[meta-networking,dunfell,v2] strongswan: Fix for CVE-2021-41990 and CVE-2021-41991

Message ID 20220107074831.3065-1-thakur.virendra1810@gmail.com
State New, archived

Commit Message

virendra thakur Jan. 7, 2022, 7:48 a.m. UTC
From: Virendra Thakur <virendrak@kpit.com>

Add patch to fix CVE-2021-41990 and CVE-2021-41991

Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
Signed-off-by: virendra thakur <thakur.virendra1810@gmail.com>
---
 .../strongswan/files/CVE-2021-41990.patch     | 62 +++++++++++++++++++
 .../strongswan/files/CVE-2021-41991.patch     | 41 ++++++++++++
 .../strongswan/strongswan_5.8.4.bb            |  2 +
 3 files changed, 105 insertions(+)
 create mode 100644 meta-networking/recipes-support/strongswan/files/CVE-2021-41990.patch
 create mode 100644 meta-networking/recipes-support/strongswan/files/CVE-2021-41991.patch

Comments

Ranjitsinh Rathod Jan. 18, 2022, 8:56 a.m. UTC | #1
Hi Virendra,

You need to send this patch to "openembedded-devel@lists.openembedded.org".


Thanks,

Best Regards,

Ranjitsinh Rathod
Technical Leader | KPIT Technologies Ltd.
Cellphone: +91-84606 92403
Steve Sakoman Jan. 18, 2022, 2:51 p.m. UTC | #2
On Mon, Jan 17, 2022 at 10:56 PM Ranjitsinh Rathod via
lists.openembedded.org <ranjitsinh.rathod=kpit.com@lists.openembedded.org>
wrote:

> Hi Virendra,
>
> You need to send this patch to "openembedded-devel@lists.openembedded.org".
>

And also, since this is not a patch to oe-core, the subject should be
[oe][meta-networking]

Thanks for CVE fixes!

Steve




>
> Thanks,
>
> Best Regards,
>
> *Ranjitsinh Rathod*
> Technical Leader | KPIT Technologies Ltd.
> Cellphone: +91-84606 92403
>
> View/Reply Online (#160669):
> https://lists.openembedded.org/g/openembedded-core/message/160669

Patch

diff --git a/meta-networking/recipes-support/strongswan/files/CVE-2021-41990.patch b/meta-networking/recipes-support/strongswan/files/CVE-2021-41990.patch
new file mode 100644
index 000000000..b7118ba1f
--- /dev/null
+++ b/meta-networking/recipes-support/strongswan/files/CVE-2021-41990.patch
@@ -0,0 +1,62 @@ 
+From 423a5d56274a1d343e0d2107dfc4fbf0df2dcca5 Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Tue, 28 Sep 2021 17:52:08 +0200
+Subject: [PATCH] Reject RSASSA-PSS params with negative salt length
+
+The `salt_len` member in the struct is of type `ssize_t` because we use
+negative values for special automatic salt lengths when generating
+signatures.
+
+Not checking this could lead to an integer overflow.  The value is assigned
+to the `len` field of a chunk (`size_t`), which is further used in
+calculations to check the padding structure and (if that is passed by a
+matching crafted signature value) eventually a memcpy() that will result
+in a segmentation fault.
+
+Fixes: a22316520b91 ("signature-params: Add functions to parse/build ASN.1 RSASSA-PSS params")
+Fixes: 7d6b81648b2d ("gmp: Add support for RSASSA-PSS signature verification")
+Fixes: CVE-2021-41990
+
+Upstream-Status: Backport [https://download.strongswan.org/security/CVE-2021-41990]
+CVE: CVE-2021-41990
+
+Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
+
+---
+ src/libstrongswan/credentials/keys/signature_params.c | 6 +++++-
+ src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c    | 2 +-
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/libstrongswan/credentials/keys/signature_params.c b/src/libstrongswan/credentials/keys/signature_params.c
+index d89bd2c96bb5..837de8443d43 100644
+--- a/src/libstrongswan/credentials/keys/signature_params.c
++++ b/src/libstrongswan/credentials/keys/signature_params.c
+@@ -322,7 +322,11 @@ bool rsa_pss_params_parse(chunk_t asn1, int level0, rsa_pss_params_t *params)
+ 			case RSASSA_PSS_PARAMS_SALT_LEN:
+ 				if (object.len)
+ 				{
+-					params->salt_len = (size_t)asn1_parse_integer_uint64(object);
++					params->salt_len = (ssize_t)asn1_parse_integer_uint64(object);
++					if (params->salt_len < 0)
++					{
++						goto end;
++					}
+ 				}
+ 				break;
+ 			case RSASSA_PSS_PARAMS_TRAILER:
+diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
+index f9bd1d314dec..3a775090883e 100644
+--- a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
++++ b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
+@@ -168,7 +168,7 @@ static bool verify_emsa_pss_signature(private_gmp_rsa_public_key_t *this,
+ 	int i;
+ 	bool success = FALSE;
+ 
+-	if (!params)
++	if (!params || params->salt_len < 0)
+ 	{
+ 		return FALSE;
+ 	}
+-- 
+2.25.1
+
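Review bot: in the `signature_params.c` hunk the rejection depends on `(ssize_t)asn1_parse_integer_uint64(object)` coming out negative, so the sign test only catches values whose top bit survives the conversion; since the `index d89bd2c96bb5..837de8443d43` pre-image is upstream's rather than the 5.8.4 tree's, please confirm that `salt_len` is declared `ssize_t` in dunfell's copy as well, and note that on a target where `ssize_t` is narrower than 64 bits the cast truncates before the `< 0` check, so whether a large positive `salt_len` is bounded by the later padding-structure checks is not visible in this hunk. The repeated `params->salt_len < 0` test in `gmp_rsa_public_key.c` is a sensible defence-in-depth check at the point of use and should stay even though the parser now rejects the value. One documentation nit: `Upstream-Status: Backport [https://download.strongswan.org/security/CVE-2021-41990]` cites the advisory page, while the upstream commit hash `423a5d56274a1d343e0d2107dfc4fbf0df2dcca5` already appears in the `From` line; adding it to the Upstream-Status line makes the backport easier to diff against upstream.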
diff --git a/meta-networking/recipes-support/strongswan/files/CVE-2021-41991.patch b/meta-networking/recipes-support/strongswan/files/CVE-2021-41991.patch
new file mode 100644
index 000000000..2d898fa5c
--- /dev/null
+++ b/meta-networking/recipes-support/strongswan/files/CVE-2021-41991.patch
@@ -0,0 +1,41 @@ 
+From b667237b3a84f601ef5a707ce8eb861c3a5002d3 Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Tue, 28 Sep 2021 19:38:22 +0200
+Subject: [PATCH] cert-cache: Prevent crash due to integer overflow/sign change
+
+random() allocates values in the range [0, RAND_MAX], with RAND_MAX usually
+equaling INT_MAX = 2^31-1.  Previously, values between 0 and 31 were added
+directly to that offset before applying`% CACHE_SIZE` to get an index into
+the cache array.  If the random value was very high, this resulted in an
+integer overflow and a negative index value and, therefore, an out-of-bounds
+access of the array and in turn dereferencing invalid pointers when trying
+to acquire the read lock.  This most likely results in a segmentation fault.
+
+Fixes: 764e8b2211ce ("reimplemented certificate cache")
+Fixes: CVE-2021-41991
+
+Upstream-Status: Backport [https://download.strongswan.org/security/CVE-2021-41991]
+CVE: CVE-2021-41991
+
+Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
+
+---
+ src/libstrongswan/credentials/sets/cert_cache.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libstrongswan/credentials/sets/cert_cache.c b/src/libstrongswan/credentials/sets/cert_cache.c
+index f1579c60a9bc..ceebb3843725 100644
+--- a/src/libstrongswan/credentials/sets/cert_cache.c
++++ b/src/libstrongswan/credentials/sets/cert_cache.c
+@@ -151,7 +151,7 @@ static void cache(private_cert_cache_t *this,
+ 	for (try = 0; try < REPLACE_TRIES; try++)
+ 	{
+ 		/* replace a random relation */
+-		offset = random();
++		offset = random() % CACHE_SIZE;
+ 		for (i = 0; i < CACHE_SIZE; i++)
+ 		{
+ 			rel = &this->relations[(i + offset) % CACHE_SIZE];
+-- 
+2.25.1
+
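Review bot: `offset = random() % CACHE_SIZE;` bounds the starting index before the loop adds `i`, so `(i + offset) % CACHE_SIZE` can no longer wrap negative provided `2 * CACHE_SIZE` fits in the type of `offset`; the declaration of `offset` and the value of `CACHE_SIZE` sit outside the hunk, so it is worth a glance at `cert_cache.c` in 5.8.4 to confirm both before merging. Same nit as the first patch: the `Upstream-Status` line cites the advisory URL only, so add the upstream commit `b667237b3a84f601ef5a707ce8eb861c3a5002d3` from the `From` line there too.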
diff --git a/meta-networking/recipes-support/strongswan/strongswan_5.8.4.bb b/meta-networking/recipes-support/strongswan/strongswan_5.8.4.bb
index 8a8809243..b45b8074c 100644
--- a/meta-networking/recipes-support/strongswan/strongswan_5.8.4.bb
+++ b/meta-networking/recipes-support/strongswan/strongswan_5.8.4.bb
@@ -11,6 +11,8 @@  SRC_URI = "http://download.strongswan.org/strongswan-${PV}.tar.bz2 \
            file://fix-funtion-parameter.patch \
            file://0001-memory.h-Include-stdint.h-for-uintptr_t.patch \
            file://0001-Remove-obsolete-setting-regarding-the-Standard-Outpu.patch \
+           file://CVE-2021-41990.patch \
+           file://CVE-2021-41991.patch \
            "
 
 SRC_URI[md5sum] = "0634e7f40591bd3f6770e583c3f27d29"
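Review bot: the two new `file://CVE-2021-41990.patch` and `file://CVE-2021-41991.patch` entries are all the recipe needs, since each patch carries a `CVE:` tag that the cve-check class uses to mark the CVE as patched for strongswan 5.8.4, and the `\` continuation before the closing `"` is preserved so `SRC_URI` still parses. Two nits raised in the thread apply to the submission rather than the diff: the subject should use the `[oe][meta-networking][dunfell]` form rather than being sent as an OE-core patch, and it should go to openembedded-devel@lists.openembedded.org as Steve and Ranjitsinh noted.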