rpms/libreswan
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Fix CVE-2024-2357

Browse Source 
Resolves: RHEL-28743
Signed-off-by: Daiki Ueno <dueno@redhat.com>
This commit is contained in:
Daiki Ueno 2024-04-11 10:37:37 +09:00
parent ee24f10452
commit 673a1e3414
2 changed files with 59 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

54
libreswan-4.12-ikev2-auth-delete-state.patch Normal file
View File

@ -0,0 +1,54 @@
From 2ec448884a7467743699803f8a36ee28d237666c Mon Sep 17 00:00:00 2001
From: Andrew Cagney <cagney@gnu.org>
Date: Wed, 28 Feb 2024 08:29:53 -0500
Subject: [PATCH] ikev2: return STF_FATAL when initiator fails to emit AUTH
packet
---
programs/pluto/ikev2_ike_auth.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/programs/pluto/ikev2_ike_auth.c b/programs/pluto/ikev2_ike_auth.c
index 192eb1b3b6..a54a109699 100644
--- a/programs/pluto/ikev2_ike_auth.c
+++ b/programs/pluto/ikev2_ike_auth.c
@@ -1267,7 +1267,7 @@ static stf_status process_v2_IKE_AUTH_request_auth_signature_continue(struct ike
/* now send AUTH payload */
if (!emit_local_v2AUTH(ike, auth_sig, &ike->sa.st_v2_id_payload.mac, response.pbs)) {
- return STF_INTERNAL_ERROR;
+ return STF_FATAL;
}
ike->sa.st_v2_ike_intermediate.used = false;
--
2.44.0
From 16272f2475d25baab58fbed2af7c67cfb459137f Mon Sep 17 00:00:00 2001
From: Andrew Cagney <cagney@gnu.org>
Date: Thu, 29 Feb 2024 12:19:20 -0500
Subject: [PATCH] ikev2: always return STF_FATAL if emitting AUTH fails
Fix:
ikev2: return STF_FATAL when initiator fails to emit AUTH packet
which really fixed the responder.
---
programs/pluto/ikev2_ike_auth.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/programs/pluto/ikev2_ike_auth.c b/programs/pluto/ikev2_ike_auth.c
index a54a109699..491053fb10 100644
--- a/programs/pluto/ikev2_ike_auth.c
+++ b/programs/pluto/ikev2_ike_auth.c
@@ -397,7 +397,7 @@ stf_status initiate_v2_IKE_AUTH_request_signature_continue(struct ike_sa *ike,
/* send out the AUTH payload */
if (!emit_local_v2AUTH(ike, auth_sig, &ike->sa.st_v2_id_payload.mac, request.pbs)) {
- return STF_INTERNAL_ERROR;
+ return STF_FATAL;
}
if (LIN(POLICY_MOBIKE, ike->sa.st_connection->policy)) {
--
2.44.0

6
libreswan.spec
View File

@ -31,7 +31,7 @@ Name: libreswan
Summary: Internet Key Exchange (IKEv1 and IKEv2) implementation for IPsec
# version is generated in the release script
Version: 4.12
Release: %{?prever:0.}1%{?prever:.%{prever}}%{?dist}
Release: %{?prever:0.}2%{?prever:.%{prever}}%{?dist}
License: GPLv2
Url: https://libreswan.org/
Source0: https://download.libreswan.org/%{?prever:development/}%{name}-%{version}%{?prever}.tar.gz
@ -41,6 +41,7 @@ Source2: https://download.libreswan.org/cavs/ikev1_psk.fax.bz2
Source3: https://download.libreswan.org/cavs/ikev2.fax.bz2
%endif
Patch: libreswan-4.6-ikev1-policy-defaults-to-drop.patch
Patch: libreswan-4.12-ikev2-auth-delete-state.patch
BuildRequires: audit-libs-devel
BuildRequires: bison
@ -196,6 +197,9 @@ certutil -N -d sql:$tmpdir --empty-password
%doc %{_mandir}/*/*
%changelog
* Thu Apr 11 2024 Daiki Ueno <dueno@redhat.com> - 4.12-2
- Fix CVE-2024-2357 (RHEL-28743)
* Wed Aug 9 2023 Daiki Ueno <dueno@redhat.com> - 4.12-1
- Update to 4.12 to fix CVE-2023-38710, CVE-2023-38711, CVE-2023-38712
- Resolves: rhbz#2215956