diff -Nru strongswan-5.9.11/debian/changelog strongswan-5.9.11/debian/changelog --- strongswan-5.9.11/debian/changelog 2023-06-23 17:05:18.000000000 +0000 +++ strongswan-5.9.11/debian/changelog 2023-11-07 09:43:00.000000000 +0000 @@ -1,3 +1,13 @@ +strongswan (5.9.11-1ubuntu1.1) mantic-security; urgency=medium + + * SECURITY UPDATE: Buffer Overflow When Handling DH Public Values + - debian/patches/CVE-2023-41913.patch: Validate DH public key to fix + potential buffer overflow in + src/charon-tkm/src/tkm/tkm_diffie_hellman.c. + - CVE-2023-41913 + + -- Marc Deslauriers Tue, 07 Nov 2023 11:43:00 +0200 + strongswan (5.9.11-1ubuntu1) mantic; urgency=medium * Merge with Debian unstable (LP: #2018113). Remaining changes: diff -Nru strongswan-5.9.11/debian/patches/CVE-2023-41913.patch strongswan-5.9.11/debian/patches/CVE-2023-41913.patch --- strongswan-5.9.11/debian/patches/CVE-2023-41913.patch 1970-01-01 00:00:00.000000000 +0000 +++ strongswan-5.9.11/debian/patches/CVE-2023-41913.patch 2023-11-07 09:41:11.000000000 +0000 @@ -0,0 +1,42 @@ +From 027421cbd2e6e628f5f959c74d722afadc477485 Mon Sep 17 00:00:00 2001 +From: Tobias Brunner +Date: Tue, 11 Jul 2023 12:12:25 +0200 +Subject: [PATCH] charon-tkm: Validate DH public key to fix potential buffer + overflow + +Seems this was forgotten in the referenced commit and actually could lead +to a buffer overflow. Since charon-tkm is untrusted this isn't that +much of an issue but could at least be easily exploited for a DoS attack +as DH public values are set when handling IKE_SA_INIT requests. + +Fixes: 0356089d0f94 ("diffie-hellman: Verify public DH values in backends") +Fixes: CVE-2023-41913 +--- + src/charon-tkm/src/tkm/tkm_diffie_hellman.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/src/charon-tkm/src/tkm/tkm_diffie_hellman.c b/src/charon-tkm/src/tkm/tkm_diffie_hellman.c +index 2b2d103d03e9..6999ad360d7e 100644 +--- a/src/charon-tkm/src/tkm/tkm_diffie_hellman.c ++++ b/src/charon-tkm/src/tkm/tkm_diffie_hellman.c +@@ -70,11 +70,16 @@ METHOD(key_exchange_t, get_shared_secret, bool, + return TRUE; + } + +- + METHOD(key_exchange_t, set_public_key, bool, + private_tkm_diffie_hellman_t *this, chunk_t value) + { + dh_pubvalue_type othervalue; ++ ++ if (!key_exchange_verify_pubkey(this->group, value) || ++ value.len > sizeof(othervalue.data)) ++ { ++ return FALSE; ++ } + othervalue.size = value.len; + memcpy(&othervalue.data, value.ptr, value.len); + +-- +2.34.1 + diff -Nru strongswan-5.9.11/debian/patches/series strongswan-5.9.11/debian/patches/series --- strongswan-5.9.11/debian/patches/series 2023-06-23 17:04:07.000000000 +0000 +++ strongswan-5.9.11/debian/patches/series 2023-11-07 09:41:11.000000000 +0000 @@ -2,3 +2,4 @@ 03_systemd-service.patch 04_disable-libtls-tests.patch dont-load-kernel-libipsec-plugin-by-default.patch +CVE-2023-41913.patch