(pD9579EF6.dip0.t-ipconnect.de. [217.87.158.246]) by smtp.gmail.com with ESMTPSA id t194sm32240341wmt.11.2015.12.02.11.45.16 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 02 Dec 2015 11:45:17 -0800 (PST) From: Christian Kampka To: alpine-aports@lists.alpinelinux.org Cc: Christian Kampka Subject: [alpine-aports] [PATCH 2.7-stable] main/strongswan: security fix CVE-2015-8023 Date: Wed, 2 Dec 2015 20:45:09 +0100 Message-Id: <1449085509-29629-1-git-send-email-christian@kampka.net> X-Mailer: git-send-email 2.6.2 X-Virus-Scanned: ClamAV using ClamSMTP X-Mailinglist: alpine-aports Precedence: list List-Id: Alpine Development List-Unsubscribe: List-Post: List-Help: List-Subscribe: fixes #4880 --- main/strongswan/APKBUILD | 6 +++++- main/strongswan/CVE-2015-8023.patch | 31 +++++++++++++++++++++++++++++++ 2 files changed, 36 insertions(+), 1 deletion(-) create mode 100644 main/strongswan/CVE-2015-8023.patch diff --git a/main/strongswan/APKBUILD b/main/strongswan/APKBUILD index 084f4c4..6078041 100644 --- a/main/strongswan/APKBUILD +++ b/main/strongswan/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: Natanael Copa pkgname=strongswan pkgver=5.1.3 -pkgrel=0 +pkgrel=1 pkgdesc="IPsec-based VPN solution focused on security and ease of use, supporting IKEv1/IKEv2 and MOBIKE" url="http://www.strongswan.org/" arch="all" @@ -13,6 +13,7 @@ makedepends="$depends_dev" install="" subpackages="$pkgname-doc" source="http://download.strongswan.org/$pkgname-$pkgver.tar.bz2 + CVE-2015-8023.patch strongswan.initd" _builddir="$srcdir/$pkgname-$pkgver" 
@@ -88,8 +89,11 @@ package() { } md5sums="1d1c108775242743cd8699215b2918c3 strongswan-5.1.3.tar.bz2 +60c0ed05e7d9b456ec6cc2a7b9c8d58c CVE-2015-8023.patch fb9822512d02f521af8812db22a5175e strongswan.initd" sha256sums="84e46d5ce801e1b874e2bfba8d21dbd78b432e23b7fb1f4f2d637359e7a183a8 strongswan-5.1.3.tar.bz2 +66ae42b1b1a8f23b840237089dd6d23a208f2d4db19a9ea6384ac4ef66588229 CVE-2015-8023.patch e4add8941d545930bba43d7d3af302bc436d7c0264a2796480226567e2b12e54 strongswan.initd" sha512sums="05f4afbf778de54c593692a8117a5fae05c0539cdb7545bc53657deb32d09bec7e0aef07d509dc682af15d57adf569242715447bc1a87785c1f80a21076cb8cb strongswan-5.1.3.tar.bz2 +e1074e516b42fe1a693a80bd3cf4f3c83d004d2e82f25bbd34057fca2547af1d6b3eb7f25211362b5cbad2f71f8d511585bcea43d4a4af8d27738516a0d29765 CVE-2015-8023.patch 2f2936865e494a9454329867acfb71ca323f90dec526a97f7d0c18422deb54205f81f9f592ed6c3b474fe5e954ebcb90eed0311e52fa3a86a982d80ba9a45be8 strongswan.initd" diff --git a/main/strongswan/CVE-2015-8023.patch b/main/strongswan/CVE-2015-8023.patch new file mode 100644 index 0000000..22f96ca --- /dev/null +++ b/main/strongswan/CVE-2015-8023.patch 
@@ -0,0 +1,31 @@ +From 91762f11e223e33b82182150d7c4cf7c2ec3cefa Mon Sep 17 00:00:00 2001 +From: Tobias Brunner +Date: Thu, 29 Oct 2015 11:18:27 +0100 +Subject: [PATCH] eap-mschapv2: Only succeed authentication if MSK was + established + +An MSK is only established if the client successfully authenticated +itself and only then must we accept an MSCHAPV2_SUCCESS message. + +Fixes CVE-2015-8023 +--- + src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +Index: strongswan-5.1.2/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c +=================================================================== +--- strongswan-5.1.2.orig/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c 2015-11-11 07:57:22.132300446 -0500 ++++ strongswan-5.1.2/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c 2015-11-11 07:57:22.132300446 -0500 +@@ -1141,7 +1141,11 @@ + } + case MSCHAPV2_SUCCESS: + { +- return SUCCESS; ++ if (this->msk.ptr) ++ { ++ return SUCCESS; ++ } ++ break; + } + case MSCHAPV2_FAILURE: + { -- 2.6.2 --- Unsubscribe: alpine-aports+unsubscribe@lists.alpinelinux.org Help: alpine-aports+help@lists.alpinelinux.org ---
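Review bot: in the `source=` hunk of main/strongswan/APKBUILD, `CVE-2015-8023.patch` is added to the source list, but the diff touches no `prepare()` or `build()` step, so nothing visible here actually applies it. Please confirm the unchanged part of the APKBUILD already loops over `$source` and applies every `*.patch` with `patch -p1`; if it does not, the package would be rebuilt at `pkgrel=1` with new checksums but without the EAP-MSCHAPv2 fix, which is worse than no bump because the pkgrel suggests the CVE is addressed. A quick check is to run `abuild checksum` and `abuild -r` and grep the build log for the patch filename being applied.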
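Review bot: in the new-file hunk for main/strongswan/CVE-2015-8023.patch, the embedded `Index:`/`---`/`+++` headers name `strongswan-5.1.2/...` while this package is `pkgver=5.1.3`; with `-p1` the leading directory is stripped so the path still resolves, but the context around line 1141 of eap_mschapv2.c should be verified against the 5.1.3 tarball rather than trusting a header produced for a different release. Separately, the new `break;` after `if (this->msk.ptr) { return SUCCESS; }` leaves the `switch` and continues into code outside this hunk; please confirm that path returns a non-success status (and emits a log line) so an MSCHAPV2_SUCCESS message arriving before an MSK was established is rejected and remains visible in the charon log, which is the whole point of the upstream commit quoted in the patch header.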