From nobody Sat Mar 04 06:32:45 2023 X-Original-To: dev-commits-ports-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4PTFQ610ZFz3vdTs; Sat, 4 Mar 2023 06:32:46 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4PTFQ60TQNz3kwx; Sat, 4 Mar 2023 06:32:46 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1677911566; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=zboN6BScQY/em3u/xuXTGUVHggFsk0lDg88dg0uoGU8=; b=o/aSyn+5btZiZiiSCRhiN8TOUaBbNB4xkU9QQJILx74gipF+NCsZYGC+zbZDkQ0YStlPv1 Tw3I7sqgGkKxxWf9vu/ardqYEnDASf2jnXKmXnkhPXKuE1Se5pmF77jAl+aNU5du1sRP6o dRx9oejdECzO1u4cvvlbtJD1pkuuhvDGj8Y8N8kQNciW1mClblzCjcJTN4SYCTVuwsjhSc 7xHc6/SODXk4SIDTSfkhHssqg6HH921x1WPo6mKWtncSSTJ5RZzWAL6mtsnn6IKRbRbjq5 qnWAyLiFIL8DH035iR204pcsKis86jrJ8+rl9LYn9R7NcZBo4mIGTOWXAQ3cFw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1677911566; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=zboN6BScQY/em3u/xuXTGUVHggFsk0lDg88dg0uoGU8=; b=U0RQVsKeWlfKCu6wkMXIDeJ70PxcoA2cr5nhcYOGm5SzF/9EqZKftuMXHxVg6sqHBnARYM NyR1cK46ItoqjfXFeJp8HTDUUwxHrhfv2emao0yCF+Jmf0vzblnXK7KQGWpMLAFgc14yW9 T1RsLROxwlZrP5oZxrLGqDgYtTe4FJ4iSQkDyHpMXMDE0Ehcd2A6BHY9RzHh3ntmhzWVIT KSohn1oRZE/n3eYGX09epIciDxbOoYdX0rHdqE6BQpyUXoKrCPQHqkI9cpE6WeyCWTFF/E ud2PR9swq62fJIP52GtLrlHSpK5Tqn/teUFXEVC70LZRMu56Jqxt/E+tGLYjRA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1677911566; a=rsa-sha256; cv=none; b=ElGmSaO8qBG+il0qplaMiYkv28DjP+dW7p9lkTNlB3Ik/3VKl4tCFFyvS2PYpB43rc1sqA MsIhjkmicqRfar8Tobk9wUl020fkWn5Btx70nc98rRoPXC04V/ff3qRpxZfzhTjHp4joCd eF5mPESUc7gD1nwXkwxup6b+TyNDPpwnvRo2E/gLmba3YDlh4ftSpuanhIgsTHbMgtMQcX F3Su1v00mw8+5jV4lMT+zWKBW2VW0ijIvaqw2Haz8sMjO+uaKR396NjJ9TFf6AHNi1kCaq gEQCxyd8bmP7rz/nh1yryT7AceCVYTGB3H8LYSK43VITb1VHOjdJ3ejfrAqJ9Q== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4PTFQ56fwzzV5T; Sat, 4 Mar 2023 06:32:45 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 3246WjEr016558; Sat, 4 Mar 2023 06:32:45 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 3246WjBW016557; Sat, 4 Mar 2023 06:32:45 GMT (envelope-from git) Date: Sat, 4 Mar 2023 06:32:45 GMT Message-Id: <202303040632.3246WjBW016557@gitrepo.freebsd.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org From: Eugene Grosbein Subject: git: c703ad728b40 - main - security/strongswan: fix CVE-2023-26463 List-Id: Commit messages for all branches of the ports repository List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-ports-all@freebsd.org X-BeenThere: dev-commits-ports-all@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: eugen X-Git-Repository: ports X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: c703ad728b40f1b323b3b388745f03e2c279ccfb Auto-Submitted: auto-generated X-ThisMailContainsUnwantedMimeParts: N The branch main has been updated by eugen: URL: https://cgit.FreeBSD.org/ports/commit/?id=c703ad728b40f1b323b3b388745f03e2c279ccfb commit c703ad728b40f1b323b3b388745f03e2c279ccfb Author: Eugene Grosbein AuthorDate: 2023-03-04 06:26:38 +0000 Commit: Eugene Grosbein CommitDate: 2023-03-04 06:31:16 +0000 security/strongswan: fix CVE-2023-26463 This is urgent change adding official patch https://download.strongswan.org/security/CVE-2023-26463/strongswan-5.9.8-5.9.9_tls_auth_bypass_exp_pointer.patch It is upto port maintainer to review and maybe upgrade the port to 5.9.10. Obtained from: strongSwan Security: CVE-2023-26463 --- security/strongswan/Makefile | 2 +- .../strongswan/files/patch-src_libtls_tls_server.c | 48 ++++++++++++++++++++++ 2 files changed, 49 insertions(+), 1 deletion(-) diff --git a/security/strongswan/Makefile b/security/strongswan/Makefile index 0654cc82aa70..0870d891ebce 100644 --- a/security/strongswan/Makefile +++ b/security/strongswan/Makefile @@ -1,6 +1,6 @@ PORTNAME= strongswan DISTVERSION= 5.9.9 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= security net-vpn MASTER_SITES= https://download.strongswan.org/ \ https://download2.strongswan.org/ diff --git a/security/strongswan/files/patch-src_libtls_tls_server.c b/security/strongswan/files/patch-src_libtls_tls_server.c new file mode 100644 index 000000000000..5bd53faab6fb --- /dev/null +++ b/security/strongswan/files/patch-src_libtls_tls_server.c @@ -0,0 +1,48 @@ +From 980750bde07136255784d6ef6cdb5c085d30e2f9 Mon Sep 17 00:00:00 2001 +From: Tobias Brunner +Date: Fri, 17 Feb 2023 15:07:20 +0100 +Subject: [PATCH] libtls: Fix authentication bypass and expired pointer + dereference + +`public` is returned, but previously only if a trusted key was found. +We obviously don't want to return untrusted keys. However, since the +reference is released after determining the key type, the returned +object also doesn't have the correct refcount. + +So when the returned reference is released after verifying the TLS +signature, the public key object is actually destroyed. The certificate +object then points to an expired pointer, which is dereferenced once it +itself is destroyed after the authentication is complete. Depending on +whether the pointer is valid (i.e. points to memory allocated to the +process) and what was allocated there after the public key was freed, +this could result in a segmentation fault or even code execution. + +Fixes: 63fd718915b5 ("libtls: call create_public_enumerator() with key_type") +Fixes: CVE-2023-26463 +--- + src/libtls/tls_server.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/src/libtls/tls_server.c b/src/libtls/tls_server.c +index c9c300917dd6..573893f2efb5 100644 +--- src/libtls/tls_server.c ++++ src/libtls/tls_server.c +@@ -183,11 +183,11 @@ public_key_t *tls_find_public_key(auth_cfg_t *peer_auth, identification_t *id) + cert = peer_auth->get(peer_auth, AUTH_HELPER_SUBJECT_CERT); + if (cert) + { +- public = cert->get_public_key(cert); +- if (public) ++ current = cert->get_public_key(cert); ++ if (current) + { +- key_type = public->get_type(public); +- public->destroy(public); ++ key_type = current->get_type(current); ++ current->destroy(current); + } + enumerator = lib->credmgr->create_public_enumerator(lib->credmgr, + key_type, id, peer_auth, TRUE); +-- +2.25.1 +