new file mode 100644
@@ -0,0 +1,45 @@
+From 8412dbb2dc054191b03df8e7fbc3dd8bf4c10be3 Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Thu, 9 Oct 2025 11:33:45 +0200
+Subject: [PATCH] eap-mschapv2: Fix length check for Failure Request packets on
+ the client
+
+For message lengths between 6 and 8, subtracting HEADER_LEN (9) causes
+`message_len` to become negative, which is then used in calls to malloc()
+and memcpy() that both take size_t arguments, causing an integer
+underflow.
+
+For 6 and 7, the huge size requested from malloc() will fail (it exceeds
+PTRDIFF_MAX) and the returned NULL pointer will cause a segmentation
+fault in memcpy().
+
+However, for 8, the allocation is 0, which succeeds. But then the -1
+passed to memcpy() causes a heap-based buffer overflow (and possibly a
+segmentation fault when attempting to read/write that much data).
+Fortunately, if compiled with -D_FORTIFY_SOURCE=3 (the default on e.g.
+Ubuntu), the compiler will use __memcpy_chk(), which prevents that buffer
+overflow and causes the daemon to get aborted immediately instead.
+
+Fixes: f98cdf7a4765 ("adding plugin for EAP-MS-CHAPv2")
+Fixes: CVE-2025-62291
+
+CVE: CVE-2025-62291
+Upstream-Status: Backport [https://github.com/strongswan/strongswan/commit/c687ada6a6f68913651e355fd09f906893096b32]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
+index 1bb54c8..9ad509a 100644
+--- a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
++++ b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
+@@ -974,7 +974,7 @@ static status_t process_peer_failure(private_eap_mschapv2_t *this,
+ data = in->get_data(in);
+ eap = (eap_mschapv2_header_t*)data.ptr;
+
+- if (data.len < 3) /* we want at least an error code: E=e */
++ if (data.len < HEADER_LEN + 3) /* we want at least an error code: E=e */
+ {
+ DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: too short");
+ return FAILED;
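Review bot: The patch header carries two different commit ids, the `From 8412dbb2dc05…` line and the `Upstream-Status: Backport` URL ending in `c687ada6a6f6…`, and nothing in the header says which of them this file was generated from. For a security backport that makes it harder to confirm that the one-line guard, `if (data.len < HEADER_LEN + 3)`, is exactly what upstream shipped; presumably the file is the patch published with the vendor's advisory and the URL points at the equivalent upstream commit, but that is an inference from the commit description. I would add a one-line note under `Upstream-Status:`, for example `Patch taken from the vendor's advisory; same change as the upstream commit linked above.`, or make the two ids agree. The guard is consistent with the description, since lengths below `HEADER_LEN + 3` are now rejected before the `HEADER_LEN` subtraction the message refers to. However, `process_peer_failure` begins and ends outside the hunk, so the subtraction and the malloc()/memcpy() calls cannot be checked from here.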
@@ -9,7 +9,8 @@ DEPENDS = "flex-native flex bison-native"
DEPENDS:append = "${@bb.utils.contains('DISTRO_FEATURES', 'tpm2', ' tpm2-tss', '', d)}"
SRC_URI = "https://download.strongswan.org/strongswan-${PV}.tar.bz2 \
- "
+ file://CVE-2025-62291.patch \
+ "
SRC_URI[sha256sum] = "728027ddda4cb34c67c4cec97d3ddb8c274edfbabdaeecf7e74693b54fc33678"
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-62291 Pick the patch that is mentioned on the vendor's blog[1], that is also referenced in the NVD report. [1]: https://www.strongswan.org/blog/2025/10/27/strongswan-vulnerability-%28cve-2025-62291%29.html Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> --- .../strongswan/CVE-2025-62291.patch | 45 +++++++++++++++++++ .../strongswan/strongswan_5.9.14.bb | 3 +- 2 files changed, 47 insertions(+), 1 deletion(-) create mode 100644 meta-networking/recipes-support/strongswan/strongswan/CVE-2025-62291.patch