diff mbox series

[meta-networking,scarthgap] strongswan: Fix CVE-2026-25075

Message ID 20260402115857.609116-1-vanusuri@mvista.com
State New
Headers show
Series [meta-networking,scarthgap] strongswan: Fix CVE-2026-25075 | expand

Commit Message

Vijay Anusuri April 2, 2026, 11:58 a.m. UTC 
Pick patch according to [1]

[1] https://download.strongswan.org/security/CVE-2026-25075/
[2] https://www.strongswan.org/blog/2026/03/23/strongswan-vulnerability-(cve-2026-25075).html

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
 .../strongswan/CVE-2026-25075.patch           | 50 +++++++++++++++++++
 .../strongswan/strongswan_5.9.14.bb           |  1 +
 2 files changed, 51 insertions(+)
 create mode 100644 meta-networking/recipes-support/strongswan/strongswan/CVE-2026-25075.patch
diff mbox series

Patch

diff --git a/meta-networking/recipes-support/strongswan/strongswan/CVE-2026-25075.patch b/meta-networking/recipes-support/strongswan/strongswan/CVE-2026-25075.patch
new file mode 100644
index 0000000000..46ce5d5ad2
--- /dev/null
+++ b/meta-networking/recipes-support/strongswan/strongswan/CVE-2026-25075.patch
@@ -0,0 +1,50 @@ 
+From d4b3c39776f06948d875614a0eddea9561159f2a Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Thu, 5 Mar 2026 12:43:12 +0100
+Subject: [PATCH] eap-ttls: Prevent crash if AVP length header field is invalid
+
+The length field in the AVP header includes the 8 bytes of the header
+itself.  Not checking for that and later subtracting it causes an
+integer underflow that usually triggers a crash when accessing a
+NULL pointer that resulted from the failing chunk_alloc() call because
+of the high value.
+
+The attempted allocations for invalid lengths (0-7) are 0xfffffff8,
+0xfffffffc, or 0x100000000 (0 on 32-bit hosts), so this doesn't result
+in a buffer overflow even if the allocation succeeds.
+
+Fixes: 79f2102cb442 ("implemented server side support for EAP-TTLS")
+Fixes: CVE-2026-25075
+
+Upstream-Status: Backport [https://download.strongswan.org/security/CVE-2026-25075/strongswan-4.5.0-6.0.4_eap_ttls_avp_len.patch]
+CVE: CVE-2026-25075
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/libcharon/plugins/eap_ttls/eap_ttls_avp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls_avp.c b/src/libcharon/plugins/eap_ttls/eap_ttls_avp.c
+index 06389f7ca73e..2983bd021ded 100644
+--- a/src/libcharon/plugins/eap_ttls/eap_ttls_avp.c
++++ b/src/libcharon/plugins/eap_ttls/eap_ttls_avp.c
+@@ -119,7 +119,7 @@ METHOD(eap_ttls_avp_t, process, status_t,
+ 		chunk_free(&this->input);
+ 		this->inpos = 0;
+ 
+-		if (!success)
++		if (!success || avp_len < AVP_HEADER_LEN)
+ 		{
+ 			DBG1(DBG_IKE, "received invalid AVP header");
+ 			return FAILED;
+@@ -130,7 +130,7 @@ METHOD(eap_ttls_avp_t, process, status_t,
+ 			return FAILED;
+ 		}
+ 		this->process_header = FALSE;
+-		this->data_len = avp_len - 8;
++		this->data_len = avp_len - AVP_HEADER_LEN;
+ 		this->input = chunk_alloc(this->data_len + (4 - avp_len) % 4);
+ 	}
+ 
+-- 
+2.43.0
+
diff --git a/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb b/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb
index 4592381a36..820a1ad9e8 100644
--- a/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb
+++ b/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb
@@ -10,6 +10,7 @@  DEPENDS:append = "${@bb.utils.contains('DISTRO_FEATURES', 'tpm2', '  tpm2-tss',
 
 SRC_URI = "https://download.strongswan.org/strongswan-${PV}.tar.bz2 \
            file://CVE-2025-62291.patch \
+           file://CVE-2026-25075.patch \
            "
 
 SRC_URI[sha256sum] = "728027ddda4cb34c67c4cec97d3ddb8c274edfbabdaeecf7e74693b54fc33678"