From 28e10f3436f19ea3358597ffde295c4b686bdf24 Mon Sep 17 00:00:00 2001 From: Yves-Alexis Perez Date: Mon, 16 Nov 2015 12:35:03 +0100 Subject: Fix CVE-2015-8023 * Set urgency=high for security fix. * debian/patches: - CVE-2015-8023_eap_mschapv2_state added, fix authentication bypass when using EAP MSCHAPv2. --- .../patches/CVE-2015-8023_eap_mschapv2_state.patch | 35 ++++++++++++++++++++++ debian/patches/series | 1 + 2 files changed, 36 insertions(+) create mode 100644 debian/patches/CVE-2015-8023_eap_mschapv2_state.patch (limited to 'debian/patches') diff --git a/debian/patches/CVE-2015-8023_eap_mschapv2_state.patch b/debian/patches/CVE-2015-8023_eap_mschapv2_state.patch new file mode 100644 index 000000000..0ee759ce4 --- /dev/null +++ b/debian/patches/CVE-2015-8023_eap_mschapv2_state.patch @@ -0,0 +1,35 @@ +From 91762f11e223e33b82182150d7c4cf7c2ec3cefa Mon Sep 17 00:00:00 2001 +From: Tobias Brunner +Date: Thu, 29 Oct 2015 11:18:27 +0100 +Subject: [PATCH] eap-mschapv2: Only succeed authentication if MSK was + established + +An MSK is only established if the client successfully authenticated +itself and only then must we accept an MSCHAPV2_SUCCESS message. + +Fixes CVE-2015-8023 +--- + src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c +index f7f39f9841d2..931e3c41dde4 100644 +--- a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c ++++ b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c +@@ -1145,7 +1145,11 @@ METHOD(eap_method_t, process_server, status_t, + } + case MSCHAPV2_SUCCESS: + { +- return SUCCESS; ++ if (this->msk.ptr) ++ { ++ return SUCCESS; ++ } ++ break; + } + case MSCHAPV2_FAILURE: + { +-- +1.9.1 + + diff --git a/debian/patches/series b/debian/patches/series index 791c61c82..aec9df656 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -3,3 +3,4 @@ 04_disable-libtls-tests.patch 0001-socket-default-Refactor-setting-source-address-when-.patch 0001-socket-dynamic-Refactor-setting-source-address-when-.patch +CVE-2015-8023_eap_mschapv2_state.patch -- cgit v1.2.3