Fix CVE-2015-8023

* Set urgency=high for security fix.
* debian/patches:
  - CVE-2015-8023_eap_mschapv2_state added, fix authentication bypass when
  using EAP MSCHAPv2.

2 files changed, 36 insertions, 0 deletions

diff --git a/debian/patches/CVE-2015-8023_eap_mschapv2_state.patch b/debian/patches/CVE-2015-8023_eap_mschapv2_state.patch
new file mode 100644
index 000000000..0ee759ce4
--- /dev/null
+++ b/debian/patches/CVE-2015-8023_eap_mschapv2_state.patch
@@ -0,0 +1,35 @@
+From 91762f11e223e33b82182150d7c4cf7c2ec3cefa Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Thu, 29 Oct 2015 11:18:27 +0100
+Subject: [PATCH] eap-mschapv2: Only succeed authentication if MSK was
+ established
+
+An MSK is only established if the client successfully authenticated
+itself and only then must we accept an MSCHAPV2_SUCCESS message.
+
+Fixes CVE-2015-8023
+---
+ src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
+index f7f39f9841d2..931e3c41dde4 100644
+--- a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
++++ b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
+@@ -1145,7 +1145,11 @@ METHOD(eap_method_t, process_server, status_t,
+ 		}
+ 		case MSCHAPV2_SUCCESS:
+ 		{
+-			return SUCCESS;
++			if (this->msk.ptr)
++			{
++				return SUCCESS;
++			}
++			break;
+ 		}
+ 		case MSCHAPV2_FAILURE:
+ 		{
+-- 
+1.9.1
+
+

diff --git a/debian/patches/series b/debian/patches/series
index 791c61c82..aec9df656 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -3,3 +3,4 @@
 04_disable-libtls-tests.patch
 0001-socket-default-Refactor-setting-source-address-when-.patch
 0001-socket-dynamic-Refactor-setting-source-address-when-.patch
+CVE-2015-8023_eap_mschapv2_state.patch