On Tue, Jun 9, 2026 at 4:32 PM Nitin Wankhade via lists.openembedded.org <[email protected]> wrote:
>
> Upstream-Status: Backport 
> [https://snapshot.debian.org/archive/debian-security-debug/20260422T125423Z/pool/updates/main/s/strongswan/strongswan_6.0.1-6%2Bdeb13u5.debian.tar.xz]
>
> Signed-off-by: Nitin Wankhade <[email protected]>
> ---
>  ...nt-infinite-loop-if-supported-versio.patch | 42 +++++++++++++++++++
>  .../strongswan/strongswan_5.9.14.bb           |  1 +
>  2 files changed, 43 insertions(+)
>  create mode 100644 
> meta-networking/recipes-support/strongswan/strongswan/tls-server-Prevent-infinite-loop-if-supported-versio.patch
>
> diff --git 
> a/meta-networking/recipes-support/strongswan/strongswan/tls-server-Prevent-infinite-loop-if-supported-versio.patch
>  
> b/meta-networking/recipes-support/strongswan/strongswan/tls-server-Prevent-infinite-loop-if-supported-versio.patch
> new file mode 100644
> index 0000000000..32a23b3be1
> --- /dev/null
> +++ 
> b/meta-networking/recipes-support/strongswan/strongswan/tls-server-Prevent-infinite-loop-if-supported-versio.patch
> @@ -0,0 +1,42 @@
> +From: Tobias Brunner <[email protected]>
> +Date: Wed, 25 Mar 2026 10:17:46 +0100
> +Subject: tls-server: Prevent infinite loop if supported versions are too
> + short
> +
> +If the extension doesn't contain a multiple of two bytes, the previous
> +code would get stuck in an infinite loop as `remaining()` continued to
> +return TRUE while `read_uint16()` failed to parse a value. Initiating
> +several connections with such an extension allows a DoS attack as no
> +threads would eventually be available to handle packets/events.
> +
> +Fixes: 7fbe2e27ecf6 ("tls-server: TLS 1.3 support for TLS server 
> implementation")
> +Fixes: CVE-2026-35328
> +
> +CVE: CVE-2026-35328
> +Upstream-Status: Backport 
> [https://snapshot.debian.org/archive/debian-security-debug/20260422T125423Z/pool/updates/main/s/strongswan/strongswan_6.0.1-6%2Bdeb13u5.debian.tar.xz]

For all patches in this series, can you please provide links to, and
backport from, upstream when possible instead of the Debian patch. In this
case, it is:

https://github.com/strongswan/strongswan/commit/56c7f0d13dffcfebf4255470e375234144d28134

> +Signed-off-by: Nitin Wankhade <[email protected]>
> +===
> +diff --git a/src/libtls/tls_server.c b/src/libtls/tls_server.c
> +index 3ad9fd2..7b2238e 100644
> +--- a/src/libtls/tls_server.c
> ++++ b/src/libtls/tls_server.c
> +@@ -471,15 +471,12 @@ static status_t 
> process_client_hello(private_tls_server_t *this,
> +               bio_reader_t *client_versions;
> +
> +               client_versions = bio_reader_create(versions);
> +-              while (client_versions->remaining(client_versions))
> ++              while (client_versions->read_uint16(client_versions, 
> &version))
> +               {
> +-                      if (client_versions->read_uint16(client_versions, 
> &version))
> ++                      if (this->tls->set_version(this->tls, version, 
> version))
> +                       {
> +-                              if (this->tls->set_version(this->tls, 
> version, version))
> +-                              {
> +-                                      this->client_version = version;
> +-                                      break;
> +-                              }
> ++                              this->client_version = version;
> ++                              break;
> +                       }
> +               }
> +               client_versions->destroy(client_versions);
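Review bot: the hunk as posted has long lines folded by the mail client (for example `Fixes: 7fbe2e27ecf6 ("tls-server: TLS 1.3 support for TLS server` continues on the next line as `implementation")`, and `while (client_versions->read_uint16(client_versions,` is split from `&version))`), so the patch file will not apply cleanly with `git am` in this form; please resend with `git send-email` or a mailer that does not wrap. On the change itself, keying the loop on `read_uint16()` instead of `remaining()` stops it as soon as fewer than two bytes are left, which removes the spin, but it also means a trailing odd byte in supported_versions is now silently ignored rather than rejected; a sentence in the description confirming that this tolerant handling is intended would help future readers of the backport.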
> diff --git a/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb 
> b/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb
> index 7cc67e4d92..6fbc345923 100644
> --- a/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb
> +++ b/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb
> @@ -12,6 +12,7 @@ SRC_URI = 
> "https://download.strongswan.org/strongswan-${PV}.tar.bz2 \
>             file://CVE-2025-62291.patch \
>             file://CVE-2026-25075.patch \
>             file://CVE-2026-35334.patch \
> +           file://tls-server-Prevent-infinite-loop-if-supported-versio.patch 
> \
>             "
>
>  SRC_URI[sha256sum] = 
> "728027ddda4cb34c67c4cec97d3ddb8c274edfbabdaeecf7e74693b54fc33678"
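Review bot: the added `file://tls-server-Prevent-infinite-loop-if-supported-versio.patch` is the only entry in this `SRC_URI` block not named after its CVE, while the three lines above it use `file://CVE-2025-62291.patch`, `file://CVE-2026-25075.patch` and `file://CVE-2026-35334.patch`; naming it `CVE-2026-35328.patch` would keep the recipe consistent and make the fix visible from the file list alone. The `CVE: CVE-2026-35328` tag in the patch header is what cve-check reads, so this is a naming point rather than a functional one.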
> --
> 2.34.1
View/Reply Online (#127445): 
https://lists.openembedded.org/g/openembedded-devel/message/127445