From f869be90352c43cc0db49fb712d729454eb5c6b0 Mon Sep 17 00:00:00 2001
From: Yves-Alexis Perez
Date: Fri, 26 Apr 2013 11:47:16 +0200
Subject: Fix for CVE-2013-2944

* debian/patches:
- 0001-Check-return-value-of-ECDSA_Verify-correctly added. Fix ECDSA signature verification when using openssl plugin (CVE-2013-2944).
---
 debian/changelog | 8 +++++++
 ...ck-return-value-of-ECDSA_Verify-correctly.patch | 26 ++++++++++++++++++++++
 debian/patches/series | 1 +
 3 files changed, 35 insertions(+)
 create mode 100644 debian/patches/0001-Check-return-value-of-ECDSA_Verify-correctly.patch

diff --git a/debian/changelog b/debian/changelog
index d5fe43d03..c68645dc7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+strongswan (4.6.4-7) UNRELEASED; urgency=high
+
+ * debian/patches:
+ - 0001-Check-return-value-of-ECDSA_Verify-correctly added. Fix ECDSA
+ signature verification when using openssl plugin (CVE-2013-2944).
+
+ -- Yves-Alexis Perez Fri, 26 Apr 2013 11:35:38 +0200
+
 strongswan (4.6.4-6) unstable; urgency=low
 
 * debian/rules:
diff --git a/debian/patches/0001-Check-return-value-of-ECDSA_Verify-correctly.patch b/debian/patches/0001-Check-return-value-of-ECDSA_Verify-correctly.patch
new file mode 100644
index 000000000..abd1f1921
--- /dev/null
+++ b/debian/patches/0001-Check-return-value-of-ECDSA_Verify-correctly.patch
@@ -0,0 +1,26 @@
+From 0faaab20cd9c4a519fb6269ab6c8be15d0b61864 Mon Sep 17 00:00:00 2001
+From: Martin Willi
+Date: Tue, 9 Apr 2013 10:56:09 +0200
+Subject: Check return value of ECDSA_Verify() correctly
+
+---
+ src/libstrongswan/plugins/openssl/openssl_ec_public_key.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c
+index c8a45f7..38cc8be 100644
+--- a/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c
++++ b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c
+@@ -124,7 +124,7 @@ static bool verify_der_signature(private_openssl_ec_public_key_t *this,
+ if (openssl_hash_chunk(nid_hash, data, &hash))
+ {
+ valid = ECDSA_verify(0, hash.ptr, hash.len,
+- signature.ptr, signature.len, this->ec);
++ signature.ptr, signature.len, this->ec) == 1;
+ free(hash.ptr);
+ }
+ return valid;
+--
+1.7.10.4
+
+
diff --git a/debian/patches/series b/debian/patches/series
index ff06f2f04..29c60134c 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,4 @@
 02_add-LICENSE.patch
 03_Pass-lo-as-faked-tundev-to-NM-as-it-now-needs-a-vali.patch
 04-Fixed-IPv6-source-address-lookup.patch
+0001-Check-return-value-of-ECDSA_Verify-correctly.patch
-- 
cgit v1.2.3
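Review bot: The `== 1` comparison in the nested hunk of the new patch file now correctly rejects the -1 error return of ECDSA_verify(), but that error path leaves no trace: OpenSSL typically pushes entries onto the thread's error queue when it returns -1 (for instance on a signature that is not well-formed DER), and nothing in the hunk drains or logs them, so a later unrelated error check in the same thread could read stale state — worth confirming whether the plugin clears the queue elsewhere, and if not, `ERR_clear_error();` after the call would be the usual place. A comment on the assignment would also record why the exact comparison matters, since the defect being fixed was treating any non-zero return as success: `/* ECDSA_verify() returns 1 for a valid signature, 0 for an invalid one and -1 on error; only 1 is success */`. The enclosing verify_der_signature() starts and ends outside the hunk, so the initial value of valid and the path taken when openssl_hash_chunk() fails cannot be checked here.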