Upstream-Status: Backport [https://github.com/strongswan/strongswan/commit/8dae5605a79666c6def907efd8c872c91d93de5b] [https://github.com/strongswan/strongswan/commit/4da84019ccec87fea161797af2901244fa5f170e]
Signed-off-by: Nitin Wankhade <[email protected]> --- ...d-NULL-pointer-dereference-when-veri.patch | 58 +++++++++++++++++++ .../strongswan/strongswan_5.9.14.bb | 1 + 2 files changed, 59 insertions(+) create mode 100644 meta-networking/recipes-support/strongswan/strongswan/pkcs5-pkcs7-Avoid-NULL-pointer-dereference-when-veri.patch diff --git a/meta-networking/recipes-support/strongswan/strongswan/pkcs5-pkcs7-Avoid-NULL-pointer-dereference-when-veri.patch b/meta-networking/recipes-support/strongswan/strongswan/pkcs5-pkcs7-Avoid-NULL-pointer-dereference-when-veri.patch new file mode 100644 index 0000000000..c2e730bc54 --- /dev/null +++ b/meta-networking/recipes-support/strongswan/strongswan/pkcs5-pkcs7-Avoid-NULL-pointer-dereference-when-veri.patch @@ -0,0 +1,58 @@ +From: Tobias Brunner <[email protected]> +Date: Wed, 25 Mar 2026 10:28:45 +0100 +Subject: pkcs5/pkcs7: Avoid NULL pointer dereference when verifying padding + +Can be triggered via empty PKCS#7 encrypted- or enveloped-data content +in IKEv1 CERT payload. + +Fixes: 4076e3ee9121 ("Extract PKCS#5 handling from pkcs8 plugin to separate helper class") +Fixes: d7aa09104f08 ("Implement PKCS#7 enveloped-data parsing and decryption") +Fixes: CVE-2026-35329 + +CVE: CVE-2026-35329 +Upstream-Status: Backport [https://github.com/strongswan/strongswan/commit/8dae5605a79666c6def907efd8c872c91d93de5b] + [https://github.com/strongswan/strongswan/commit/4da84019ccec87fea161797af2901244fa5f170e] +Patch is refreshed as per the source code version 5.9.14 +Signed-off-by: Nitin Wankhade <[email protected]> +=== +diff --git a/src/libstrongswan/crypto/pkcs5.c b/src/libstrongswan/crypto/pkcs5.c +index e48a9ad..134ccd3 100644 +--- a/src/libstrongswan/crypto/pkcs5.c ++++ b/src/libstrongswan/crypto/pkcs5.c +@@ -113,6 +113,11 @@ static bool verify_padding(crypter_t *crypter, chunk_t *blob) + { + uint8_t padding, count; + ++ if (!blob->len) ++ { ++ return FALSE; ++ } ++ + padding = count = blob->ptr[blob->len - 1]; + + if (padding > crypter->get_block_size(crypter)) +diff --git a/src/libstrongswan/plugins/pkcs7/pkcs7_enveloped_data.c b/src/libstrongswan/plugins/pkcs7/pkcs7_enveloped_data.c +index 8b26bad..3d601d6 100644 +--- a/src/libstrongswan/plugins/pkcs7/pkcs7_enveloped_data.c ++++ b/src/libstrongswan/plugins/pkcs7/pkcs7_enveloped_data.c +@@ -182,10 +182,17 @@ static bool decrypt(private_key_t *private, chunk_t key, chunk_t iv, int oid, + */ + static bool remove_padding(private_pkcs7_enveloped_data_t *this) + { +- u_char *pos = this->content.ptr + this->content.len - 1; +- u_char pattern = *pos; +- size_t padding = pattern; ++ u_char *pos, pattern; ++ size_t padding; + ++ if (!this->content.len) ++ { ++ return FALSE; ++ } ++ ++ pos = this->content.ptr + this->content.len - 1; ++ pattern = *pos; ++ padding = pattern; + if (padding > this->content.len) + { + DBG1(DBG_LIB, "padding greater than data length"); diff --git a/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb b/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb index 6fbc345923..ac4bc5380b 100644 --- a/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb +++ b/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb @@ -13,6 +13,7 @@ SRC_URI = "https://download.strongswan.org/strongswan-${PV}.tar.bz2 \ file://CVE-2026-25075.patch \ file://CVE-2026-35334.patch \ file://tls-server-Prevent-infinite-loop-if-supported-versio.patch \ + file://pkcs5-pkcs7-Avoid-NULL-pointer-dereference-when-veri.patch \ " SRC_URI[sha256sum] = "728027ddda4cb34c67c4cec97d3ddb8c274edfbabdaeecf7e74693b54fc33678" -- 2.34.1
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#127447): https://lists.openembedded.org/g/openembedded-devel/message/127447 Mute This Topic: https://lists.openembedded.org/mt/119720009/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
