community/strongswan to 5.6.2-2

2025-02-16 23:57:11 +00:00 · 2018-05-26 23:32:35 +00:00 · 2018-05-26 23:32:35 +00:00 · c22eed294a
commit c22eed294a
parent 83b7005d46
2 changed files with 30 additions and 2 deletions
--- a/community/strongswan/PKGBUILD
+++ b/community/strongswan/PKGBUILD
@ -14,7 +14,7 @@

 pkgname=strongswan
 pkgver=5.6.2
-pkgrel=1
+pkgrel=2
 pkgdesc="open source IPsec implementation"
 url='http://www.strongswan.org'
 license=("GPL2")
@ -46,13 +46,15 @@ vici.conf,x509.conf,xauth-eap.conf,xauth-generic.conf,xcbc.conf,unity.conf,curve
 source=("https://download.strongswan.org/strongswan-${pkgver}.tar.bz2"
    "https://download.strongswan.org/strongswan-${pkgver}.tar.bz2.sig"
    'configure_ac.patch'
+    'cve_2018_5388.patch'
    )

 validpgpkeys=("948F158A4E76A27BF3D07532DF42C170B34DBA77")

 sha512sums=('cf2d5cb6c45d991fe0ad8eed4ea8628f95a1871e9728ddf0985aa26e78d1e6da1c92c961772aafd3e55cfcfa84516204a15561389d373f78140f05607b248c52'
            'SKIP'
-            '0e2c818f2f620410dda949d9016a4c1a686bf2946acb3b42a729b2376c077f4dad6762fe8d2f736c213c4895c1fbd60c0d654a1c36f72d06f58ba7cff635bc74')
+            '0e2c818f2f620410dda949d9016a4c1a686bf2946acb3b42a729b2376c077f4dad6762fe8d2f736c213c4895c1fbd60c0d654a1c36f72d06f58ba7cff635bc74'
+            '77cfce88de2cb72d69c93f80f607a2f95cfedac45b40c8e9d60e22df07f0a37a617797e0cfa1b6132eb7a748ec694b6621e0e1ee0e80300431efc1a516713fcf')

 # We don't build libipsec because it would get loaded before kernel-netlink and netkey, which
 # would case processing to be handled in user space. Also, the plugin is experimental. If you need it,
@ -60,6 +62,7 @@ sha512sums=('cf2d5cb6c45d991fe0ad8eed4ea8628f95a1871e9728ddf0985aa26e78d1e6da1c9
 prepare() {
    cd "${srcdir}/${pkgname}-${pkgver}"
    patch -p1 -l < "${srcdir}/configure_ac.patch"
+    patch -p1 -l < "${srcdir}/cve_2018_5388.patch"
    autoreconf
 }

--- a/community/strongswan/cve_2018_5388.patch
+++ b/community/strongswan/cve_2018_5388.patch
@ -0,0 +1,25 @@
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Tue, 13 Mar 2018 17:54:08 +0000 (+0100)
+Subject: stroke: Ensure a minimum message length
+X-Git-Tag: 5.6.3dr1~28
+X-Git-Url: https://git.strongswan.org/?p=strongswan.git;a=commitdiff_plain;h=0acd1ab4
+
+stroke: Ensure a minimum message length
+---
+
+diff --git a/src/libcharon/plugins/stroke/stroke_socket.c b/src/libcharon/plugins/stroke/stroke_socket.c
+index c568440..1e7f210 100644
+--- a/src/libcharon/plugins/stroke/stroke_socket.c
+++ b/src/libcharon/plugins/stroke/stroke_socket.c
+@@ -627,6 +627,11 @@ static bool on_accept(private_stroke_socket_t *this, stream_t *stream)
+ 		}
+ 		return FALSE;
+ 	}
+	if (len < offsetof(stroke_msg_t, buffer))
+	{
+		DBG1(DBG_CFG, "invalid stroke message length %d", len);
+		return FALSE;
+	}
+ 
+ 	/* read message (we need an additional byte to terminate the buffer) */
+ 	msg = malloc(len + 1);