On Sat, 2023-03-18 at 09:04 +0100, Sebastian Ramacher wrote:
> Could you please provide a diff between testing and unstable? Thanks

Sure, here it is.
-- 
Yves-Alexis
diff --git a/debian/changelog b/debian/changelog index 0c44889a4f..d652c79fa1 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,18 @@ +strongswan (5.9.8-5) unstable; urgency=medium + + * No-change upload for source-only upload. + + -- Yves-Alexis Perez <corsac@debian.org> Fri, 03 Mar 2023 18:56:58 +0100 + +strongswan (5.9.8-4) unstable; urgency=medium + + * d/patches: libtls-Fix-authentication-bypass-and-expired-pointer added. + Fix authentication bypass and use-after-free in libtls (CVE-2023-26463) + * d/control: replace lsb-base dependency by sysvinit-utils + * d/control: update standards version to 4.6.2 + + -- Yves-Alexis Perez <corsac@debian.org> Sun, 26 Feb 2023 09:40:09 +0100 + strongswan (5.9.8-3) unstable; urgency=medium * d/tests: also drop _copyright test since the util is gone as well diff --git a/debian/control b/debian/control index 8d79682193..3035fc5818 100644 --- a/debian/control +++ b/debian/control @@ -3,7 +3,7 @@ Section: net Priority: optional Maintainer: strongSwan Maintainers <pkg-swan-devel@lists.alioth.debian.org> Uploaders: Yves-Alexis Perez <corsac@debian.org> -Standards-Version: 4.6.0 +Standards-Version: 4.6.2 Vcs-Browser: https://salsa.debian.org/debian/strongswan Vcs-Git: https://salsa.debian.org/debian/strongswan.git Build-Depends: bison, @@ -209,7 +209,7 @@ Architecture: any Pre-Depends: ${misc:Pre-Depends} Depends: adduser, libstrongswan (= ${binary:Version}), - lsb-base (>= 3.0-6), + sysvinit-utils (>= 3.05-3), ${misc:Depends}, ${shlibs:Depends} Recommends: strongswan-charon diff --git a/debian/gbp.conf b/debian/gbp.conf index 48731a6968..b872cdb2e8 100644 --- a/debian/gbp.conf +++ b/debian/gbp.conf @@ -1,4 +1,4 @@ [DEFAULT] pristine-tar = True -debian-branch = debian/master -upstream-branch = upstream/latest +debian-branch = debian/bookworm +upstream-branch = upstream/bookworm 
diff --git a/debian/patches/0005-libtls-Fix-authentication-bypass-and-expired-pointer.patch b/debian/patches/0005-libtls-Fix-authentication-bypass-and-expired-pointer.patch new file mode 100644 index 0000000000..5826e2e64a --- /dev/null +++ b/debian/patches/0005-libtls-Fix-authentication-bypass-and-expired-pointer.patch 
@@ -0,0 +1,43 @@ +From: Tobias Brunner <tobias@strongswan.org> +Date: Fri, 17 Feb 2023 15:07:20 +0100 +Subject: libtls: Fix authentication bypass and expired pointer dereference + +`public` is returned, but previously only if a trusted key was found. +We obviously don't want to return untrusted keys. However, since the +reference is released after determining the key type, the returned +object also doesn't have the correct refcount. + +So when the returned reference is released after verifying the TLS +signature, the public key object is actually destroyed. The certificate +object then points to an expired pointer, which is dereferenced once it +itself is destroyed after the authentication is complete. Depending on +whether the pointer is valid (i.e. points to memory allocated to the +process) and what was allocated there after the public key was freed, +this could result in a segmentation fault or even code execution. + +Fixes: 63fd718915b5 ("libtls: call create_public_enumerator() with key_type") +Fixes: CVE-2023-26463 +--- + src/libtls/tls_server.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/src/libtls/tls_server.c b/src/libtls/tls_server.c +index c9c3009..573893f 100644 +--- a/src/libtls/tls_server.c ++++ b/src/libtls/tls_server.c +@@ -183,11 +183,11 @@ public_key_t *tls_find_public_key(auth_cfg_t *peer_auth, identification_t *id) + cert = peer_auth->get(peer_auth, AUTH_HELPER_SUBJECT_CERT); + if (cert) + { +- public = cert->get_public_key(cert); +- if (public) ++ current = cert->get_public_key(cert); ++ if (current) + { +- key_type = public->get_type(public); +- public->destroy(public); ++ key_type = current->get_type(current); ++ current->destroy(current); + } + enumerator = lib->credmgr->create_public_enumerator(lib->credmgr, + key_type, id, peer_auth, TRUE); diff --git a/debian/patches/series b/debian/patches/series index 3bd034cee4..488dca9c13 100644 --- a/debian/patches/series +++ b/debian/patches/series 
@@ -2,3 +2,4 @@ 03_systemd-service.patch 04_disable-libtls-tests.patch dont-load-kernel-libipsec-plugin-by-default.patch +0005-libtls-Fix-authentication-bypass-and-expired-pointer.patch
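Review bot: the debian/gbp.conf hunk retargets `debian-branch` and `upstream-branch` from `debian/master` / `upstream/latest` to `debian/bookworm` / `upstream/bookworm`, which is a branch-setup change rather than part of the 5.9.8-4 / 5.9.8-5 packaging work listed in the changelog hunk (both of which say `unstable`); please confirm this is the intended side of the comparison (a bookworm branch) and not a stray commit picked up in the diff.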
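Review bot: the `Depends:` hunk in debian/control swaps `lsb-base (>= 3.0-6)` for `sysvinit-utils (>= 3.05-3)` and the changelog only says "replace lsb-base dependency by sysvinit-utils"; the reason for the `>= 3.05-3` floor is not stated anywhere in the diff, so a short note in the changelog entry on why that version is required would help whoever reviews this for the stable update.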
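Review bot: the new file debian/patches/0005-libtls-Fix-authentication-bypass-and-expired-pointer.patch carries `From:`, `Date:`, `Subject:` and two `Fixes:` lines but no DEP-3 `Origin:` header (nor `Bug-Debian:`), so the upstream commit it was taken from cannot be traced from the patch itself; suggest adding `Origin: upstream, <upstream commit URL>` (placeholder, the URL is not in this diff) above the `---` separator. On the code itself, the tls_server.c hunk only renames the temporary to `current` (4 insertions, 4 deletions, matching the header), so it relies on `current` already being declared earlier in tls_find_public_key() outside the visible context; the effect is that `public` is no longer assigned the untrusted certificate key whose reference is destroyed right after the type lookup, which is what the description identifies as both the authentication bypass and the expired pointer.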
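Review bot: the debian/patches/series hunk appends `0005-libtls-Fix-authentication-bypass-and-expired-pointer.patch` next to entries named `03_systemd-service.patch`, `04_disable-libtls-tests.patch` and `dont-load-kernel-libipsec-plugin-by-default.patch`; the mixed `NN_`, `NNNN-` and unprefixed naming is a style point only, but picking one convention for upstream cherry-picks (or noting in the changelog that git-format-patch names are kept as-is) would make the series easier to read.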