From: Vijay Anusuri <[email protected]> Pick patch according to [1]
[1] https://download.strongswan.org/security/CVE-2026-25075/ [2] https://www.strongswan.org/blog/2026/03/23/strongswan-vulnerability-(cve-2026-25075).html Signed-off-by: Vijay Anusuri <[email protected]> --- .../strongswan/files/CVE-2026-25075.patch | 50 +++++++++++++++++++ .../strongswan/strongswan_5.9.13.bb | 1 + 2 files changed, 51 insertions(+) create mode 100644 meta-networking/recipes-support/strongswan/files/CVE-2026-25075.patch diff --git a/meta-networking/recipes-support/strongswan/files/CVE-2026-25075.patch b/meta-networking/recipes-support/strongswan/files/CVE-2026-25075.patch new file mode 100644 index 0000000000..3b38a099a2 --- /dev/null +++ b/meta-networking/recipes-support/strongswan/files/CVE-2026-25075.patch @@ -0,0 +1,50 @@ +From d4b3c39776f06948d875614a0eddea9561159f2a Mon Sep 17 00:00:00 2001 +From: Tobias Brunner <[email protected]> +Date: Thu, 5 Mar 2026 12:43:12 +0100 +Subject: [PATCH] eap-ttls: Prevent crash if AVP length header field is invalid + +The length field in the AVP header includes the 8 bytes of the header +itself. Not checking for that and later subtracting it causes an +integer underflow that usually triggers a crash when accessing a +NULL pointer that resulted from the failing chunk_alloc() call because +of the high value. + +The attempted allocations for invalid lengths (0-7) are 0xfffffff8, +0xfffffffc, or 0x100000000 (0 on 32-bit hosts), so this doesn't result +in a buffer overflow even if the allocation succeeds. + +Fixes: 79f2102cb442 ("implemented server side support for EAP-TTLS") +Fixes: CVE-2026-25075 + +Upstream-Status: Backport [https://download.strongswan.org/security/CVE-2026-25075/strongswan-4.5.0-6.0.4_eap_ttls_avp_len.patch] +CVE: CVE-2026-25075 +Signed-off-by: Vijay Anusuri <[email protected]> +--- + src/libcharon/plugins/eap_ttls/eap_ttls_avp.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls_avp.c b/src/libcharon/plugins/eap_ttls/eap_ttls_avp.c +index 06389f7..2983bd0 100644 +--- a/src/libcharon/plugins/eap_ttls/eap_ttls_avp.c ++++ b/src/libcharon/plugins/eap_ttls/eap_ttls_avp.c +@@ -119,7 +119,7 @@ METHOD(eap_ttls_avp_t, process, status_t, + chunk_free(&this->input); + this->inpos = 0; + +- if (!success) ++ if (!success || avp_len < AVP_HEADER_LEN) + { + DBG1(DBG_IKE, "received invalid AVP header"); + return FAILED; +@@ -130,7 +130,7 @@ METHOD(eap_ttls_avp_t, process, status_t, + return FAILED; + } + this->process_header = FALSE; +- this->data_len = avp_len - 8; ++ this->data_len = avp_len - AVP_HEADER_LEN; + this->input = chunk_alloc(this->data_len + (4 - avp_len) % 4); + } + +-- +2.25.1 + diff --git a/meta-networking/recipes-support/strongswan/strongswan_5.9.13.bb b/meta-networking/recipes-support/strongswan/strongswan_5.9.13.bb index 4c10636871..6a2b219275 100644 --- a/meta-networking/recipes-support/strongswan/strongswan_5.9.13.bb +++ b/meta-networking/recipes-support/strongswan/strongswan_5.9.13.bb @@ -10,6 +10,7 @@ DEPENDS:append = "${@bb.utils.contains('DISTRO_FEATURES', 'tpm2', ' tpm2-tss', SRC_URI = "https://download.strongswan.org/strongswan-${PV}.tar.bz2 \ file://CVE-2025-62291.patch \ + file://CVE-2026-25075.patch \ " SRC_URI[sha256sum] = "56e30effb578fd9426d8457e3b76c8c3728cd8a5589594b55649b2719308ba55" -- 2.25.1
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#125956): https://lists.openembedded.org/g/openembedded-devel/message/125956 Mute This Topic: https://lists.openembedded.org/mt/118628577/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
