diff -Nru strongswan-5.3.5/debian/changelog strongswan-5.3.5/debian/changelog
--- strongswan-5.3.5/debian/changelog 2018-09-18 11:40:08.000000000 +0000
+++ strongswan-5.3.5/debian/changelog 2018-09-26 18:38:03.000000000 +0000
@@ -1,3 +1,13 @@
+strongswan (5.3.5-1ubuntu3.8) xenial-security; urgency=medium
+
+ * SECURITY UPDATE: Insufficient input validation in gmp plugin
+ - debian/patches/strongswan-4.4.0-5.7.0_gmp-pkcs1-overflow.patch: fix
+ buffer overflow with very small RSA keys in
+ src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c.
+ - CVE-2018-17540
+
+ -- Marc Deslauriers Wed, 26 Sep 2018 14:38:03 -0400
+
 strongswan (5.3.5-1ubuntu3.7) xenial-security; urgency=medium
 
 * SECURITY UPDATE: Insufficient input validation in gmp plugin
diff -Nru strongswan-5.3.5/debian/patches/series strongswan-5.3.5/debian/patches/series
--- strongswan-5.3.5/debian/patches/series 2018-09-18 11:38:56.000000000 +0000
+++ strongswan-5.3.5/debian/patches/series 2018-09-26 18:37:57.000000000 +0000
@@ -11,3 +11,4 @@
 strongswan-5.3.1-5.6.0_gmp-pkcs1-verify.patch
 strongswan-5.0.1-5.4.0_skeyseed_init.patch
 strongswan-5.1.2-5.6.2_stroke_msg_len.patch
+strongswan-4.4.0-5.7.0_gmp-pkcs1-overflow.patch
diff -Nru strongswan-5.3.5/debian/patches/strongswan-4.4.0-5.7.0_gmp-pkcs1-overflow.patch strongswan-5.3.5/debian/patches/strongswan-4.4.0-5.7.0_gmp-pkcs1-overflow.patch
--- strongswan-5.3.5/debian/patches/strongswan-4.4.0-5.7.0_gmp-pkcs1-overflow.patch 1970-01-01 00:00:00.000000000 +0000
+++ strongswan-5.3.5/debian/patches/strongswan-4.4.0-5.7.0_gmp-pkcs1-overflow.patch 2018-09-26 18:38:00.000000000 +0000
@@ -0,0 +1,35 @@
+From 129ab919a8c3abfc17bea776f0774e0ccf33ca09 Mon Sep 17 00:00:00 2001
+From: Tobias Brunner
+Date: Tue, 25 Sep 2018 14:50:08 +0200
+Subject: [PATCH] gmp: Fix buffer overflow with very small RSA keys
+
+Because `keylen` is unsigned the subtraction results in an integer
+underflow if the key length is < 11 bytes.
+
+This is only a problem when verifying signatures with a public key (for
+private keys the plugin enforces a minimum modulus length) and to do so
+we usually only use trusted keys. However, the x509 plugin actually
+calls issued_by() on a parsed certificate to check if it is self-signed,
+which is the reason this issue was found by OSS-Fuzz in the first place.
+So, unfortunately, this can be triggered by sending an invalid client
+cert to a peer.
+
+Fixes: 5955db5b124a ("gmp: Don't parse PKCS1 v1.5 RSA signatures to verify them")
+Fixes: CVE-2018-17540
+---
+ src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: strongswan-5.3.5/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
+===================================================================
+--- strongswan-5.3.5.orig/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c 2018-09-26 14:37:58.780418655 -0400
++++ strongswan-5.3.5/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c 2018-09-26 14:37:58.780418655 -0400
+@@ -299,7 +299,7 @@ bool gmp_emsa_pkcs1_signature_data(hash_
+ data = digestInfo;
+ }
+
+- if (data.len > keylen - 11)
++ if (keylen < 11 || data.len > keylen - 11)
+ {
+ chunk_free(&digestInfo);
+ DBG1(DBG_LIB, "signature value of %zu bytes is too long for key of "
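Review bot: The new condition `if (keylen < 11 || data.len > keylen - 11)` leaves 11 as a bare constant with nothing saying why a key below that size is rejected; a short comment above the check, `/* PKCS#1 v1.5 block: 0x00 0x01, at least 8 padding bytes, 0x00 separator = 11 bytes of overhead */`, would let a reader verify the bound without consulting the spec. In the `keylen < 11` case the DBG1 message on the last context line still reports the signature value as "too long for key", which is misleading for a key that is simply too small to hold any PKCS#1 v1.5 block; if the key size matters for diagnostics, a distinct message for that branch would be clearer. The body of `gmp_emsa_pkcs1_signature_data` starts and ends outside the hunk, so where `keylen` is derived and whether the DBG1 arguments include it cannot be checked here.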