ -11,6 +11,8 @@ SRC_URI = "http://download.strongswan.org/strongswan-${PV}.tar.bz2 \
            file://fix-funtion-parameter.patch \
            file://0001-memory.h-Include-stdint.h-for-uintptr_t.patch \
            file://0001-Remove-obsolete-setting-regarding-the-Standard-Outpu.patch \
+           file://CVE-2021-41990.patch \
+           file://CVE-2021-41991.patch \
            "
 
 SRC_URI[md5sum] = "0634e7f40591bd3f6770e583c3f27d29"
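Review bot: the recipe hunk only appends the two `file://` entries, which is all the recipe needs; because each patch carries a `CVE:` tag, cve-check will record CVE-2021-41990 and CVE-2021-41991 as patched for strongswan 5.8.4 once this is applied. One process point: the recipe lives under meta-networking (meta-openembedded), so the series belongs on openembedded-devel with an `[oe][meta-networking]` prefix rather than on oe-core.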
-- 
2.17.1
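Both commit messages above describe the same class of defect, a signed/unsigned sign change feeding an array index or a length. The following C model is an added example, not strongSWAN code and not part of the patch: `pss_params_t`, the helper names and `CACHE_SIZE = 32` are constructed stand-ins (the value is assumed from the "values between 0 and 31" wording), and `random_value` replaces `random()` so the arithmetic is deterministic. Each unchecked path is placed beside the checked form the patches introduce.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>   /* ssize_t */

/* Constructed stand-ins; strongSWAN's real types and constants differ.
 * CACHE_SIZE = 32 is an assumption taken from the commit message. */
#define CACHE_SIZE 32

typedef struct {
	ssize_t salt_len;   /* negative = "pick automatically" marker on the signing path */
} pss_params_t;

/*
 * Pitfall 1: a parsed ASN.1 INTEGER (uint64) cast to ssize_t and then stored
 * in a size_t length.  Returns the length a later memcpy() would be handed.
 * Converting an out-of-range unsigned value to a signed type is
 * implementation-defined in C; gcc and clang wrap modulo 2^N, which is the
 * behaviour the unfixed parser was exposed to.
 */
size_t chunk_len_from_unchecked_parse(uint64_t encoded)
{
	pss_params_t p;
	p.salt_len = (ssize_t)encoded;          /* 0xFFFF...FF becomes -1 */
	size_t chunk_len = (size_t)p.salt_len;  /* -1 becomes SIZE_MAX */
	return chunk_len;
}

/* Parser-side fix: reject a negative salt length before it can reach size_t. */
bool pss_parse_accepts(uint64_t encoded)
{
	pss_params_t p;
	p.salt_len = (ssize_t)encoded;
	if (p.salt_len < 0) {
		return false;   /* the patch does `goto end` here */
	}
	return true;
}

/* Verifier-side fix: never trust params handed in from elsewhere. */
bool pss_verify_accepts(const pss_params_t *params)
{
	if (!params || params->salt_len < 0) {
		return false;
	}
	return true;
}

bool pss_verify_accepts_len(ssize_t salt_len)
{
	pss_params_t p = { .salt_len = salt_len };
	return pss_verify_accepts(&p);
}

/*
 * Pitfall 2: random() plus a small probe count overflowing int.  The sum is
 * formed in uint32_t and converted back to int32_t to reproduce two's-
 * complement wrap-around without relying on signed-overflow UB in the model.
 */
int cache_index_unchecked(int32_t random_value, int i)
{
	int32_t offset = random_value;                        /* old: offset = random(); */
	int32_t sum = (int32_t)((uint32_t)offset + (uint32_t)i);
	return sum % CACHE_SIZE;   /* C keeps the dividend's sign: may be negative */
}

int cache_index_fixed(int32_t random_value, int i)
{
	int32_t offset = random_value % CACHE_SIZE;           /* new: 0..CACHE_SIZE-1 */
	return (i + offset) % CACHE_SIZE;                     /* always 0..CACHE_SIZE-1 */
}

/* True if every probe index for this random value stays inside the array. */
bool cache_indices_in_range(int32_t random_value)
{
	for (int i = 0; i < CACHE_SIZE; i++) {
		int idx = cache_index_fixed(random_value, i);
		if (idx < 0 || idx >= CACHE_SIZE) {
			return false;
		}
	}
	return true;
}

int main(void)
{
	printf("unchecked salt_len 0xFFFF...FF -> chunk len %zu\n",
	       chunk_len_from_unchecked_parse(UINT64_MAX));
	printf("parser accepts 20: %d, accepts 0xFFFF...FF: %d\n",
	       pss_parse_accepts(20), pss_parse_accepts(UINT64_MAX));
	printf("old index (INT32_MAX, i=5): %d  fixed: %d\n",
	       cache_index_unchecked(INT32_MAX, 5), cache_index_fixed(INT32_MAX, 5));
	return 0;
}
```

With a random value of INT32_MAX and probe count 5 the unchecked index is -28, i.e. 28 elements before the start of the array, while the fixed form yields 4; with an all-ones salt length the unchecked chunk length is SIZE_MAX, which is the value a padding check or memcpy() would have been handed.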




* Re: [OE-core] [meta-networking][dunfell][PATCH v2] strongswan: Fix for CVE-2021-41990 and CVE-2021-41991
@ 2022-01-18  8:56 ` Ranjitsinh Rathod
From: Ranjitsinh Rathod @ 2022-01-18  8:56 UTC (permalink / raw)
  To: openembedded-core, raj.khem, thakur.virendra1810
  Cc: akuster808, Virendra Kumar Thakur, Virendra Kumar Thakur



Hi Virendra,

You need to send this patch to "openembedded-devel@lists.openembedded.org".


Thanks,

Best Regards,

Ranjitsinh Rathod
Technical Leader |  | KPIT Technologies Ltd.
Cellphone: +91-84606 92403


* Re: [OE-core] [meta-networking][dunfell][PATCH v2] strongswan: Fix for CVE-2021-41990 and CVE-2021-41991
@ 2022-01-18 14:51   ` Steve Sakoman
From: Steve Sakoman @ 2022-01-18 14:51 UTC (permalink / raw)
  To: ranjitsinh.rathod
  Cc: openembedded-core, raj.khem, thakur.virendra1810, akuster808,
	Virendra Kumar Thakur



On Mon, Jan 17, 2022 at 10:56 PM Ranjitsinh Rathod via
lists.openembedded.org <ranjitsinh.rathod=kpit.com@lists.openembedded.org>
wrote:

> Hi Virendra,
>
> You need to send this patch to "openembedded-devel@lists.openembedded.org".
>

And also, since this is not a patch to oe-core, the subject should be
[oe][meta-networking]

Thanks for CVE fixes!

Steve



