On Sat, 2023-03-18 at 09:04 +0100, Sebastian Ramacher wrote: > Could you please provide a diff between testing und unstable? Thanks Sure, here it is. -- Yves-Alexis
diff --git a/debian/changelog b/debian/changelog
index 0c44889a4f..d652c79fa1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,18 @@
+strongswan (5.9.8-5) unstable; urgency=medium
+
+ * No-change upload for source-only upload.
+
+ -- Yves-Alexis Perez <corsac@debian.org> Fri, 03 Mar 2023 18:56:58 +0100
+
+strongswan (5.9.8-4) unstable; urgency=medium
+
+ * d/patches: libtls-Fix-authentication-bypass-and-expired-pointer added.
+ Fix authentication bypass and use-after-free in libtls (CVE-2023-26463)
+ * d/control: replace lsb-base dependency by sysvinit-utils
+ * d/control: update standards version to 4.6.2
+
+ -- Yves-Alexis Perez <corsac@debian.org> Sun, 26 Feb 2023 09:40:09 +0100
+
strongswan (5.9.8-3) unstable; urgency=medium
* d/tests: also drop _copyright test since the util is gone as well
diff --git a/debian/control b/debian/control
index 8d79682193..3035fc5818 100644
--- a/debian/control
+++ b/debian/control
@@ -3,7 +3,7 @@ Section: net
Priority: optional
Maintainer: strongSwan Maintainers <pkg-swan-devel@lists.alioth.debian.org>
Uploaders: Yves-Alexis Perez <corsac@debian.org>
-Standards-Version: 4.6.0
+Standards-Version: 4.6.2
Vcs-Browser: https://salsa.debian.org/debian/strongswan
Vcs-Git: https://salsa.debian.org/debian/strongswan.git
Build-Depends: bison,
@@ -209,7 +209,7 @@ Architecture: any
Pre-Depends: ${misc:Pre-Depends}
Depends: adduser,
libstrongswan (= ${binary:Version}),
- lsb-base (>= 3.0-6),
+ sysvinit-utils (>= 3.05-3),
${misc:Depends},
${shlibs:Depends}
Recommends: strongswan-charon
diff --git a/debian/gbp.conf b/debian/gbp.conf
index 48731a6968..b872cdb2e8 100644
--- a/debian/gbp.conf
+++ b/debian/gbp.conf
@@ -1,4 +1,4 @@
[DEFAULT]
pristine-tar = True
-debian-branch = debian/master
-upstream-branch = upstream/latest
+debian-branch = debian/bookworm
+upstream-branch = upstream/bookworm
diff --git a/debian/patches/0005-libtls-Fix-authentication-bypass-and-expired-pointer.patch b/debian/patches/0005-libtls-Fix-authentication-bypass-and-expired-pointer.patch
new file mode 100644
index 0000000000..5826e2e64a
--- /dev/null
+++ b/debian/patches/0005-libtls-Fix-authentication-bypass-and-expired-pointer.patch
@@ -0,0 +1,43 @@
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Fri, 17 Feb 2023 15:07:20 +0100
+Subject: libtls: Fix authentication bypass and expired pointer dereference
+
+`public` is returned, but previously only if a trusted key was found.
+We obviously don't want to return untrusted keys. However, since the
+reference is released after determining the key type, the returned
+object also doesn't have the correct refcount.
+
+So when the returned reference is released after verifying the TLS
+signature, the public key object is actually destroyed. The certificate
+object then points to an expired pointer, which is dereferenced once it
+itself is destroyed after the authentication is complete. Depending on
+whether the pointer is valid (i.e. points to memory allocated to the
+process) and what was allocated there after the public key was freed,
+this could result in a segmentation fault or even code execution.
+
+Fixes: 63fd718915b5 ("libtls: call create_public_enumerator() with key_type")
+Fixes: CVE-2023-26463
+---
+ src/libtls/tls_server.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/libtls/tls_server.c b/src/libtls/tls_server.c
+index c9c3009..573893f 100644
+--- a/src/libtls/tls_server.c
++++ b/src/libtls/tls_server.c
+@@ -183,11 +183,11 @@ public_key_t *tls_find_public_key(auth_cfg_t *peer_auth, identification_t *id)
+ cert = peer_auth->get(peer_auth, AUTH_HELPER_SUBJECT_CERT);
+ if (cert)
+ {
+- public = cert->get_public_key(cert);
+- if (public)
++ current = cert->get_public_key(cert);
++ if (current)
+ {
+- key_type = public->get_type(public);
+- public->destroy(public);
++ key_type = current->get_type(current);
++ current->destroy(current);
+ }
+ enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
+ key_type, id, peer_auth, TRUE);
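Review bot: The temporary `current` taken on the new line `current = cert->get_public_key(cert);` is released two lines later and must never be what the function returns, yet nothing at this spot says so, and the commit message is the only place that explains why the key is not kept. I would add `/* only borrowed to learn the key type; released here so the value returned as public can only come from the trusted credential lookup below */` above `current->destroy(current);` so the ownership rule survives the next refactor. The declaration of `current` and the initialisation of `public` lie outside this hunk; the diffstat of 4 insertions and 4 deletions suggests `current` was already declared in the function, which I cannot confirm from here. tls_find_public_key continues past the hunk with the enumerator created on the last two lines, which presumably is where `public` is assigned from a trusted match.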
diff --git a/debian/patches/series b/debian/patches/series
index 3bd034cee4..488dca9c13 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,4 @@
03_systemd-service.patch
04_disable-libtls-tests.patch
dont-load-kernel-libipsec-plugin-by-default.patch
+0005-libtls-Fix-authentication-bypass-and-expired-pointer.patch