authorYves-Alexis Perez <corsac@debian.org>2013-04-26 11:47:16 +0200
committerYves-Alexis Perez <corsac@debian.org>2013-04-26 11:47:16 +0200
commitf869be90352c43cc0db49fb712d729454eb5c6b0 (patch)
tree1b19d93a17b477def3c9b1b4aeab957767a6a94d /debian
parent4e331141b8693e5214b82fdd6c3c6f4fa65eafca (diff)
Fix for CVE-2013-2944
* debian/patches: - 0001-Check-return-value-of-ECDSA_Verify-correctly added. Fix ECDSA signature verification when using openssl plugin (CVE-2013-2944).
Diffstat (limited to 'debian')
-rw-r--r--debian/changelog8
-rw-r--r--debian/patches/0001-Check-return-value-of-ECDSA_Verify-correctly.patch26
-rw-r--r--debian/patches/series1
3 files changed, 35 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index d5fe43d03..c68645dc7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+strongswan (4.6.4-7) UNRELEASED; urgency=high
+
+ * debian/patches:
+ - 0001-Check-return-value-of-ECDSA_Verify-correctly added. Fix ECDSA
+ signature verification when using openssl plugin (CVE-2013-2944).
+
+ -- Yves-Alexis Perez <corsac@debian.org> Fri, 26 Apr 2013 11:35:38 +0200
+
strongswan (4.6.4-6) unstable; urgency=low
* debian/rules:
diff --git a/debian/patches/0001-Check-return-value-of-ECDSA_Verify-correctly.patch b/debian/patches/0001-Check-return-value-of-ECDSA_Verify-correctly.patch
new file mode 100644
index 000000000..abd1f1921
--- /dev/null
+++ b/debian/patches/0001-Check-return-value-of-ECDSA_Verify-correctly.patch
@@ -0,0 +1,26 @@
+From 0faaab20cd9c4a519fb6269ab6c8be15d0b61864 Mon Sep 17 00:00:00 2001
+From: Martin Willi <martin@revosec.ch>
+Date: Tue, 9 Apr 2013 10:56:09 +0200
+Subject: Check return value of ECDSA_Verify() correctly
+
+---
+ src/libstrongswan/plugins/openssl/openssl_ec_public_key.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c
+index c8a45f7..38cc8be 100644
+--- a/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c
++++ b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c
+@@ -124,7 +124,7 @@ static bool verify_der_signature(private_openssl_ec_public_key_t *this,
+ if (openssl_hash_chunk(nid_hash, data, &hash))
+ {
+ valid = ECDSA_verify(0, hash.ptr, hash.len,
+- signature.ptr, signature.len, this->ec);
++ signature.ptr, signature.len, this->ec) == 1;
+ free(hash.ptr);
+ }
+ return valid;
+--
+1.7.10.4
+
+
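Review bot: The patch body has an empty description between the Subject line and the `---` separator, so a reader of debian/patches cannot tell from the patch itself why `== 1` is needed; a two-line rationale such as `ECDSA_verify() returns 1 for a valid signature, 0 for an invalid one and -1 on error. Treating any non-zero return as success let the error case (-1) pass as a valid signature.` would make the security relevance self-contained. Since this is a backport, a DEP-3 `Origin: upstream, commit 0faaab20cd9c4a519fb6269ab6c8be15d0b61864` header and a `Bug:` reference for CVE-2013-2944 would let future maintainers match it against upstream. The `== 1` change itself looks correct for the one-line hunk shown; if the openssl plugin has other verify wrappers that follow the same tri-state return convention, they would deserve the same explicit comparison, which cannot be confirmed from this excerpt. The enclosing function verify_der_signature starts before the quoted hunk.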
diff --git a/debian/patches/series b/debian/patches/series
index ff06f2f04..29c60134c 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,4 @@
02_add-LICENSE.patch
03_Pass-lo-as-faked-tundev-to-NM-as-it-now-needs-a-vali.patch
04-Fixed-IPv6-source-address-lookup.patch
+0001-Check-return-value-of-ECDSA_Verify-correctly.patch