Details: https://nvd.nist.gov/vuln/detail/CVE-2025-62291
Pick the patch that is mentioned on the vendor's blog[1], that is also referenced in the NVD report. [1]: https://www.strongswan.org/blog/2025/10/27/strongswan-vulnerability-%28cve-2025-62291%29.html Signed-off-by: Gyorgy Sarvari <[email protected]> --- .../strongswan/CVE-2025-62291.patch | 45 +++++++++++++++++++ .../strongswan/strongswan_5.9.14.bb | 3 +- 2 files changed, 47 insertions(+), 1 deletion(-) create mode 100644 meta-networking/recipes-support/strongswan/strongswan/CVE-2025-62291.patch diff --git a/meta-networking/recipes-support/strongswan/strongswan/CVE-2025-62291.patch b/meta-networking/recipes-support/strongswan/strongswan/CVE-2025-62291.patch new file mode 100644 index 0000000000..df5568235e --- /dev/null +++ b/meta-networking/recipes-support/strongswan/strongswan/CVE-2025-62291.patch @@ -0,0 +1,45 @@ +From 8412dbb2dc054191b03df8e7fbc3dd8bf4c10be3 Mon Sep 17 00:00:00 2001 +From: Tobias Brunner <[email protected]> +Date: Thu, 9 Oct 2025 11:33:45 +0200 +Subject: [PATCH] eap-mschapv2: Fix length check for Failure Request packets on + the client + +For message lengths between 6 and 8, subtracting HEADER_LEN (9) causes +`message_len` to become negative, which is then used in calls to malloc() +and memcpy() that both take size_t arguments, causing an integer +underflow. + +For 6 and 7, the huge size requested from malloc() will fail (it exceeds +PTRDIFF_MAX) and the returned NULL pointer will cause a segmentation +fault in memcpy(). + +However, for 8, the allocation is 0, which succeeds. But then the -1 +passed to memcpy() causes a heap-based buffer overflow (and possibly a +segmentation fault when attempting to read/write that much data). +Fortunately, if compiled with -D_FORTIFY_SOURCE=3 (the default on e.g. +Ubuntu), the compiler will use __memcpy_chk(), which prevents that buffer +overflow and causes the daemon to get aborted immediately instead. + +Fixes: f98cdf7a4765 ("adding plugin for EAP-MS-CHAPv2") +Fixes: CVE-2025-62291 + +CVE: CVE-2025-62291 +Upstream-Status: Backport [https://github.com/strongswan/strongswan/commit/c687ada6a6f68913651e355fd09f906893096b32] +Signed-off-by: Gyorgy Sarvari <[email protected]> +--- + src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c +index 1bb54c8..9ad509a 100644 +--- a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c ++++ b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c +@@ -974,7 +974,7 @@ static status_t process_peer_failure(private_eap_mschapv2_t *this, + data = in->get_data(in); + eap = (eap_mschapv2_header_t*)data.ptr; + +- if (data.len < 3) /* we want at least an error code: E=e */ ++ if (data.len < HEADER_LEN + 3) /* we want at least an error code: E=e */ + { + DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: too short"); + return FAILED; diff --git a/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb b/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb index 2e2da8274b..4592381a36 100644 --- a/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb +++ b/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb @@ -9,7 +9,8 @@ DEPENDS = "flex-native flex bison-native" DEPENDS:append = "${@bb.utils.contains('DISTRO_FEATURES', 'tpm2', ' tpm2-tss', '', d)}" SRC_URI = "https://download.strongswan.org/strongswan-${PV}.tar.bz2 \ - " + file://CVE-2025-62291.patch \ + " SRC_URI[sha256sum] = "728027ddda4cb34c67c4cec97d3ddb8c274edfbabdaeecf7e74693b54fc33678"
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#123789): https://lists.openembedded.org/g/openembedded-devel/message/123789 Mute This Topic: https://lists.openembedded.org/mt/117421626/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
