From patchwork Tue Jun  9 08:30:59 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Nitin Wankhade <nitin.wankhade333@gmail.com>
X-Patchwork-Id: 89522
Return-Path: <nitin.wankhade333@gmail.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 5A4B4CD8CAC
	for <webhook@archiver.kernel.org>; Tue,  9 Jun 2026 08:32:33 +0000 (UTC)
Received: from mail-pj1-f49.google.com (mail-pj1-f49.google.com
 [209.85.216.49])
 by mx.groups.io with SMTP id smtpd.msgproc02-g2.74753.1780993944928707030
 for <openembedded-devel@lists.openembedded.org>;
 Tue, 09 Jun 2026 01:32:25 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@gmail.com header.s=20251104 header.b=pW0pmdUu;
 spf=pass (domain: gmail.com, ip: 209.85.216.49,
 mailfrom: nitin.wankhade333@gmail.com)
Received: by mail-pj1-f49.google.com with SMTP id
 98e67ed59e1d1-36b7b802299so485790a91.1
        for <openembedded-devel@lists.openembedded.org>;
 Tue, 09 Jun 2026 01:32:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20251104; t=1780993944; x=1781598744;
 darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:from:to:cc:subject:date:message-id:reply-to;
        bh=5k6MCwMfbW+lMyUO0F4aU4Fy1VrU3D/zoyuWbt1VFTY=;
        b=pW0pmdUuMwIDp0ADdVApkPhiV9Vxld5ZsZXEEGYEDs3x9Xau1V/T7rZjAjQJ0n0amy
         K1ad3nJVOKVSLgFbh8kuM0TkVy7Fdt5oTzTnuK9woHklAQybMNRpi1OTRqHavRGBtHxf
         mbRcd0RO/lIfokARaRQDl5l2tu/ok9MkDwZykPgcASHFdBhTyW2+nDf522+j6fRXPYHJ
         +3eZMC18zgKz8VqyHlWw8Nw8SXB9wgRGaeOAnorskftp+MUHHZZ4zdp8+m08JYnlKsXA
         LFpKz0ENgAiYuuTEEqAjiIH7RFFBizzzNbEyZaiyR9TkOJMqEovJfClh+QIfwQdHPsWL
         C8Gg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1780993944; x=1781598744;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date
         :message-id:reply-to;
        bh=5k6MCwMfbW+lMyUO0F4aU4Fy1VrU3D/zoyuWbt1VFTY=;
        b=STTpg3amih625C+L8qbtPvmd8q/0BceiJyXgNtmuW11GtySVrPqb0X+rjqGEUN0j6A
         ilksrI8nQmnoq97jbYH/HqLQRWkcSQWVTEz9szcbtxIAxEtzNaJdpnc1L3Z0nv4tKmHZ
         EbwUi0EA0T/svV/i0ZES/QvkFlKfeKWULn8pBxPF3/NL2BXKkAjYeuPmYd6oQjdr9tkF
         itdcKxL+pn2LcJacJOJTv7433eEdOZtDWyaHqUlbijdfxvpCGhLMS+YmbNNpj8/SdlXk
         nFgZMFI4V/vJWk/3IRDJnWllwZrsuaKZQM7JXDVnXwYnb+HITqqB2ivPcPNtuO1w6hKo
         qdbA==
X-Gm-Message-State: AOJu0YwmhoT/pHmJjYlixlH6Wo87ircaoVsFTYI2bL5pcKVm3MXXPBZJ
	QJ6Ca7LHNFGUCN2xgcuiRPrfs3iKfxCgNyC/07UuceWh6E6LLauFxglfqsqJu72q50sv0Q==
X-Gm-Gg: Acq92OEK4mGNppVzpBnY34QMYw5MdN9+vRMRAgcBJvTodWzIq6pSaxkk1MNtXaCpeZ4
	nT4DuS4sMllBLOw/s99ukoIA8D7TQja5NfzMdWbRW6dGUIbLTp0YiCCeACUBa+oV2NXdmeFYOfa
	ZOkv+9F45LJ0loUlmwT7xoQ3P8eM0kzY5Kn4d8s8mRDWRLK0O3BSloLkKcbCaGz3nbxigzUk3xA
	D5Eu4XtyxOUPIZamJLOWR45YPvlVjZzdltOQxkreocjDojJGsN5iz+qExRhs1U78ozUKznRFMYy
	lHpPdtQLJzfD8VbA53tbwqmw8yZ/WDM9WGen1DX0i+B+cJrfoDltwI8vgqv1dpHQuBbSB7xvFko
	NLHI01oeRubRHS4CHpgy8tMyTUEnZI45zJAj0N8xg6+Hey5JmBayLbfc3R4HSQzVFwmgSaZ80pD
	VWpicNkuaxAiGeilcpz3S7dJjhFkD2CqIB2fyRETAi2m2l8mHK/eIROJUIXGflGQ==
X-Received: by 2002:a17:90b:2702:b0:368:f0a:1c49 with SMTP id
 98e67ed59e1d1-3751d10e793mr1128333a91.0.1780993944141;
        Tue, 09 Jun 2026 01:32:24 -0700 (PDT)
Received: from L-15597L.www.tendawifi.com ([36.255.86.178])
        by smtp.gmail.com with ESMTPSA id
 98e67ed59e1d1-36f6bf903fasm18196212a91.2.2026.06.09.01.32.22
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 09 Jun 2026 01:32:23 -0700 (PDT)
From: Nitin Wankhade <nitin.wankhade333@gmail.com>
To: openembedded-devel@lists.openembedded.org
Cc: Nitin.Wankhade@kpit.com
Subject: [OE-core][scarthgap][PATCH 1/6] strongswan: Fix CVE-2026-35328
Date: Tue,  9 Jun 2026 14:00:59 +0530
Message-Id: <20260609083104.869512-1-nitin.wankhade333@gmail.com>
X-Mailer: git-send-email 2.34.1
MIME-Version: 1.0
List-Id: <openembedded-devel.lists.openembedded.org>
X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com
 [45.33.107.173] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-devel@lists.openembedded.org>; Tue, 09 Jun 2026 08:32:33 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-devel/message/127438

Upstream-Status: Backport [https://snapshot.debian.org/archive/debian-security-debug/20260422T125423Z/pool/updates/main/s/strongswan/strongswan_6.0.1-6%2Bdeb13u5.debian.tar.xz]

Signed-off-by: Nitin Wankhade <nitin.wankhade333@gmail.com>
---
 ...nt-infinite-loop-if-supported-versio.patch | 42 +++++++++++++++++++
 .../strongswan/strongswan_5.9.14.bb           |  1 +
 2 files changed, 43 insertions(+)
 create mode 100644 meta-networking/recipes-support/strongswan/strongswan/tls-server-Prevent-infinite-loop-if-supported-versio.patch

diff --git a/meta-networking/recipes-support/strongswan/strongswan/tls-server-Prevent-infinite-loop-if-supported-versio.patch b/meta-networking/recipes-support/strongswan/strongswan/tls-server-Prevent-infinite-loop-if-supported-versio.patch
new file mode 100644
index 0000000000..32a23b3be1
--- /dev/null
+++ b/meta-networking/recipes-support/strongswan/strongswan/tls-server-Prevent-infinite-loop-if-supported-versio.patch
@@ -0,0 +1,42 @@
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Wed, 25 Mar 2026 10:17:46 +0100
+Subject: tls-server: Prevent infinite loop if supported versions are too
+ short
+
+If the extension doesn't contain a multiple of two bytes, the previous
+code would get stuck in an infinite loop as `remaining()` continued to
+return TRUE while `read_uint16()` failed to parse a value. Initiating
+several connections with such an extension allows a DoS attack as no
+threads would eventually be available to handle packets/events.
+
+Fixes: 7fbe2e27ecf6 ("tls-server: TLS 1.3 support for TLS server implementation")
+Fixes: CVE-2026-35328
+
+CVE: CVE-2026-35328
+Upstream-Status: Backport [https://snapshot.debian.org/archive/debian-security-debug/20260422T125423Z/pool/updates/main/s/strongswan/strongswan_6.0.1-6%2Bdeb13u5.debian.tar.xz]
+Signed-off-by: Nitin Wankhade <nitin.wankhade333@gmail.com>
+===
+diff --git a/src/libtls/tls_server.c b/src/libtls/tls_server.c
+index 3ad9fd2..7b2238e 100644
+--- a/src/libtls/tls_server.c
++++ b/src/libtls/tls_server.c
+@@ -471,15 +471,12 @@ static status_t process_client_hello(private_tls_server_t *this,
+ 		bio_reader_t *client_versions;
+ 
+ 		client_versions = bio_reader_create(versions);
+-		while (client_versions->remaining(client_versions))
++		while (client_versions->read_uint16(client_versions, &version))
+ 		{
+-			if (client_versions->read_uint16(client_versions, &version))
++			if (this->tls->set_version(this->tls, version, version))
+ 			{
+-				if (this->tls->set_version(this->tls, version, version))
+-				{
+-					this->client_version = version;
+-					break;
+-				}
++				this->client_version = version;
++				break;
+ 			}
+ 		}
+ 		client_versions->destroy(client_versions);
diff --git a/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb b/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb
index 7cc67e4d92..6fbc345923 100644
--- a/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb
+++ b/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb
@@ -12,6 +12,7 @@ SRC_URI = "https://download.strongswan.org/strongswan-${PV}.tar.bz2 \
            file://CVE-2025-62291.patch \
            file://CVE-2026-25075.patch \
            file://CVE-2026-35334.patch \
+           file://tls-server-Prevent-infinite-loop-if-supported-versio.patch \
            "
 
 SRC_URI[sha256sum] = "728027ddda4cb34c67c4cec97d3ddb8c274edfbabdaeecf7e74693b54fc33678"

From patchwork Tue Jun  9 08:31:00 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Nitin Wankhade <nitin.wankhade333@gmail.com>
X-Patchwork-Id: 89521
Return-Path: <nitin.wankhade333@gmail.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 556C1CD8CA4
	for <webhook@archiver.kernel.org>; Tue,  9 Jun 2026 08:32:33 +0000 (UTC)
Received: from mail-pj1-f44.google.com (mail-pj1-f44.google.com
 [209.85.216.44])
 by mx.groups.io with SMTP id smtpd.msgproc01-g2.74582.1780993949725082652
 for <openembedded-devel@lists.openembedded.org>;
 Tue, 09 Jun 2026 01:32:29 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@gmail.com header.s=20251104 header.b=qanSbIcz;
 spf=pass (domain: gmail.com, ip: 209.85.216.44,
 mailfrom: nitin.wankhade333@gmail.com)
Received: by mail-pj1-f44.google.com with SMTP id
 98e67ed59e1d1-36b78532b0dso507921a91.1
        for <openembedded-devel@lists.openembedded.org>;
 Tue, 09 Jun 2026 01:32:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20251104; t=1780993949; x=1781598749;
 darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=Fwlxk9QoTrf+wgxy/iYDAqkCF+dNrz13GEjgxsuSW78=;
        b=qanSbIczdxFWCEQiGMw9dE/DlQ/uLtiinTlZq+WMFUmNuyAIy1a2Ylkw3GqbvzIaMO
         CHD6CxkxCVUGv+thLh6lzG6DTd/RvCj4dCbRDWHrT2bUkMO7NkXZqkFtgtHv7Oqn5EGQ
         YwGT2pUKPUl/VehKVz3xkN+5gUm8LbRXRg4Zqv7ZoXVHr2iNj2ObdxqX1cimcaHwzOyx
         WnpQYXc33htaZtYoCBy3KJXVGFhFz/wjZwYFmO7wsMR/vpEY8Nd/+970DCZsPEkNzyMK
         wjgYNUkgPGxYROP9hQ2E9W1OOw2RZRmfdYj6xyUfJDIeL2nlRHIZaRi5PiauC8QDivDm
         akeA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1780993949; x=1781598749;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from
         :to:cc:subject:date:message-id:reply-to;
        bh=Fwlxk9QoTrf+wgxy/iYDAqkCF+dNrz13GEjgxsuSW78=;
        b=OWKDsM5EbV4V0jgg/QraxbzIyK8k2SmsaUFhVfff9RkJ0t3tRIzN2UygR+GMlKO08b
         fWOXrX2QFJIdMTnlbXHBOZ2ZoDmmLtzNIRSro/SOBlrLwJKG7S4kca8QuLfxM/+T1h13
         8Jp3WDfts0Z/1UAsI1eqCV4AtIFNHIYLRRgg/+edH49E6JQjNuc8QZ5/iKSuXMKE4lfb
         LgaFJO9NISNpUcbUjkB0SHlow+fuL8rM2sVB2rNnnBSEp0yUM1YbCLomiKWZEU/sviqV
         qpY9XtlOkoGX2znTN99ySm5snwVTFPRFr/MOZbb/Tzt95/ZSXqypNuY1gflZfYYKvJlg
         YUCQ==
X-Gm-Message-State: AOJu0YxhaY9SKN/wk2vc62A3XDGl9/wf1zhIhTzGLGi8ht48zE2yJAag
	Si8rFVVO6yivHUYBXEOigGSmxL9VHxgMVmgzggLC9YtLxfaIMJrQ0WjGDeZ2Yq5tBU+TZw==
X-Gm-Gg: Acq92OGmGdOjKXy69wkz+CKdn/RTdHvCr2uNmxb0f9bdYDZryGPjYrIbANTxRw2Ru5w
	Hq4ovHYT1oKY4wYeGhCT87/H+fZ2yrqaDUF1Ked7mxcOb5N1W79esN8ePjKYnIujNNU4e7Vkyo+
	9Lzye56u/FdFCVqGegROgup2eZbZuRylETDkAzogP54aaJcuOJUgBttXL5M0pUhzxfXMMAQkTcN
	5HSGvAzaU8nIFJXF8de+eXTDTGOje0epHil7m27UE9ihL9jTpIGMAijs0C3TnaFi7X9T7WpPCW0
	8aOlrsWqVqtPl3R+7mATNktfy5E/eUTQ24eFByw54sy6GPchevxZM5a7x33YIe29N1TIgXtI3kU
	X0Vtb+1hzTfpWyX8+gq8YW13R+yH4j5AdQkkElpR1pC9GeWztAOUSU1C/XrF0R6wwpPfA5TjYg3
	xxhJkblcr7P1+6tPcC/TJh+bMp0UHdkxZqrLjGZtmT+a6n13432I/Ky5M01xfj0g==
X-Received: by 2002:a17:90b:554b:b0:36d:b30b:14ed with SMTP id
 98e67ed59e1d1-370ee351f6fmr9760665a91.2.1780993948937;
        Tue, 09 Jun 2026 01:32:28 -0700 (PDT)
Received: from L-15597L.www.tendawifi.com ([36.255.86.178])
        by smtp.gmail.com with ESMTPSA id
 98e67ed59e1d1-36f6bf903fasm18196212a91.2.2026.06.09.01.32.27
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 09 Jun 2026 01:32:28 -0700 (PDT)
From: Nitin Wankhade <nitin.wankhade333@gmail.com>
To: openembedded-devel@lists.openembedded.org
Cc: Nitin.Wankhade@kpit.com
Subject: [OE-core][scarthgap][PATCH 2/6] strongswan: Fix CVE-2026-35329
Date: Tue,  9 Jun 2026 14:01:00 +0530
Message-Id: <20260609083104.869512-2-nitin.wankhade333@gmail.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20260609083104.869512-1-nitin.wankhade333@gmail.com>
References: <20260609083104.869512-1-nitin.wankhade333@gmail.com>
MIME-Version: 1.0
List-Id: <openembedded-devel.lists.openembedded.org>
X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com
 [45.33.107.173] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-devel@lists.openembedded.org>; Tue, 09 Jun 2026 08:32:33 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-devel/message/127439

Upstream-Status: Backport [https://snapshot.debian.org/archive/debian-security-debug/20260422T125423Z/pool/updates/main/s/strongswan/strongswan_6.0.1-6%2Bdeb13u5.debian.tar.xz]

Signed-off-by: Nitin Wankhade <nitin.wankhade333@gmail.com>
---
 ...d-NULL-pointer-dereference-when-veri.patch | 57 +++++++++++++++++++
 .../strongswan/strongswan_5.9.14.bb           |  1 +
 2 files changed, 58 insertions(+)
 create mode 100644 meta-networking/recipes-support/strongswan/strongswan/pkcs5-pkcs7-Avoid-NULL-pointer-dereference-when-veri.patch

diff --git a/meta-networking/recipes-support/strongswan/strongswan/pkcs5-pkcs7-Avoid-NULL-pointer-dereference-when-veri.patch b/meta-networking/recipes-support/strongswan/strongswan/pkcs5-pkcs7-Avoid-NULL-pointer-dereference-when-veri.patch
new file mode 100644
index 0000000000..0b4c498fbd
--- /dev/null
+++ b/meta-networking/recipes-support/strongswan/strongswan/pkcs5-pkcs7-Avoid-NULL-pointer-dereference-when-veri.patch
@@ -0,0 +1,57 @@
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Wed, 25 Mar 2026 10:28:45 +0100
+Subject: pkcs5/pkcs7: Avoid NULL pointer dereference when verifying padding
+
+Can be triggered via empty PKCS#7 encrypted- or enveloped-data content
+in IKEv1 CERT payload.
+
+Fixes: 4076e3ee9121 ("Extract PKCS#5 handling from pkcs8 plugin to separate helper class")
+Fixes: d7aa09104f08 ("Implement PKCS#7 enveloped-data parsing and decryption")
+Fixes: CVE-2026-35329
+
+CVE: CVE-2026-35329
+Upstream-Status: Backport [https://snapshot.debian.org/archive/debian-security-debug/20260422T125423Z/pool/updates/main/s/strongswan/strongswan_6.0.1-6%2Bdeb13u5.debian.tar.xz]
+Patch is refreshed as per the source code version 5.9.14
+Signed-off-by: Nitin Wankhade <nitin.wankhade333@gmail.com>
+===
+diff --git a/src/libstrongswan/crypto/pkcs5.c b/src/libstrongswan/crypto/pkcs5.c
+index e48a9ad..134ccd3 100644
+--- a/src/libstrongswan/crypto/pkcs5.c
++++ b/src/libstrongswan/crypto/pkcs5.c
+@@ -113,6 +113,11 @@ static bool verify_padding(crypter_t *crypter, chunk_t *blob)
+ {
+ 	uint8_t padding, count;
+ 
++	if (!blob->len)
++	{
++                return FALSE;
++       }
++
+ 	padding = count = blob->ptr[blob->len - 1];
+ 
+ 	if (padding > crypter->get_block_size(crypter))
+diff --git a/src/libstrongswan/plugins/pkcs7/pkcs7_enveloped_data.c b/src/libstrongswan/plugins/pkcs7/pkcs7_enveloped_data.c
+index 8b26bad..3d601d6 100644
+--- a/src/libstrongswan/plugins/pkcs7/pkcs7_enveloped_data.c
++++ b/src/libstrongswan/plugins/pkcs7/pkcs7_enveloped_data.c
+@@ -182,10 +182,17 @@ static bool decrypt(private_key_t *private, chunk_t key, chunk_t iv, int oid,
+  */
+ static bool remove_padding(private_pkcs7_enveloped_data_t *this)
+ {
+-	u_char *pos = this->content.ptr + this->content.len - 1;
+-	u_char pattern = *pos;
+-	size_t padding = pattern;
++	u_char *pos, pattern;
++	size_t padding;
+ 
++	if (!this->content.len)
++       {
++		return FALSE;
++	}
++
++	pos = this->content.ptr + this->content.len - 1;
++	pattern = *pos;
++	padding = pattern;
+ 	if (padding > this->content.len)
+ 	{
+ 		DBG1(DBG_LIB, "padding greater than data length");
diff --git a/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb b/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb
index 6fbc345923..ac4bc5380b 100644
--- a/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb
+++ b/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb
@@ -13,6 +13,7 @@ SRC_URI = "https://download.strongswan.org/strongswan-${PV}.tar.bz2 \
            file://CVE-2026-25075.patch \
            file://CVE-2026-35334.patch \
            file://tls-server-Prevent-infinite-loop-if-supported-versio.patch \
+           file://pkcs5-pkcs7-Avoid-NULL-pointer-dereference-when-veri.patch \
            "
 
 SRC_URI[sha256sum] = "728027ddda4cb34c67c4cec97d3ddb8c274edfbabdaeecf7e74693b54fc33678"

From patchwork Tue Jun  9 08:31:01 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Nitin Wankhade <nitin.wankhade333@gmail.com>
X-Patchwork-Id: 89523
Return-Path: <nitin.wankhade333@gmail.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 3B394CD8CBF
	for <webhook@archiver.kernel.org>; Tue,  9 Jun 2026 08:32:43 +0000 (UTC)
Received: from mail-pj1-f42.google.com (mail-pj1-f42.google.com
 [209.85.216.42])
 by mx.groups.io with SMTP id smtpd.msgproc01-g2.74583.1780993953222877137
 for <openembedded-devel@lists.openembedded.org>;
 Tue, 09 Jun 2026 01:32:33 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@gmail.com header.s=20251104 header.b=QmGL/NE9;
 spf=pass (domain: gmail.com, ip: 209.85.216.42,
 mailfrom: nitin.wankhade333@gmail.com)
Received: by mail-pj1-f42.google.com with SMTP id
 98e67ed59e1d1-36ba0ae0daaso522315a91.2
        for <openembedded-devel@lists.openembedded.org>;
 Tue, 09 Jun 2026 01:32:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20251104; t=1780993953; x=1781598753;
 darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=T7ZZCdKKvq3+XPt8ecj713zNrLjMOk+mZNXf2m+aFKg=;
        b=QmGL/NE9Bj9BKI9SnRyzoBBUA08cixPcsqiwf/dUpOLxH9/mBmR5KonkJDI5BFid29
         A0IOmetaDxlmi8m4cQBi0mT+vUPnyCgaNsQN0067M0h1QAszQo19GwXifSEaMYoPrzZ3
         jllWgJoW8kZrV/K28pYeFRwzpbu9kYHZvr3nxMVrue09fp7Y4jJiQRqic7QhVGvdppGJ
         arcBlnzC3ZcVJqMG6skqbBNXerPtunvBvpucXXVqPZwRAOnqgzqpKHQjWxc9pvTD8eo0
         NUPfRyDrzzd8a1nxrkASQUxExtKRPKgTX/odi8N033uNF7Mlg7aV/idZT321c9Cf1h5K
         r7VQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1780993953; x=1781598753;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from
         :to:cc:subject:date:message-id:reply-to;
        bh=T7ZZCdKKvq3+XPt8ecj713zNrLjMOk+mZNXf2m+aFKg=;
        b=GrBIA4ge6XOfOjvZYoD1CpMdCCG8za3tJLyK5VlMHNU/mJpd9Vn8u6PWPUdX2zdENK
         nvRAgC+qAi5c+2T9hM4RH7T/ZQQIDnWR7Gv9DL4iKqzL6wp/2awpYKGSi3YFeZlsPxKt
         HGULn838Og1wAE1fJ2UlKKoQM08QbSnST/AwXiOfCPdy2qIZcATdAofEkEauQ4BMC8C8
         /WKO0DkKPSsJylcZOc1hMIWKTeLkeRwY++3tOGWtggWchMwvLv0l3bKf8T80j5x2Dnlx
         oaUFsU84hlrjvN3nB6CjuquCKUu0YZIN1bfckBbLrwybEIsSJ6BGFizM02SmGnMkhiIJ
         QXBg==
X-Gm-Message-State: AOJu0YyTHasFbQjCV9ZlAAjDwbAPeGHbZOFmDaAL1/y8y5Ehf9ky6D6G
	RinBYYEZ5XChYAd+wlvx44zaCK5d4PZdvQKd/0PTbyGKnOzs1D5fspPMkui2CW5BX0hjcg==
X-Gm-Gg: Acq92OEftYud1oa+guYPepeEhfdoJQ4fw4zwXk9edPdZ0uhIEacLQGgMCjC8c2K77MZ
	tm2BtMtH7lngB/Ozs6RDQL3ITAuzgMPdOfS0os5jcKmNq60Dr3LCn/thlDcMoRZUv/3dqGkmoFy
	9XzObUPYzePEiGc94FoucFKYJ/mhF55dfTz2DzusV+jxeBhyf82RGsIsZV0fuFhon2FcLRTgMOR
	6ulGjdX6GnQ543SMrDRdj30QB+x4kA4cu1QJP6joYulr1zywLSlzd+mWiRtOYiDqu8iHJdfPFgd
	TaawLDmKAHWR+SUcWbtP2ZQUeA3JY896hxotEFf3UcEeiHJZ/gEH2onH8xjeNy37ZXvhcJvmuhQ
	S5j09Mgex1Ype75F/yq4cxa1gLC3BP7xX58f140ip6cAxoX/AI6K7tz64GqMHYgKYQzWbNLIAY7
	ptbcvf09HmnCDuwphA3Q23CjwvFxnslK2nZDsdcb/BbiQH4T15zT+KktE1UQZ6VRwGguerqk0w
X-Received: by 2002:a17:90a:e70f:b0:364:be8f:1d86 with SMTP id
 98e67ed59e1d1-370f0e4b6ecmr10853060a91.8.1780993952560;
        Tue, 09 Jun 2026 01:32:32 -0700 (PDT)
Received: from L-15597L.www.tendawifi.com ([36.255.86.178])
        by smtp.gmail.com with ESMTPSA id
 98e67ed59e1d1-36f6bf903fasm18196212a91.2.2026.06.09.01.32.30
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 09 Jun 2026 01:32:32 -0700 (PDT)
From: Nitin Wankhade <nitin.wankhade333@gmail.com>
To: openembedded-devel@lists.openembedded.org
Cc: Nitin.Wankhade@kpit.com
Subject: [OE-core][scarthgap][PATCH 3/6] strongswan: Fix CVE-2026-35330
Date: Tue,  9 Jun 2026 14:01:01 +0530
Message-Id: <20260609083104.869512-3-nitin.wankhade333@gmail.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20260609083104.869512-1-nitin.wankhade333@gmail.com>
References: <20260609083104.869512-1-nitin.wankhade333@gmail.com>
MIME-Version: 1.0
List-Id: <openembedded-devel.lists.openembedded.org>
X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com
 [45.33.107.173] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-devel@lists.openembedded.org>; Tue, 09 Jun 2026 08:32:43 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-devel/message/127440

Upstream-Status: Backport [https://snapshot.debian.org/archive/debian-security-debug/20260422T125423Z/pool/updates/main/s/strongswan/strongswan_6.0.1-6%2Bdeb13u5.debian.tar.xz]

Signed-off-by: Nitin Wankhade <nitin.wankhade333@gmail.com>
---
 ...-Reject-zero-length-EAP-SIM-AKA-attributes | 54 +++++++++++++++++++
 .../strongswan/strongswan_5.9.14.bb           |  1 +
 2 files changed, 55 insertions(+)
 create mode 100644 meta-networking/recipes-support/strongswan/strongswan/libsimaka-Reject-zero-length-EAP-SIM-AKA-attributes

diff --git a/meta-networking/recipes-support/strongswan/strongswan/libsimaka-Reject-zero-length-EAP-SIM-AKA-attributes b/meta-networking/recipes-support/strongswan/strongswan/libsimaka-Reject-zero-length-EAP-SIM-AKA-attributes
new file mode 100644
index 0000000000..fdb60d0e55
--- /dev/null
+++ b/meta-networking/recipes-support/strongswan/strongswan/libsimaka-Reject-zero-length-EAP-SIM-AKA-attributes
@@ -0,0 +1,54 @@
+From: =?utf-8?q?Lukas_Johannes_M=C3=B6ller?= <research@johannes-moeller.dev>
+Date: Wed, 11 Mar 2026 16:07:10 +0000
+Subject: libsimaka: Reject zero-length EAP-SIM/AKA attributes
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+parse_attributes() accepts hdr->length == 0 in the AT_ENCR_DATA,
+AT_RAND, AT_PADDING, default branches. The code then subtracts the
+fixed attribute header size from the encoded length, which underflows
+and exposes a wrapped payload length to later code.  In particular,
+for the cases where add_attribute() is called, this causes a heap-based
+buffer overflow (a buffer of 12 bytes is allocated to which the wrapped
+length is written).  For AT_PADDING, the underflow is irrelevant as
+add_attribute() is not called. Instead, this results in an infinite loop.
+
+Reject zero-length attributes before subtracting the attribute header.
+
+Signed-off-by: Lukas Johannes Möller <research@johannes-moeller.dev>
+
+Fixes: f8330d03953b ("Added a libsimaka library with shared message handling code for EAP-SIM/AKA")
+Fixes: CVE-2026-35330
+
+CVE: CVE-2026-35330
+Upstream-Status: Backport [https://snapshot.debian.org/archive/debian-security-debug/20260422T125423Z/pool/updates/main/s/strongswan/strongswan_6.0.1-6%2Bdeb13u5.debian.tar.xz]
+Signed-off-by: Nitin Wankhade <nitin.wankhade333@gmail.com>
+===
+diff --git a/src/libsimaka/simaka_message.c b/src/libsimaka/simaka_message.c
+index 6706568..4862048 100644
+--- a/src/libsimaka/simaka_message.c
++++ b/src/libsimaka/simaka_message.c
+@@ -416,7 +416,7 @@ static bool parse_attributes(private_simaka_message_t *this, chunk_t in)
+ 			case AT_ENCR_DATA:
+ 			case AT_RAND:
+ 			{
+-				if (hdr->length * 4 > in.len || in.len < 4)
++				if (hdr->length == 0 || hdr->length * 4 > in.len || in.len < 4)
+ 				{
+ 					return invalid_length(hdr->type);
+ 				}
+@@ -439,7 +439,7 @@ static bool parse_attributes(private_simaka_message_t *this, chunk_t in)
+ 			case AT_PADDING:
+ 			default:
+ 			{
+-				if (hdr->length * 4 > in.len || in.len < 4)
++				if (hdr->length == 0 || hdr->length * 4 > in.len || in.len < 4)
+ 				{
+ 					return invalid_length(hdr->type);
+ 				}
+@@ -932,4 +932,3 @@ simaka_message_t *simaka_message_create(bool request, uint8_t identifier,
+ 	return simaka_message_create_data(chunk_create((char*)&hdr, sizeof(hdr)),
+ 									  crypto);
+ }
+-
diff --git a/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb b/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb
index ac4bc5380b..85fd95d6b8 100644
--- a/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb
+++ b/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb
@@ -14,6 +14,7 @@ SRC_URI = "https://download.strongswan.org/strongswan-${PV}.tar.bz2 \
            file://CVE-2026-35334.patch \
            file://tls-server-Prevent-infinite-loop-if-supported-versio.patch \
            file://pkcs5-pkcs7-Avoid-NULL-pointer-dereference-when-veri.patch \
+           file://libsimaka-Reject-zero-length-EAP-SIM-AKA-attributes.patch \
            "
 
 SRC_URI[sha256sum] = "728027ddda4cb34c67c4cec97d3ddb8c274edfbabdaeecf7e74693b54fc33678"

From patchwork Tue Jun  9 08:31:02 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Nitin Wankhade <nitin.wankhade333@gmail.com>
X-Patchwork-Id: 89525
Return-Path: <nitin.wankhade333@gmail.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 24B8BCD8CAD
	for <webhook@archiver.kernel.org>; Tue,  9 Jun 2026 08:32:43 +0000 (UTC)
Received: from mail-pj1-f48.google.com (mail-pj1-f48.google.com
 [209.85.216.48])
 by mx.groups.io with SMTP id smtpd.msgproc02-g2.74754.1780993958325822023
 for <openembedded-devel@lists.openembedded.org>;
 Tue, 09 Jun 2026 01:32:38 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@gmail.com header.s=20251104 header.b=dVEHCHOC;
 spf=pass (domain: gmail.com, ip: 209.85.216.48,
 mailfrom: nitin.wankhade333@gmail.com)
Received: by mail-pj1-f48.google.com with SMTP id
 98e67ed59e1d1-36f4773d7abso836814a91.3
        for <openembedded-devel@lists.openembedded.org>;
 Tue, 09 Jun 2026 01:32:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20251104; t=1780993958; x=1781598758;
 darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=aqUW/FTMUxt4aZiWr45+xMxo6IjJBJtodPFUPb44HjQ=;
        b=dVEHCHOCyg+oZ4fun38X9ZhFcncVxYI2KoY2F332T2kHvSNG1glH0zm32qWR/+V7vZ
         D0MluYjricghx5yJ0mL1AldTpAa3V3SCTMDBUgEczoJ9A1vlpC9ZQf+3THtNi/oxq867
         D/LEGQ4CTtHy8nFI8MPoSAg7i6pPhm1ksWgFHcmgipntJQ/dnNdwwzSIJftcMIaMmZmR
         Ie5hvnr9o+QqZ6DoO/scep7nTdodXGkhJgj/VIlHSMYfkO6qktsv6crfYs4gvecF18Le
         zb9T9nTWvhqHcQC+NUHJtlDBphzNymwg3KPX4yr30CvxXRAxyD+EmJ1Ia0cGbXUdnSvj
         bujA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1780993958; x=1781598758;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from
         :to:cc:subject:date:message-id:reply-to;
        bh=aqUW/FTMUxt4aZiWr45+xMxo6IjJBJtodPFUPb44HjQ=;
        b=Kifz2kzmbWiWP/2oL+iax5AU/TfiP3ffpw5p7qelJtwPLCiWapWOIzr8nPDxWI7HdG
         Z5iKAhYDuN7UCwenK1nEFnSoKx5Wv6Zk3ppkuUkOUm51K72VO0Hr+KgzWXbAWu9nYn8G
         f/10L71QmpZ4hgsqW7aTjYGLa+8y6Dni8A1VI8UReZCqJdRgCW8ir11j9lKFgUvHxoKA
         y4GRkgchl8bPXDaCfIYXINdWDx4po9GySQ8ukcjCUso5XoxBevefhq5ju8FKntmz3RM4
         2i95Xr9nf/1b0+pDDJznM8RE0ZBQplHVJWC81TatopOAJJIP88SSgPmFN9pQKHFRcThz
         Wu3w==
X-Gm-Message-State: AOJu0YwvcQTkb7L1V5PbuAzKBYMnSJ4XRgn80Zd/6hRH4+LdXkxhyj0Q
	0mV8CFopI49YabfkgRF3I8LpyV+LKGSxU1KKEgtdz368Ov1f3vl/BEc8XgAP0YCFmARa0Q==
X-Gm-Gg: Acq92OE8OqtIR26V8XErAlpbqY4t4EcEd1e094TzDpGZhvB6sWDU7tEqIL2r3J1bw2Y
	Iu1DyDBmNDj5oFUAgG+NDb4N5fDJMmX4X5CE505DPF5cwgOPQ2eoRQw0pBfJ28vkqzI6CxgTxkX
	xo7PPQxbK0eYB/9+5crrTYgq2V1AJ5R36uCR8FRYyQMWy+epD7cB5Os/51RA27rqPEKR5ezt1eL
	heV7bxJ/lPBDjYV4tn4oldP54KwcIeUrOEZNWaAYa77gSdzD1mUvpmfdo0VjjC338RnntNo0Ys0
	pIwgM8hTgZ8lLiv6f9QOuho/2QkDM6R6k0ZPG1b1AxC3Kn2xdVjJlblMOY7iXV5ZItmLLYEwC/X
	CB9ouMMaPzKkD2eOjuuOvGKtbVCCzqA5MOIg0sY4iFPZgKvnCsteCN8L/FzB2ESkWfGSwbbFsCK
	6ciliGtOL/DyGe49fh5Ap/uJesMWMqWWRnVVCED7UgdMdyNY/T2GFoACWSmhLzHA==
X-Received: by 2002:a17:90b:1801:b0:36b:a12b:f540 with SMTP id
 98e67ed59e1d1-370f3460ca4mr10525974a91.5.1780993957648;
        Tue, 09 Jun 2026 01:32:37 -0700 (PDT)
Received: from L-15597L.www.tendawifi.com ([36.255.86.178])
        by smtp.gmail.com with ESMTPSA id
 98e67ed59e1d1-36f6bf903fasm18196212a91.2.2026.06.09.01.32.36
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 09 Jun 2026 01:32:37 -0700 (PDT)
From: Nitin Wankhade <nitin.wankhade333@gmail.com>
To: openembedded-devel@lists.openembedded.org
Cc: Nitin.Wankhade@kpit.com
Subject: [OE-core][scarthgap][PATCH 4/6] strongswan: Fix CVE-2026-35331
Date: Tue,  9 Jun 2026 14:01:02 +0530
Message-Id: <20260609083104.869512-4-nitin.wankhade333@gmail.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20260609083104.869512-1-nitin.wankhade333@gmail.com>
References: <20260609083104.869512-1-nitin.wankhade333@gmail.com>
MIME-Version: 1.0
List-Id: <openembedded-devel.lists.openembedded.org>
X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com
 [45.33.107.173] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-devel@lists.openembedded.org>; Tue, 09 Jun 2026 08:32:43 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-devel/message/127441

Upstream-Status: Backport [https://snapshot.debian.org/archive/debian-security-debug/20260422T125423Z/pool/updates/main/s/strongswan/strongswan_6.0.1-6%2Bdeb13u5.debian.tar.xz]

Signed-off-by: Nitin Wankhade <nitin.wankhade333@gmail.com>
---
 ...-insensitive-matching-and-reject-exc.patch | 175 ++++++++++++++++++
 .../strongswan/strongswan_5.9.14.bb           |   1 +
 2 files changed, 176 insertions(+)
 create mode 100644 meta-networking/recipes-support/strongswan/strongswan/constraints-Case-insensitive-matching-and-reject-exc.patch

diff --git a/meta-networking/recipes-support/strongswan/strongswan/constraints-Case-insensitive-matching-and-reject-exc.patch b/meta-networking/recipes-support/strongswan/strongswan/constraints-Case-insensitive-matching-and-reject-exc.patch
new file mode 100644
index 0000000000..e307797302
--- /dev/null
+++ b/meta-networking/recipes-support/strongswan/strongswan/constraints-Case-insensitive-matching-and-reject-exc.patch
@@ -0,0 +1,175 @@
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Mon, 23 Mar 2026 17:45:11 +0100
+Subject: constraints: Case-insensitive matching and reject excluded DN name
+ constraints
+
+The case is generally ignored when matching identities.  So this is
+an issue with excluded name constraints where a malicious intermediate
+CA could evade the constraints by issuing certificates with names that
+just modify the case (e.g. strongSwan.org instead strongswan.org).
+
+Note that it's likely that permitted name constraints are preferred over
+excluded name constraints as it might be difficult to come up with a
+conclusive list of names to exclude.
+
+With directoryName (DN) name constraints the issue is a bit more comples.
+Some RDNs have to be matched in a case-insensitive manner, which we e.g.
+do in `identification.c::rdn_equals`.  By not doing it for name
+constraints, a malicious intermediate CA could evade an excluded name
+constraint just by modifying the case in such an RDN.
+
+While we could use the mentioned function in `dn_matches`, this doesn't
+properly fix the problem because the function is basically too strict.
+Especially in regards to RDNs of type UTF8String, which are only compared
+binary.  To match these properly, we'd have to implement the string
+preparation described in RFC 5280, section 7.1 and the referenced RFCs.
+Until that's the case, we reject excluded name constraints of type
+directoryName as we are unable to enforce them.
+
+Fixes: a2b340764fac ("Implemented NameConstraint matching in constraints plugin")
+Fixes: CVE-2026-35331
+
+CVE: CVE-2026-35331
+Upstream-Status: Backport [https://snapshot.debian.org/archive/debian-security-debug/20260422T125423Z/pool/updates/main/s/strongswan/strongswan_6.0.1-6%2Bdeb13u5.debian.tar.xz]
+Signed-off-by: Nitin Wankhade <nitin.wankhade333@gmail.com>
+===
+diff --git a/src/libstrongswan/plugins/constraints/constraints_validator.c b/src/libstrongswan/plugins/constraints/constraints_validator.c
+index 27bdb89..daa7bfa 100644
+--- a/src/libstrongswan/plugins/constraints/constraints_validator.c
++++ b/src/libstrongswan/plugins/constraints/constraints_validator.c
+@@ -55,6 +55,18 @@ static bool check_pathlen(x509_t *issuer, int pathlen)
+ 	return TRUE;
+ }
+ 
++/**
++ * Check if the constraint and ID strings match case-insensitively
++ */
++static bool string_matches(chunk_t constraint, chunk_t id)
++{
++       /* make sure the two strings have actually the same length */
++       return constraint.len == id.len &&
++                  memchr(constraint.ptr, 0, constraint.len) == NULL &&
++                  memchr(id.ptr, 0, id.len) == NULL &&
++                  strncasecmp(constraint.ptr, id.ptr, constraint.len) == 0;
++}
++
+ /**
+  * Check if a FQDN constraint matches
+  */
+@@ -70,7 +82,7 @@ static bool fqdn_matches(identification_t *constraint, identification_t *id)
+ 		return FALSE;
+ 	}
+ 	diff = chunk_create(i.ptr, i.len - c.len);
+-	if (!chunk_equals(c, chunk_skip(i, diff.len)))
++	if (!string_matches(c, chunk_skip(i, diff.len)))
+ 	{
+ 		return FALSE;
+ 	}
+@@ -101,10 +113,10 @@ static bool email_matches(identification_t *constraint, identification_t *id)
+ 	}
+ 	if (memchr(c.ptr, '@', c.len))
+ 	{	/* constraint is a full email address */
+-		return chunk_equals(c, i);
++		return string_matches(c, i);
+ 	}
+ 	diff = chunk_create(i.ptr, i.len - c.len);
+-	if (!chunk_equals(c, chunk_skip(i, diff.len)))
++	if (!string_matches(c, chunk_skip(i, diff.len)))
+ 	{
+ 		return FALSE;
+ 	}
+@@ -389,9 +401,17 @@ static bool collect_constraints(x509_t *x509, bool permitted, hashtable_t **out)
+ 		type = constraint->get_type(constraint);
+ 		switch (type)
+ 		{
++			case ID_DER_ASN1_DN:
++                               if (!permitted)
++                               {
++                                       DBG1(DBG_CFG, "excluded %N NameConstraint not supported",
++                                                id_type_names, type);
++                                       success = FALSE;
++                                       break;
++                               }
++                               /* fall-through */
+ 			case ID_FQDN:
+ 			case ID_RFC822_ADDR:
+-			case ID_DER_ASN1_DN:
+ 			case ID_IPV4_ADDR_SUBNET:
+ 			case ID_IPV6_ADDR_SUBNET:
+ 				break;
+diff --git a/src/libstrongswan/tests/suites/test_certnames.c b/src/libstrongswan/tests/suites/test_certnames.c
+index 2549fb6..14570ee 100644
+--- a/src/libstrongswan/tests/suites/test_certnames.c
++++ b/src/libstrongswan/tests/suites/test_certnames.c
+@@ -207,8 +207,10 @@ static struct {
+ 	bool good;
+ } permitted_san[] = {
+ 	{ ".strongswan.org", "test.strongswan.org", TRUE },
++	{ ".strongswan.org", "test.strongSwan.org", TRUE },
+ 	{ "strongswan.org", "test.strongswan.org", TRUE },
+ 	{ "a.b.c.strongswan.org", "d.a.b.c.strongswan.org", TRUE },
++	{ "a.b.c.strongswan.org", "d.A.b.C.strongswan.org", TRUE },
+ 	{ "a.b.c.strongswan.org", "a.b.c.d.strongswan.org", FALSE },
+ 	{ "strongswan.org", "strongswan.org.com", FALSE },
+ 	{ ".strongswan.org", "strongswan.org", FALSE },
+@@ -216,8 +218,11 @@ static struct {
+ 	{ "strongswan.org", "swan.org", FALSE },
+ 	{ "strongswan.org", "swan.org", FALSE },
+ 	{ "tester@strongswan.org", "tester@strongswan.org", TRUE },
++	{ "tester@strongswan.org", "tester@strongSwan.org", TRUE },
++	{ "tester@strongswan.org", "TESTER@strongswan.org", TRUE },
+ 	{ "tester@strongswan.org", "atester@strongswan.org", FALSE },
+ 	{ "email:strongswan.org", "tester@strongswan.org", TRUE },
++	{ "email:strongswan.org", "tester@strongSwan.org", TRUE },
+ 	{ "email:strongswan.org", "tester@test.strongswan.org", FALSE },
+ 	{ "email:.strongswan.org", "tester@test.strongswan.org", TRUE },
+ 	{ "email:.strongswan.org", "tester@strongswan.org", FALSE },
+@@ -248,11 +253,11 @@ static struct {
+ 	char *subject;
+ 	bool good;
+ } excluded_dn[] = {
+-	{ "C=CH, O=another", "C=CH, O=strongSwan, CN=tester", TRUE },
+-	{ "C=CH, O=another", "C=CH, O=anot", TRUE },
+-	{ "C=CH, O=another", "C=CH, O=anot, CN=tester", TRUE },
++	{ "C=CH, O=another", "C=CH, O=strongSwan, CN=tester", FALSE },
++	{ "C=CH, O=another", "C=CH, O=anot", FALSE },
++	{ "C=CH, O=another", "C=CH, O=anot, CN=tester", FALSE },
+ 	{ "C=CH, O=another", "C=CH, O=another, CN=tester", FALSE },
+-	{ "C=CH, O=another", "C=CH, CN=tester, O=another", TRUE },
++	{ "C=CH, O=another", "C=CH, CN=tester, O=another", FALSE },
+ };
+ 
+ START_TEST(test_excluded_dn)
+@@ -281,7 +286,9 @@ static struct {
+ } excluded_san[] = {
+ 	{ ".strongswan.org", "test.strongswan.org", FALSE },
+ 	{ "strongswan.org", "test.strongswan.org", FALSE },
++	{ "strongswan.org", "test.strongSwan.org", FALSE },
+ 	{ "a.b.c.strongswan.org", "d.a.b.c.strongswan.org", FALSE },
++	{ "a.b.c.strongswan.org", "d.a.b.C.strongswan.org", FALSE },
+ 	{ "a.b.c.strongswan.org", "a.b.c.d.strongswan.org", TRUE },
+ 	{ "strongswan.org", "strongswan.org.com", TRUE },
+ 	{ ".strongswan.org", "strongswan.org", TRUE },
+@@ -289,8 +296,10 @@ static struct {
+ 	{ "strongswan.org", "swan.org", TRUE },
+ 	{ "strongswan.org", "swan.org", TRUE },
+ 	{ "tester@strongswan.org", "tester@strongswan.org", FALSE },
++	{ "tester@strongswan.org", "TESTER@strongswan.org", FALSE },
+ 	{ "tester@strongswan.org", "atester@strongswan.org", TRUE },
+ 	{ "email:strongswan.org", "tester@strongswan.org", FALSE },
++	{ "email:strongswan.org", "tester@strongSwan.org", FALSE },
+ 	{ "email:strongswan.org", "tester@test.strongswan.org", TRUE },
+ 	{ "email:.strongswan.org", "tester@test.strongswan.org", FALSE },
+ 	{ "email:.strongswan.org", "tester@strongswan.org", TRUE },
+@@ -418,9 +427,9 @@ static struct {
+ 	char *subject;
+ 	bool good;
+ } excluded_dn_levels[] = {
+-	{ "C=CH, O=strongSwan", "C=CH", "C=DE", TRUE },
++	{ "C=CH, O=strongSwan", "C=CH", "C=DE", FALSE },
+ 	{ "C=CH, O=strongSwan", "C=CH", "C=CH", FALSE },
+-	{ "C=CH, O=strongSwan", "C=DE", "C=CH", TRUE },
++	{ "C=CH, O=strongSwan", "C=DE", "C=CH", FALSE },
+ 	{ "C=CH, O=strongSwan", "C=DE", "C=DE", FALSE },
+ 	{ "C=CH, O=strongSwan", "C=DE", "C=CH, O=strongSwan", FALSE },
+ 	{ NULL, "C=CH", "C=CH, O=strongSwan", FALSE },
diff --git a/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb b/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb
index 85fd95d6b8..41a4de845f 100644
--- a/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb
+++ b/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb
@@ -15,6 +15,7 @@ SRC_URI = "https://download.strongswan.org/strongswan-${PV}.tar.bz2 \
            file://tls-server-Prevent-infinite-loop-if-supported-versio.patch \
            file://pkcs5-pkcs7-Avoid-NULL-pointer-dereference-when-veri.patch \
            file://libsimaka-Reject-zero-length-EAP-SIM-AKA-attributes.patch \
+           file://constraints-Case-insensitive-matching-and-reject-exc.patch \
            "
 
 SRC_URI[sha256sum] = "728027ddda4cb34c67c4cec97d3ddb8c274edfbabdaeecf7e74693b54fc33678"

From patchwork Tue Jun  9 08:31:03 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Nitin Wankhade <nitin.wankhade333@gmail.com>
X-Patchwork-Id: 89524
Return-Path: <nitin.wankhade333@gmail.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 19D8ACD8CAC
	for <webhook@archiver.kernel.org>; Tue,  9 Jun 2026 08:32:43 +0000 (UTC)
Received: from mail-pj1-f44.google.com (mail-pj1-f44.google.com
 [209.85.216.44])
 by mx.groups.io with SMTP id smtpd.msgproc01-g2.74586.1780993961786216550
 for <openembedded-devel@lists.openembedded.org>;
 Tue, 09 Jun 2026 01:32:41 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@gmail.com header.s=20251104 header.b=US0VQTgX;
 spf=pass (domain: gmail.com, ip: 209.85.216.44,
 mailfrom: nitin.wankhade333@gmail.com)
Received: by mail-pj1-f44.google.com with SMTP id
 98e67ed59e1d1-36bb6d54a56so619336a91.2
        for <openembedded-devel@lists.openembedded.org>;
 Tue, 09 Jun 2026 01:32:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20251104; t=1780993961; x=1781598761;
 darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=YpTzRwOH1EQhfAkEgDqEkq7TbNCOKccd5uRm/JYnFOs=;
        b=US0VQTgX7kkD6w0N57tBYz1d55yQ0kGJ/6zmlp25MIFN3zsJ1+CrRPLkiq83Xh49Pi
         3MXiHYMPyGMeB1pafDQGND5t9PeajsyZdl0v4K2maZ85KnYv0Cq7VDQXFdgVU5IPE1r3
         IYShTqM43SyaI5GAgo1DzakdRPTAhg2A2wSGTNs0bqxKMqZA3aQdm88C4ormluibUSq5
         8DRXia113L8mh+iktSAumcq71FD7ninRQbO5nUIOzGkpVNYZ40HA4j+AYwQVm9lhwQ6a
         LgTHPbK+RPd34p0+sk78cnVEWj/KbQiEGk+SMWTc95F3sd/mKGGtRRveq5LoEU9p+WUW
         kpTg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1780993961; x=1781598761;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from
         :to:cc:subject:date:message-id:reply-to;
        bh=YpTzRwOH1EQhfAkEgDqEkq7TbNCOKccd5uRm/JYnFOs=;
        b=SPxKs8rL95ar8Hp67m0NjIzWcdtYPTZq9BJmIOGJDSAEjCdT2rK0ELgeqz3yx0D9gA
         sk+4CsNhA0sJb0N9CfIiXiT5EqfAiPbHtjpDwjgdrLJVk8ySEGwB6o3yWDg4SYRQwz6G
         PWqhk9urGpkpaMBt+gsh9ycRa4tl5iRWy/ZYGjvspVwjl58SGu8n2KqAezH+ua65vnEt
         +hRe/96dV/liFdb/qJsP7dyiNNMKj10kOjxQNzCQqQRdQDu9vX8vAgrCVnOnD6zFTCkt
         ozSm6jXI8j2gW7qPia4GjUJiDivuvomCybCC8mnrlfz6jQEe9tGDKDcouzWARBO2c/QM
         VueA==
X-Gm-Message-State: AOJu0Yzck3yFMyceziO0hLWfYPssgqa+/jIjcsR8MngXQKEqfzmQskc5
	FwVQvRj7CHbTc9mTMFL58OEfOLOT+3qSZ25opngUEZ6Bs+xMDo+n4OLJCUl9onvogl6Pcw==
X-Gm-Gg: Acq92OEBpygO35BOq5W/TaQ3cIuDqbGojBRzXqfMozuUeh/LE4yluDT9dzliXtIt8gy
	U0HH9q9+8HtAODbyc2XvDh5x0YN4hBR2CGI2jhhg/dcFe3FPM014tH0Qy0SRu3tmg05r/ogHmxi
	G0BQDDJ1H366MfPKlHYIsEws7rONcMkezREsgh+vqcvlBeVKTOQq9G8kGEVYh6WUMOQ3Kt6qCWm
	BG5JcPBEPuScApFsix1gWze6o+yGPYD7BOkMKKSJP2FuuBjCBIAOyDddFofUL9DpgtftCHENpW2
	CyRgwPeRIRUdd27n94GhL5y3Q7duK4V7mcp59X/l8i0EZoymwotQAr9zc0gKYGrx/Y1FCjpDJ6+
	GwYxYiIH4nDzyjp2k/gVB7S2Vx1dfSXS00KBYaVz2FJ8Ztc0U+9K3ymHyR5aEtwNCWotKJXU5av
	QJ6UozGNFUHyCiWZBpaHvjDxdvg+CvFUlBx91yXm5XgzUEuA8/N2T4HmnP99+URw==
X-Received: by 2002:a17:90b:3512:b0:365:d912:a4ad with SMTP id
 98e67ed59e1d1-370ec0f4371mr9402150a91.0.1780993961142;
        Tue, 09 Jun 2026 01:32:41 -0700 (PDT)
Received: from L-15597L.www.tendawifi.com ([36.255.86.178])
        by smtp.gmail.com with ESMTPSA id
 98e67ed59e1d1-36f6bf903fasm18196212a91.2.2026.06.09.01.32.39
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 09 Jun 2026 01:32:40 -0700 (PDT)
From: Nitin Wankhade <nitin.wankhade333@gmail.com>
To: openembedded-devel@lists.openembedded.org
Cc: Nitin.Wankhade@kpit.com
Subject: [OE-core][scarthgap][PATCH 5/6] strongswan: Fix CVE-2026-35332
Date: Tue,  9 Jun 2026 14:01:03 +0530
Message-Id: <20260609083104.869512-5-nitin.wankhade333@gmail.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20260609083104.869512-1-nitin.wankhade333@gmail.com>
References: <20260609083104.869512-1-nitin.wankhade333@gmail.com>
MIME-Version: 1.0
List-Id: <openembedded-devel.lists.openembedded.org>
X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com
 [45.33.107.173] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-devel@lists.openembedded.org>; Tue, 09 Jun 2026 08:32:43 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-devel/message/127442

Upstream-Status: Backport [https://snapshot.debian.org/archive/debian-security-debug/20260422T125423Z/pool/updates/main/s/strongswan/strongswan_6.0.1-6%2Bdeb13u5.debian.tar.xz]

Signed-off-by: Nitin Wankhade <nitin.wankhade333@gmail.com>
---
 ...accept-non-empty-ECDH-public-keys-wi.patch | 51 +++++++++++++++++++
 .../strongswan/strongswan_5.9.14.bb           |  1 +
 2 files changed, 52 insertions(+)
 create mode 100644 meta-networking/recipes-support/strongswan/strongswan/tls-server-Only-accept-non-empty-ECDH-public-keys-wi.patch

diff --git a/meta-networking/recipes-support/strongswan/strongswan/tls-server-Only-accept-non-empty-ECDH-public-keys-wi.patch b/meta-networking/recipes-support/strongswan/strongswan/tls-server-Only-accept-non-empty-ECDH-public-keys-wi.patch
new file mode 100644
index 0000000000..054d34933f
--- /dev/null
+++ b/meta-networking/recipes-support/strongswan/strongswan/tls-server-Only-accept-non-empty-ECDH-public-keys-wi.patch
@@ -0,0 +1,51 @@
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Fri, 20 Mar 2026 17:38:07 +0100
+Subject: tls-server: Only accept non-empty ECDH public keys with TLS < 1.3
+
+This prevents a crash due to a null-pointer dereference when processing
+an empty ECDH public key.
+
+The previous length check only applied in the `!ec` case, so in the `ec`
+case, the access to `pub.ptr[0]` was unguarded.  If a crafted TLS
+record ends with an empty ClientKeyExchange, then `read_data8` sets
+`pub` to `chunk_empty`, causing a null-pointer dereference.
+
+Note that if some data follows the empty ClientKeyExchange, this just
+causes a 1-byte out-of-bounds read that has no further effect as the
+TLS session is aborted immediately.  Either because the read value
+doesn't equal TLS_ANSI_UNCOMPRESSED or because the empty public key
+is rejected by `set_public_key()`.
+
+The referenced commit that introduced the pointer access, added the
+check for `pub.len` specifically to the `!ec` case, while the pointer
+access was initially unconditional (probably because the code was just
+copied from `tls_peer.c` which processes ECDH public keys in a separate
+function, so there was no `ec` flag).  The latter was fixed a couple of
+days later with 7b3c01845f63 ("Read the compression type byte for EC
+groups, only").  However, that commit didn't change the length check.
+Anyway, it's possible that the original intention was to add the check
+to the `ec` case on the previous line, or that there was some confusion
+with the parenthesis and something like the current code was intended to
+begin with.
+
+Fixes: e6cce7ff0d1b ("Prepend point format to ECDH public key")
+Fixes: CVE-2026-35332
+
+CVE: CVE-2026-35332
+Upstream-Status: Backport [https://snapshot.debian.org/archive/debian-security-debug/20260422T125423Z/pool/updates/main/s/strongswan/strongswan_6.0.1-6%2Bdeb13u5.debian.tar.xz]
+Patch is refreshed as per the source code version 5.9.14
+Signed-off-by: Nitin Wankhade <nitin.wankhade333@gmail.com>
+===
+diff --git a/src/libtls/tls_server.c b/src/libtls/tls_server.c
+index 7b2238e..bffc01c 100644
+--- a/src/libtls/tls_server.c
++++ b/src/libtls/tls_server.c
+@@ -857,7 +857,7 @@ static status_t process_key_exchange_dhe(private_tls_server_t *this,
+ 	group = this->dh->get_method(this->dh);
+ 	ec = key_exchange_is_ecdh(group);
+ 	if ((ec && !reader->read_data8(reader, &pub)) ||
+-		(!ec && (!reader->read_data16(reader, &pub) || pub.len == 0)))
++		(!ec && !reader->read_data16(reader, &pub)) || pub.len == 0)
+ 	{
+ 		DBG1(DBG_TLS, "received invalid Client Key Exchange");
+ 		this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
diff --git a/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb b/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb
index 41a4de845f..f65a94dd73 100644
--- a/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb
+++ b/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb
@@ -16,6 +16,7 @@ SRC_URI = "https://download.strongswan.org/strongswan-${PV}.tar.bz2 \
            file://pkcs5-pkcs7-Avoid-NULL-pointer-dereference-when-veri.patch \
            file://libsimaka-Reject-zero-length-EAP-SIM-AKA-attributes.patch \
            file://constraints-Case-insensitive-matching-and-reject-exc.patch \
+           file://tls-server-Only-accept-non-empty-ECDH-public-keys-wi.patch \
            "
 
 SRC_URI[sha256sum] = "728027ddda4cb34c67c4cec97d3ddb8c274edfbabdaeecf7e74693b54fc33678"

From patchwork Tue Jun  9 08:31:04 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Nitin Wankhade <nitin.wankhade333@gmail.com>
X-Patchwork-Id: 89526
Return-Path: <nitin.wankhade333@gmail.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 3FA98CD8CBD
	for <webhook@archiver.kernel.org>; Tue,  9 Jun 2026 08:32:53 +0000 (UTC)
Received: from mail-pj1-f52.google.com (mail-pj1-f52.google.com
 [209.85.216.52])
 by mx.groups.io with SMTP id smtpd.msgproc01-g2.74587.1780993964917257903
 for <openembedded-devel@lists.openembedded.org>;
 Tue, 09 Jun 2026 01:32:45 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@gmail.com header.s=20251104 header.b=GoqwkN89;
 spf=pass (domain: gmail.com, ip: 209.85.216.52,
 mailfrom: nitin.wankhade333@gmail.com)
Received: by mail-pj1-f52.google.com with SMTP id
 98e67ed59e1d1-36ba9f46338so491453a91.0
        for <openembedded-devel@lists.openembedded.org>;
 Tue, 09 Jun 2026 01:32:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20251104; t=1780993964; x=1781598764;
 darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=E94OcaG/txVMDuAaz5vPQQotLthU8TmGgxe1PkypQXI=;
        b=GoqwkN89AxfpVaTlmiqwdOw/1XeB8kKo952u97EG8P3N2SLamJ6ie0HFVBZ6kdPzEk
         xiaDIanpBQLtq2b9B1NkfBgSm/8WXNZVMatDUF7SRzaV/5v2NW0pnHC8tI93e/CwQnxQ
         eWvSW3djsiexyjz8hYeKk4s5RnRpMkpSvi2M0UfmIOumvdyC9Cf/voj8eTxs+pR9kTZ/
         yLt0quW4LPEm35nuTO/8MHwYqnzWUXXtX7RmYdHJDbAfOJYNhtZYAF3juYU7F1zhJlvJ
         1GhFIA1nVTzv3EjML3CnV8LzeQ8cL0nKkPkGy+Eg361Y6EMZpoOPpgR2bDRmclks9Fnb
         kL7w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1780993964; x=1781598764;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from
         :to:cc:subject:date:message-id:reply-to;
        bh=E94OcaG/txVMDuAaz5vPQQotLthU8TmGgxe1PkypQXI=;
        b=Y8QyLy5udzpOYDqzMYz3FOcyX/i2Wab0hEDRVW7H/lEcPZWa6sx9NGkrvTm0zJjNZf
         3UMx4Y18Wn8cTEGhlxra6uBpVp/8UO3LvQ629f6k9igKDabVYMazldUAOTXMOx8NlV+r
         Y/9JteeSl5Vv13PYsAjZFcKNUma9uA6wvEuVN8SgElwB0PVXSmc7stqz/MC4Sx09lMgN
         YXdgQCNHkObHbh02CCHx1R+TW6Vk+UL3VhKE4i16v55V42s9IpxOYXx85rBafeTcSpJ6
         qEU/BGbCNfgDlzmIwEJK3x1Gsif0M3FMxeaXbGFmA0wF6rloeXVIl+vwHIeI13mccz9l
         gDUA==
X-Gm-Message-State: AOJu0Yxt0XafVYXk+aBrOiYMhiPAgaKLVWL/cYS/CbOPHuwn6JfhbVmX
	lZTP7JBEXYkeo+c0dw65RlHJhQuLA9cjMnAwA72QtbLiaOJhQYprDZwG/12u6LXici4ctA==
X-Gm-Gg: Acq92OGAlcoIBJOrfzFmzUKCrDDS0ztlWvZ1j2nO9W2hxZPDi4XwPOxgcEFHeiI0GFT
	VRNHOIVrzQTepYsaFZz18np1iCcKizga/PW3S4Ke8EXKc3NCajafLpwBrFCC27rkotHKHmxn/1h
	VIYWj0913Ml26MYK82zWdPXbbs69Qpcb2iknl77g2EGnP3N7lUviKIQlfiG2e71TfMoo0pCgcC8
	Ndp+6QS9qg81+6y1U6S7demRIN2W7OtY5uYtrawUWIDb5uAhUYzf+3GrAMIU6Eb5NJHs+m3TSkN
	+NFFjYyMhEm5YcPTKpr5HQjCzaXWJf94pprE47JWIY2tAx5VxKLb46kwt8qJxLu6wEv6rgina44
	Q75q269ny8aWUQlhHm/qNFnrfDhGpATBtU1ACoGfhp2mSn+hDnsh5c2IvJz9ilkx980DCGx+myC
	n47vKoxnzborQeC260Rjqvj8sX+JlcTmJO7FH4PXIWpALivYAkLoaCLnTOZGIBQA==
X-Received: by 2002:a17:90b:538b:b0:36d:f28a:c5e2 with SMTP id
 98e67ed59e1d1-370f1eec20amr10451336a91.8.1780993964298;
        Tue, 09 Jun 2026 01:32:44 -0700 (PDT)
Received: from L-15597L.www.tendawifi.com ([36.255.86.178])
        by smtp.gmail.com with ESMTPSA id
 98e67ed59e1d1-36f6bf903fasm18196212a91.2.2026.06.09.01.32.42
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 09 Jun 2026 01:32:43 -0700 (PDT)
From: Nitin Wankhade <nitin.wankhade333@gmail.com>
To: openembedded-devel@lists.openembedded.org
Cc: Nitin.Wankhade@kpit.com
Subject: [OE-core][scarthgap][PATCH 6/6] strongswan: Fix CVE-2026-35333
Date: Tue,  9 Jun 2026 14:01:04 +0530
Message-Id: <20260609083104.869512-6-nitin.wankhade333@gmail.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20260609083104.869512-1-nitin.wankhade333@gmail.com>
References: <20260609083104.869512-1-nitin.wankhade333@gmail.com>
MIME-Version: 1.0
List-Id: <openembedded-devel.lists.openembedded.org>
X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com
 [45.33.107.173] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-devel@lists.openembedded.org>; Tue, 09 Jun 2026 08:32:53 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-devel/message/127443

Upstream-Status: Backport [https://snapshot.debian.org/archive/debian-security-debug/20260422T125423Z/pool/updates/main/s/strongswan/strongswan_6.0.1-6%2Bdeb13u5.debian.tar.xz]

Signed-off-by: Nitin Wankhade <nitin.wankhade333@gmail.com>
---
 ...-undersized-attributes-in-enumerator.patch | 41 +++++++++++++++++++
 .../strongswan/strongswan_5.9.14.bb           |  1 +
 2 files changed, 42 insertions(+)
 create mode 100644 meta-networking/recipes-support/strongswan/strongswan/libradius-Reject-undersized-attributes-in-enumerator.patch

diff --git a/meta-networking/recipes-support/strongswan/strongswan/libradius-Reject-undersized-attributes-in-enumerator.patch b/meta-networking/recipes-support/strongswan/strongswan/libradius-Reject-undersized-attributes-in-enumerator.patch
new file mode 100644
index 0000000000..0233ebf6aa
--- /dev/null
+++ b/meta-networking/recipes-support/strongswan/strongswan/libradius-Reject-undersized-attributes-in-enumerator.patch
@@ -0,0 +1,41 @@
+From: =?utf-8?q?Lukas_Johannes_M=C3=B6ller?= <research@johannes-moeller.dev>
+Date: Thu, 12 Mar 2026 10:24:45 +0000
+Subject: libradius: Reject undersized attributes in enumerator
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+attribute_enumerate() accepts RADIUS attributes whose length byte is
+smaller than sizeof(rattr_t) (2).  For length == 0, the iterator never
+advances and traps callers — including verify() — in a non-advancing
+loop.  For length == 1, misaligned packed-struct reads occur.
+
+Add a separate check for this->next->length < sizeof(rattr_t) after
+the existing truncation guard.  This mirrors radius_message_parse(),
+which already distinguishes invalid length from truncation.
+
+Signed-off-by: Lukas Johannes Möller <research@johannes-moeller.dev>
+
+Fixes: 4a6b84a93461 ("reintegrated eap-radius branch into trunk")
+Fixes: CVE-2026-35333
+
+CVE: CVE-2026-35333
+Upstream-Status: Backport [https://snapshot.debian.org/archive/debian-security-debug/20260422T125423Z/pool/updates/main/s/strongswan/strongswan_6.0.1-6%2Bdeb13u5.debian.tar.xz]
+Signed-off-by: Nitin Wankhade <nitin.wankhade333@gmail.com>
+===
+diff --git a/src/libradius/radius_message.c b/src/libradius/radius_message.c
+index 8e2db0c..2bbbb48 100644
+--- a/src/libradius/radius_message.c
++++ b/src/libradius/radius_message.c
+@@ -261,6 +261,11 @@ METHOD(enumerator_t, attribute_enumerate, bool,
+ 		DBG1(DBG_IKE, "RADIUS message truncated");
+ 		return FALSE;
+ 	}
++	if (this->next->length < sizeof(rattr_t))
++	{
++                DBG1(DBG_IKE, "RADIUS attribute has invalid length");
++                return FALSE;
++       }
+ 	*type = this->next->type;
+ 	data->ptr = this->next->value;
+ 	data->len = this->next->length - sizeof(rattr_t);
diff --git a/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb b/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb
index f65a94dd73..661727e501 100644
--- a/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb
+++ b/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb
@@ -17,6 +17,7 @@ SRC_URI = "https://download.strongswan.org/strongswan-${PV}.tar.bz2 \
            file://libsimaka-Reject-zero-length-EAP-SIM-AKA-attributes.patch \
            file://constraints-Case-insensitive-matching-and-reject-exc.patch \
            file://tls-server-Only-accept-non-empty-ECDH-public-keys-wi.patch \
+           file://libradius-Reject-undersized-attributes-in-enumerator.patch \
            "
 
 SRC_URI[sha256sum] = "728027ddda4cb34c67c4cec97d3ddb8c274edfbabdaeecf7e74693b54fc33678"