Upstream-Status: Backport 
[https://github.com/strongswan/strongswan/commit/8dae5605a79666c6def907efd8c872c91d93de5b]
                          
[https://github.com/strongswan/strongswan/commit/4da84019ccec87fea161797af2901244fa5f170e]

Signed-off-by: Nitin Wankhade <[email protected]>
---
 ...d-NULL-pointer-dereference-when-veri.patch | 58 +++++++++++++++++++
 .../strongswan/strongswan_5.9.14.bb           |  1 +
 2 files changed, 59 insertions(+)
 create mode 100644 
meta-networking/recipes-support/strongswan/strongswan/pkcs5-pkcs7-Avoid-NULL-pointer-dereference-when-veri.patch

diff --git 
a/meta-networking/recipes-support/strongswan/strongswan/pkcs5-pkcs7-Avoid-NULL-pointer-dereference-when-veri.patch
 
b/meta-networking/recipes-support/strongswan/strongswan/pkcs5-pkcs7-Avoid-NULL-pointer-dereference-when-veri.patch
new file mode 100644
index 0000000000..c2e730bc54
--- /dev/null
+++ 
b/meta-networking/recipes-support/strongswan/strongswan/pkcs5-pkcs7-Avoid-NULL-pointer-dereference-when-veri.patch
@@ -0,0 +1,58 @@
+From: Tobias Brunner <[email protected]>
+Date: Wed, 25 Mar 2026 10:28:45 +0100
+Subject: pkcs5/pkcs7: Avoid NULL pointer dereference when verifying padding
+
+Can be triggered via empty PKCS#7 encrypted- or enveloped-data content
+in IKEv1 CERT payload.
+
+Fixes: 4076e3ee9121 ("Extract PKCS#5 handling from pkcs8 plugin to separate 
helper class")
+Fixes: d7aa09104f08 ("Implement PKCS#7 enveloped-data parsing and decryption")
+Fixes: CVE-2026-35329
+
+CVE: CVE-2026-35329
+Upstream-Status: Backport 
[https://github.com/strongswan/strongswan/commit/8dae5605a79666c6def907efd8c872c91d93de5b]
+                          
[https://github.com/strongswan/strongswan/commit/4da84019ccec87fea161797af2901244fa5f170e]
+Patch is refreshed as per the source code version 5.9.14
+Signed-off-by: Nitin Wankhade <[email protected]>
+===
+diff --git a/src/libstrongswan/crypto/pkcs5.c 
b/src/libstrongswan/crypto/pkcs5.c
+index e48a9ad..134ccd3 100644
+--- a/src/libstrongswan/crypto/pkcs5.c
++++ b/src/libstrongswan/crypto/pkcs5.c
+@@ -113,6 +113,11 @@ static bool verify_padding(crypter_t *crypter, chunk_t 
*blob)
+ {
+       uint8_t padding, count;
+ 
++      if (!blob->len)
++      {
++                return FALSE;
++       }
++
+       padding = count = blob->ptr[blob->len - 1];
+ 
+       if (padding > crypter->get_block_size(crypter))
+diff --git a/src/libstrongswan/plugins/pkcs7/pkcs7_enveloped_data.c 
b/src/libstrongswan/plugins/pkcs7/pkcs7_enveloped_data.c
+index 8b26bad..3d601d6 100644
+--- a/src/libstrongswan/plugins/pkcs7/pkcs7_enveloped_data.c
++++ b/src/libstrongswan/plugins/pkcs7/pkcs7_enveloped_data.c
+@@ -182,10 +182,17 @@ static bool decrypt(private_key_t *private, chunk_t key, 
chunk_t iv, int oid,
+  */
+ static bool remove_padding(private_pkcs7_enveloped_data_t *this)
+ {
+-      u_char *pos = this->content.ptr + this->content.len - 1;
+-      u_char pattern = *pos;
+-      size_t padding = pattern;
++      u_char *pos, pattern;
++      size_t padding;
+ 
++      if (!this->content.len)
++       {
++              return FALSE;
++      }
++
++      pos = this->content.ptr + this->content.len - 1;
++      pattern = *pos;
++      padding = pattern;
+       if (padding > this->content.len)
+       {
+               DBG1(DBG_LIB, "padding greater than data length");
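Review bot: The added guards in the embedded patch are indented differently from the tab-indented context around them: in `verify_padding()` the `return FALSE;` line and the closing brace, and in `remove_padding()` the opening brace after `if (!this->content.len)`, sit at other columns and appear to use spaces. If that is in the file itself and not a mail-transport artifact, it diverges from the two upstream commits named in Upstream-Status and makes later refreshes against upstream harder, so re-indenting those lines with tabs would be the fix. Both guards also return `FALSE` silently, while the next failure path in `remove_padding()` logs `DBG1(DBG_LIB, "padding greater than data length")`. Since the commit message says the empty content is reachable from an IKEv1 CERT payload, it is worth confirming whether upstream logs this rejection, so that a malformed peer message leaves a trace. Both function bodies continue past the end of their hunks, so the remaining padding checks cannot be reviewed from here.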
diff --git a/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb 
b/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb
index 6fbc345923..ac4bc5380b 100644
--- a/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb
+++ b/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb
@@ -13,6 +13,7 @@ SRC_URI = 
"https://download.strongswan.org/strongswan-${PV}.tar.bz2 \
            file://CVE-2026-25075.patch \
            file://CVE-2026-35334.patch \
            file://tls-server-Prevent-infinite-loop-if-supported-versio.patch \
+           file://pkcs5-pkcs7-Avoid-NULL-pointer-dereference-when-veri.patch \
            "
 
 SRC_URI[sha256sum] = 
"728027ddda4cb34c67c4cec97d3ddb8c274edfbabdaeecf7e74693b54fc33678"
-- 
2.34.1
