X-Original-To: alpine-aports@mail.alpinelinux.org Delivered-To: alpine-aports@mail.alpinelinux.org Received: from mail.alpinelinux.org (dallas-a1.alpinelinux.org [127.0.0.1]) by mail.alpinelinux.org (Postfix) with ESMTP id E189FDC24E1 for ; Wed, 2 Dec 2015 20:12:40 +0000 (UTC) Received: from mail-wm0-f53.google.com (mail-wm0-f53.google.com [74.125.82.53]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by mail.alpinelinux.org (Postfix) with ESMTPS id 8F48BDC07A1 for ; Wed, 2 Dec 2015 20:12:40 +0000 (UTC) Received: by wmww144 with SMTP id w144so72620624wmw.0 for ; Wed, 02 Dec 2015 12:12:39 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kampka-net.20150623.gappssmtp.com; s=20150623; h=from:to:cc:subject:date:message-id; bh=SpzXytxYl3jUT/z5q3muzV4G6JUbrj2m8Y8aZPbvO/o=; b=FESKeUyrwVCgT4S5glzZnnCT9GF/bZbLvK9DTAtDBmu3xhzpBXOXIz+tvi0pmJH4hX Q9QFTkMTnlnkLUENXU7zyzgjsedzuOkUgS9vYh3YntLS1nU4KGn1yhSpV1kTPRWM0DE8 kEjV/ORstTuCWAb3MMz0JsyJG58KZN2PdJNzHYfSMio8PTQgrKbFFFir/0p5ghbN02lw a01P0Qb2wnxXst1XQkhZ822gW2BYqtlzyfG1/mDG1Z+jmkJEBL3MpHL/xpHYPlv9003a X0MYYiz/PKZt77oab064clK5446FG6h/uA2Va8R84dLFplIcRyK8uUL+CCbDgE0Gzzsc 097w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=SpzXytxYl3jUT/z5q3muzV4G6JUbrj2m8Y8aZPbvO/o=; b=P1pQHsZ6jZUjb/bc49VinXzfvrgdV1KgI3R1FWLWilQr0zaxAvWyJa3DDLhjUOj/z0 KaWGzTUCky8lNchAAuZw4Q+VmMpVsrSlfY3WuMRk+Bjfh8jII0bG7yLVtX6z16fDq3Iu O1sVvSRD4RyJo+iG5H7NAK3zyZL9iuW368mtbjV/svmadWSwxv10Gv9fAQOJ8hThAT8c MlpJXtMkjzmN01QBm9/hV57S0ODP0pXJKFE3G4tc4ScvNhXPz5vs+EQHWkg0RqRizUr5 lI8hinxCitztJwJDQ6jaymt1OGE+9l6u+HSbCyoHxS3b2fU/RmMtjoN8zBO9kjvAw7I3 KNXw== X-Gm-Message-State: ALoCoQniBs0aJhRihwNRgpKeaCBhZY6errD1VQp4Neq5KozEjW6XvsOMBQUbfY2ICg7cTD5O/FFx X-Received: by 10.28.94.1 with SMTP id s1mr1326369wmb.60.1449087158942; Wed, 02 Dec 2015 12:12:38 -0800 (PST) Received: from localhost (pD9579EF6.dip0.t-ipconnect.de. [217.87.158.246]) by smtp.gmail.com with ESMTPSA id he3sm4284203wjc.25.2015.12.02.12.12.37 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 02 Dec 2015 12:12:37 -0800 (PST) From: Christian Kampka To: alpine-aports@lists.alpinelinux.org Cc: Christian Kampka Subject: [alpine-aports] [PATCH 3.1-stable] main/strongswan: security fix CVE-2015-8023 Date: Wed, 2 Dec 2015 21:12:35 +0100 Message-Id: <1449087155-10658-1-git-send-email-christian@kampka.net> X-Mailer: git-send-email 2.6.2 X-Virus-Scanned: ClamAV using ClamSMTP X-Mailinglist: alpine-aports Precedence: list List-Id: Alpine Development List-Unsubscribe: List-Post: List-Help: List-Subscribe: fixes #4878 --- main/strongswan/APKBUILD | 6 +++++- main/strongswan/CVE-2015-8023.patch | 34 ++++++++++++++++++++++++++++++++++ 2 files changed, 39 insertions(+), 1 deletion(-) create mode 100644 main/strongswan/CVE-2015-8023.patch diff --git a/main/strongswan/APKBUILD b/main/strongswan/APKBUILD index 26c649f..5e72ff1 100644 --- a/main/strongswan/APKBUILD +++ b/main/strongswan/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: Natanael Copa pkgname=strongswan pkgver=5.2.2 -pkgrel=0 +pkgrel=1 pkgdesc="IPsec-based VPN solution focused on security and ease of use, supporting IKEv1/IKEv2 and MOBIKE" url="http://www.strongswan.org/" arch="all" @@ -13,6 +13,7 @@ makedepends="$depends_dev" install="" subpackages="$pkgname-doc" source="http://download.strongswan.org/$pkgname-$pkgver.tar.bz2 + CVE-2015-8023.patch strongswan.initd" _builddir="$srcdir/$pkgname-$pkgver" @@ -91,8 +92,11 @@ package() { } md5sums="7ee1a33060b2bde35be0f6d78a1d26d0 strongswan-5.2.2.tar.bz2 +ad2433a351cf491f60f587d4895b0ad2 CVE-2015-8023.patch fb9822512d02f521af8812db22a5175e strongswan.initd" sha256sums="cf2fbfdf200a5eced796f00dc11fea67ce477d38c54d5f073ac6c51618b172f4 strongswan-5.2.2.tar.bz2 +a3ed08c7fc2a7d5876109b9c561e0412b917708921a966a9c79de62db10a9881 CVE-2015-8023.patch e4add8941d545930bba43d7d3af302bc436d7c0264a2796480226567e2b12e54 strongswan.initd" sha512sums="80ae5551d16e8ddcff71426c1ec996388f32cec8a027f722e8f5151cdd67f09d65705a702ff8c3f2702dca6470e525eb2af2459f7ced9d5923570a331491d534 strongswan-5.2.2.tar.bz2 +c4306f57a24563c4c8fd9d6d7c4bf579433d0b98462058b811265cc918a44e105d4ac08d830d025fcff1d43dcc96f8eb3c3651d2ee50978586fa2f9f0087a99b CVE-2015-8023.patch 2f2936865e494a9454329867acfb71ca323f90dec526a97f7d0c18422deb54205f81f9f592ed6c3b474fe5e954ebcb90eed0311e52fa3a86a982d80ba9a45be8 strongswan.initd" diff --git a/main/strongswan/CVE-2015-8023.patch b/main/strongswan/CVE-2015-8023.patch new file mode 100644 index 0000000..e519a1f --- /dev/null +++ b/main/strongswan/CVE-2015-8023.patch @@ -0,0 +1,34 @@ +From 91762f11e223e33b82182150d7c4cf7c2ec3cefa Mon Sep 17 00:00:00 2001 +From: Tobias Brunner +Date: Thu, 29 Oct 2015 11:18:27 +0100 +Subject: [PATCH] eap-mschapv2: Only succeed authentication if MSK was + established + +An MSK is only established if the client successfully authenticated +itself and only then must we accept an MSCHAPV2_SUCCESS message. + +Fixes CVE-2015-8023 +--- + src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c +index f7f39f9841d2..931e3c41dde4 100644 +--- a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c ++++ b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c +@@ -1145,7 +1145,11 @@ METHOD(eap_method_t, process_server, status_t, + } + case MSCHAPV2_SUCCESS: + { +- return SUCCESS; ++ if (this->msk.ptr) ++ { ++ return SUCCESS; ++ } ++ break; + } + case MSCHAPV2_FAILURE: + { +-- +1.9.1 + -- 2.6.2 --- Unsubscribe: alpine-aports+unsubscribe@lists.alpinelinux.org Help: alpine-aports+help@lists.alpinelinux.org ---