(mirror of https://github.com/vyos/vyos-strongswan.git) https://git.amelek.net/vyos/vyos-strongswan.git/atom?h=1.3.4 2021-11-24T15:17:39+00:00 2021-11-24T15:17:39+00:00 Tobias Brunner tobias@strongswan.org 2021-09-28T17:38:22+00:00 urn:sha1:7d5961bab37fe964170fc020b24e6e71bf25cc19 random() allocates values in the range [0, RAND_MAX], with RAND_MAX usually equaling INT_MAX = 2^31-1. Previously, values between 0 and 31 were added directly to that offset before applying`% CACHE_SIZE` to get an index into the cache array. If the random value was very high, this resulted in an integer overflow and a negative index value and, therefore, an out-of-bounds access of the array and in turn dereferencing invalid pointers when trying to acquire the read lock. This most likely results in a segmentation fault. Fixes: 764e8b2211ce ("reimplemented certificate cache") Fixes: CVE-2021-41991 Signed-off-by: Daniil Baturin <daniil@vyos.io> 2021-11-24T12:08:50+00:00 Daniil Baturin daniil@vyos.io 2021-11-24T12:08:09+00:00 urn:sha1:b22f839a05d88cb35dfa8dfc9fa814e6e8dfe67c 2021-11-24T01:06:33+00:00 Tobias Brunner tobias@strongswan.org 2021-09-28T15:52:08+00:00 urn:sha1:5de6fd137e48151e58954f6c0b8866d258fff14b The `salt_len` member in the struct is of type `ssize_t` because we use negative values for special automatic salt lengths when generating signatures. Not checking this could lead to an integer overflow. The value is assigned to the `len` field of a chunk (`size_t`), which is further used in calculations to check the padding structure and (if that is passed by a matching crafted signature value) eventually a memcpy() that will result in a segmentation fault. Fixes: a22316520b91 ("signature-params: Add functions to parse/build ASN.1 RSASSA-PSS params") Fixes: 7d6b81648b2d ("gmp: Add support for RSASSA-PSS signature verification") Fixes: CVE-2021-41990 Signed-off-by: Daniil Baturin <daniil@baturin.org> 2021-04-04T15:36:58+00:00 Christian Poessinger christian@poessinger.com 2021-04-04T15:36:58+00:00 urn:sha1:e10cfecc81ec1fe0c2be4ad958467de77b3f7bb7 2020-06-24T16:24:59+00:00 Christian Poessinger christian@poessinger.com 2020-06-24T16:24:59+00:00 urn:sha1:f55c1c12f8b45f6555ae93daf1cc2d133bf6fb01 2020-06-11T23:00:19+00:00 Christian Poessinger christian@poessinger.com 2020-06-11T22:59:57+00:00 urn:sha1:1014d39807a14d266d35db5a94eae2d26e6ea336 Patches are not active. To activate bth patches add their corresponding file name to debian/patches/series. From FRR docs: nhrpd needs tight integration with IKE daemon for various reasons. Currently only strongSwan is supported as IKE daemon. nhrpd connects to strongSwan using VICI protocol based on UNIX socket (hardcoded now as /var/run/charon.vici). strongSwan currently needs few patches applied. Please check out bot git - https://git.alpinelinux.org/user/tteras/strongswan/log/?h=tteras-release - https://git.alpinelinux.org/user/tteras/strongswan/log/?h=tteras repositories for the patches. 2020-03-21T17:27:30+00:00 Christian Poessinger christian@poessinger.com 2020-03-21T17:27:30+00:00 urn:sha1:fd286871448acc36f8d727c07405ba8ff91d1d2b 2019-12-27T15:02:27+00:00 Christian Poessinger christian@poessinger.com 2019-12-27T15:02:27+00:00 urn:sha1:b73af93684e4ac46fd8c2051345eb015e55f6daf 2019-12-18T15:29:19+00:00 Christian Poessinger christian@poessinger.com 2019-12-18T11:37:05+00:00 urn:sha1:60c32fc3ea95d37205ac0e73b1ba1396ccf298c3 2019-10-09T20:35:03+00:00 Christian Poessinger christian@poessinger.com 2019-10-09T20:35:03+00:00 urn:sha1:83a8545596f8e6fe627f829047d5156f4f534c9b