Diffstat (limited to 'debian/patches')
-rw-r--r--debian/patches/01_fix-manpages.patch41
-rw-r--r--debian/patches/02_unit-tests-Fix-filtered-enumerator-tests-on-64-bit-b.patch77
-rw-r--r--debian/patches/03_unit-tests-Fix-chunk-clear-armel.patch19
-rw-r--r--debian/patches/04_cve-2014-2338.patch36
-rw-r--r--debian/patches/series4
5 files changed, 177 insertions, 0 deletions
diff --git a/debian/patches/01_fix-manpages.patch b/debian/patches/01_fix-manpages.patch
new file mode 100644
index 000000000..656882939
--- /dev/null
+++ b/debian/patches/01_fix-manpages.patch
@@ -0,0 +1,41 @@
+--- a/src/_updown/_updown.8
++++ b/src/_updown/_updown.8
+@@ -1,6 +1,6 @@
+ .TH _UPDOWN 8 "27 Apr 2006"
+ .SH NAME
+-ipsec _updown \- route and firewall manipulation script
++ipsec_updown \- route and firewall manipulation script
+ .SH SYNOPSIS
+ .I _updown
+ is invoked by pluto when it has brought up a new connection. This script
+--- a/src/_updown_espmark/_updown_espmark.8
++++ b/src/_updown_espmark/_updown_espmark.8
+@@ -1,6 +1,6 @@
+ .TH _UPDOWN_ESPMARK 8 "7 Apr 2005"
+ .SH NAME
+-ipsec _updown_espmark \- manages routes and firewall rules
++ipsec_updown_espmark \- manages routes and firewall rules
+ .SH SYNOPSIS
+ .I _updown_espmark
+ is invoked by pluto when it has brought up a new connection. This script
+--- a/src/openac/openac.8
++++ b/src/openac/openac.8
+@@ -1,6 +1,6 @@
+ .TH IPSEC_OPENAC 8 "22 September 2007"
+ .SH NAME
+-ipsec openac \- Generation of X.509 attribute certificates
++ipsec_openac \- Generation of X.509 attribute certificates
+ .SH SYNOPSIS
+ .B ipsec
+ .B openac
+--- a/src/scepclient/scepclient.8
++++ b/src/scepclient/scepclient.8
+@@ -1,7 +1,7 @@
+ .\"
+ .TH "IPSEC_SCEPCLIENT" "8" "2012-05-11" "strongSwan" ""
+ .SH "NAME"
+-ipsec scepclient \- Client for the SCEP protocol
++ipsec_scepclient \- Client for the SCEP protocol
+ .SH "SYNOPSIS"
+ .B ipsec scepclient [argument ...]
+ .sp
diff --git a/debian/patches/02_unit-tests-Fix-filtered-enumerator-tests-on-64-bit-b.patch b/debian/patches/02_unit-tests-Fix-filtered-enumerator-tests-on-64-bit-b.patch
new file mode 100644
index 000000000..beeb9e655
--- /dev/null
+++ b/debian/patches/02_unit-tests-Fix-filtered-enumerator-tests-on-64-bit-b.patch
@@ -0,0 +1,77 @@
+From 0462304dbb5a9eba56a782d5da1f9ab71571ee40 Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Thu, 27 Mar 2014 15:35:32 +0100
+Subject: [PATCH] unit-tests: Fix filtered enumerator tests on 64-bit
+ big-endian platforms
+
+In case of sizeof(void*) == 8 and sizeof(int) == 4 on big-endian hosts
+the tests failed as the actual integer value got cut off.
+---
+ src/libstrongswan/tests/suites/test_enumerator.c | 24 ++++++++++++------------
+ 1 file changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/src/libstrongswan/tests/suites/test_enumerator.c b/src/libstrongswan/tests/suites/test_enumerator.c
+index b5dde46..9bd6d24 100644
+--- a/src/libstrongswan/tests/suites/test_enumerator.c
++++ b/src/libstrongswan/tests/suites/test_enumerator.c
+@@ -104,10 +104,10 @@ static void destroy_data(void *data)
+ * filtered test
+ */
+
+-static bool filter(void *data, int *v, int *vo, int *w, int *wo,
+- int *x, int *xo, int *y, int *yo, int *z, int *zo)
++static bool filter(int *data, int **v, int *vo, int **w, int *wo,
++ int **x, int *xo, int **y, int *yo, int **z, int *zo)
+ {
+- int val = *v;
++ int val = **v;
+
+ *vo = val++;
+ *wo = val++;
+@@ -118,21 +118,21 @@ static bool filter(void *data, int *v, int *vo, int *w, int *wo,
+ return TRUE;
+ }
+
+-static bool filter_odd(void *data, int *item, int *out)
++static bool filter_odd(void *data, int **item, int *out)
+ {
+ fail_if(data != (void*)101, "data does not match '101' in filter function");
+- *out = *item;
+- return *item % 2 == 0;
++ *out = **item;
++ return **item % 2 == 0;
+ }
+
+ START_TEST(test_filtered)
+ {
+- int round, v, w, x, y, z;
++ int data[5] = {1,2,3,4,5}, round, v, w, x, y, z;
+ linked_list_t *list;
+ enumerator_t *enumerator;
+
+- list = linked_list_create_with_items((void*)1, (void*)2, (void*)3, (void*)4,
+- (void*)5, NULL);
++ list = linked_list_create_with_items(&data[0], &data[1], &data[2], &data[3],
++ &data[4], NULL);
+
+ round = 1;
+ enumerator = enumerator_create_filter(list->create_enumerator(list),
+@@ -155,12 +155,12 @@ END_TEST
+
+ START_TEST(test_filtered_filter)
+ {
+- int count, x;
++ int data[5] = {1,2,3,4,5}, count, x;
+ linked_list_t *list;
+ enumerator_t *enumerator;
+
+- list = linked_list_create_with_items((void*)1, (void*)2, (void*)3, (void*)4,
+- (void*)5, NULL);
++ list = linked_list_create_with_items(&data[0], &data[1], &data[2], &data[3],
++ &data[4], NULL);
+
+ count = 0;
+ /* should also work without destructor, so set this manually */
+--
+1.9.1
+
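Review bot: None of the five new patch files carries DEP-3 headers, so a packager cannot tell from the file whether 02 is an upstream cherry-pick or a Debian-local change without reading the git preamble; the same applies to 01 (no header at all), 03 (no header at all) and 04. For 02 and 04 the git `From:`/`Subject:` lines already supply Author and Description, so one line each at the top of the patch would complete it: `Origin: upstream, commit:0462304dbb5a9eba56a782d5da1f9ab71571ee40` for 02 and `Origin: upstream, commit:b980ba7757dcfedd756aa055b3271ea58cf85aa6` for 04, the latter ideally with `Bug: CVE-2014-2338`. Patches 01 and 03 need at least a `Description:` and an `Origin:`/`Forwarded:` line stating where they come from and whether they were sent upstream.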
diff --git a/debian/patches/03_unit-tests-Fix-chunk-clear-armel.patch b/debian/patches/03_unit-tests-Fix-chunk-clear-armel.patch
new file mode 100644
index 000000000..eb92fac71
--- /dev/null
+++ b/debian/patches/03_unit-tests-Fix-chunk-clear-armel.patch
@@ -0,0 +1,19 @@
+--- a/src/libstrongswan/tests/suites/test_chunk.c
++++ b/src/libstrongswan/tests/suites/test_chunk.c
+@@ -117,10 +117,13 @@ START_TEST(test_chunk_clear)
+ }
+ chunk_clear(&chunk);
+ /* check memory area of freed chunk. We can't use ck_assert() for this
+- * test directly, as it might allocate data at the freed area. */
+- for (i = 0; i < 64; i++)
++ * test directly, as it might allocate data at the freed area. comparing
++ * two bytes at once reduces the chances of conflicts if memory got
++ * overwritten already */
++ for (i = 0; i < 64; i += 2)
+ {
+- if (ptr[i] != 0 && ptr[i] == i)
++ if (ptr[i] != 0 && ptr[i] == i &&
++ ptr[i+1] != 0 && ptr[i+1] == i+1)
+ {
+ cleared = FALSE;
+ break;
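Review bot: The loop inspects `ptr[i]` and `ptr[i+1]` after `chunk_clear(&chunk)` has released the buffer (the existing comment calls it the "memory area of freed chunk"), so the test reads freed memory by design and the new two-byte comparison only lowers the probability of a false "not cleared" verdict when the allocator has reused the region; it does not make the check deterministic. That deserves a sentence in the comment the patch extends, e.g. `/* NOTE: this deliberately reads freed memory; it is a probabilistic check and must be skipped under AddressSanitizer/valgrind, which flag the read. */`. The `i += 2` step with `ptr[i+1]` stays inside the 64-byte window (last pair is 62/63). The enclosing START_TEST(test_chunk_clear) starts before the hunk.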
diff --git a/debian/patches/04_cve-2014-2338.patch b/debian/patches/04_cve-2014-2338.patch
new file mode 100644
index 000000000..688245ce8
--- /dev/null
+++ b/debian/patches/04_cve-2014-2338.patch
@@ -0,0 +1,36 @@
+From b980ba7757dcfedd756aa055b3271ea58cf85aa6 Mon Sep 17 00:00:00 2001
+From: Martin Willi <martin@revosec.ch>
+Date: Thu, 20 Feb 2014 16:08:43 +0100
+Subject: [PATCH] ikev2: Reject CREATE_CHILD_SA exchange on unestablished
+ IKE_SAs
+
+Prevents a responder peer to trick us into established state by starting
+IKE_SA rekeying before the IKE_SA has been authenticated during IKE_AUTH.
+
+Fixes CVE-2014-2338 for 5.x versions of strongSwan.
+---
+ src/libcharon/sa/ikev2/task_manager_v2.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/src/libcharon/sa/ikev2/task_manager_v2.c b/src/libcharon/sa/ikev2/task_manager_v2.c
+index ac3be90..a5252ab 100644
+--- a/src/libcharon/sa/ikev2/task_manager_v2.c
++++ b/src/libcharon/sa/ikev2/task_manager_v2.c
+@@ -778,6 +778,15 @@ static status_t process_request(private_task_manager_t *this,
+ case CREATE_CHILD_SA:
+ { /* FIXME: we should prevent this on mediation connections */
+ bool notify_found = FALSE, ts_found = FALSE;
++
++ if (this->ike_sa->get_state(this->ike_sa) == IKE_CREATED ||
++ this->ike_sa->get_state(this->ike_sa) == IKE_CONNECTING)
++ {
++ DBG1(DBG_IKE, "received CREATE_CHILD_SA request for "
++ "unestablished IKE_SA, rejected");
++ return FAILED;
++ }
++
+ enumerator = message->create_payload_enumerator(message);
+ while (enumerator->enumerate(enumerator, &payload))
+ {
+--
+1.8.1.2
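Review bot: The new guard calls `this->ike_sa->get_state(this->ike_sa)` twice in the same condition; reading the state once into a local would make the rejected-state set easier to read and extend, e.g. `ike_sa_state_t state = this->ike_sa->get_state(this->ike_sa);` followed by `if (state == IKE_CREATED || state == IKE_CONNECTING)`. Since this patch is a verbatim upstream cherry-pick, that tidy-up belongs upstream rather than in the Debian patch, and the patch should stay byte-identical to the upstream commit so it can be dropped cleanly on the next upstream release. The enclosing process_request() begins and ends outside the hunk, so whether the caller sends any response on FAILED cannot be checked here.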
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 000000000..694043aa7
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,4 @@
+01_fix-manpages.patch
+02_unit-tests-Fix-filtered-enumerator-tests-on-64-bit-b.patch
+03_unit-tests-Fix-chunk-clear-armel.patch
+04_cve-2014-2338.patch