From 336ee530cfa36a464864d4078d7473b54d746fd0 Mon Sep 17 00:00:00 2001
From: Azure Linux Security Servicing Account
Date: Mon, 19 Jan 2026 08:12:20 +0000
Subject: [PATCH] Patch strongswan for CVE-2025-62291

---
 SPECS/strongswan/CVE-2025-62291.patch | 46 +++++++++++++++++++++++++++
 SPECS/strongswan/strongswan.spec | 6 +++-
 2 files changed, 51 insertions(+), 1 deletion(-)
 create mode 100644 SPECS/strongswan/CVE-2025-62291.patch

diff --git a/SPECS/strongswan/CVE-2025-62291.patch b/SPECS/strongswan/CVE-2025-62291.patch
new file mode 100644
index 00000000000..97969418cd3
--- /dev/null
+++ b/SPECS/strongswan/CVE-2025-62291.patch
@@ -0,0 +1,46 @@
+From 3b09614449e5eb4249a797d9912b67c58124d96a Mon Sep 17 00:00:00 2001
+From: Tobias Brunner
+Date: Thu, 9 Oct 2025 11:33:45 +0200
+Subject: [PATCH] eap-mschapv2: Fix length check for Failure Request packets on
+ the client
+
+For message lengths between 6 and 8, subtracting HEADER_LEN (9) causes
+`message_len` to become negative, which is then used in calls to malloc()
+and memcpy() that both take size_t arguments, causing an integer
+underflow.
+
+For 6 and 7, the huge size requested from malloc() will fail (it exceeds
+PTRDIFF_MAX) and the returned NULL pointer will cause a segmentation
+fault in memcpy().
+
+However, for 8, the allocation is 0, which succeeds. But then the -1
+passed to memcpy() causes a heap-based buffer overflow (and possibly a
+segmentation fault when attempting to read/write that much data).
+Fortunately, if compiled with -D_FORTIFY_SOURCE=3 (the default on e.g.
+Ubuntu), the compiler will use __memcpy_chk(), which prevents that buffer
+overflow and causes the daemon to get aborted immediately instead.
+
+Fixes: f98cdf7a4765 ("adding plugin for EAP-MS-CHAPv2")
+Fixes: CVE-2025-62291
+Signed-off-by: Azure Linux Security Servicing Account
+Upstream-reference: https://download.strongswan.org/security/CVE-2025-62291/strongswan-4.4.0-6.0.2_eap_mschapv2_failure_request_len.patch
+---
+ src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
+index 1bb54c8..9ad509a 100644
+--- a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
++++ b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
+@@ -974,7 +974,7 @@ static status_t process_peer_failure(private_eap_mschapv2_t *this,
+ data = in->get_data(in);
+ eap = (eap_mschapv2_header_t*)data.ptr;
+ 
+- if (data.len < 3) /* we want at least an error code: E=e */
++ if (data.len < HEADER_LEN + 3) /* we want at least an error code: E=e */
+ {
+ DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: too short");
+ return FAILED;
+--
+2.45.4
+
diff --git a/SPECS/strongswan/strongswan.spec b/SPECS/strongswan/strongswan.spec
index 15c33fd16d9..d1184723268 100644
--- a/SPECS/strongswan/strongswan.spec
+++ b/SPECS/strongswan/strongswan.spec
@@ -12,7 +12,7 @@
 
 Name: strongswan
 Version: 5.9.14
-Release: 7%{?dist}
+Release: 8%{?dist}
 Summary: An OpenSource IPsec-based VPN and TNC solution
 # Automatically converted from old format: GPLv2+ - review is highly recommended.
 License: GPL-2.0-or-later
@@ -31,6 +31,7 @@ Patch2: strongswan-6.0.0-gcc15.patch
 Patch3: strongswan-6.0.1-gcc15.patch
 Patch4: strongswan-fix-make-check.patch
 Patch5: 0001-Extending-timeout-for-test-cases-with-multiple-read-.patch
+Patch6: CVE-2025-62291.patch
 
 BuildRequires: autoconf
 BuildRequires: automake
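Review bot: The `@@ -31,6 +31,7 @@` hunk declares `Patch6: CVE-2025-62291.patch` but nothing in this diff shows the patch being applied in %prep, which is outside the visible hunks. If %prep uses `%autosetup`/`%autopatch` the declaration alone is enough; if it lists patches explicitly, an additional `%patch -P6 -p1` line is needed, otherwise the package would carry the CVE patch file and the changelog entry while still building the unpatched process_peer_failure() length check. Confirming that the build log shows the patch being applied (or that the spec uses %autosetup) would close the gap.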
@@ -425,6 +426,9 @@ install -D -m 0644 %{SOURCE3} %{buildroot}/%{_tmpfilesdir}/strongswan-starter.co
 %endif
 
 %changelog
+* Mon Jan 19 2026 Azure Linux Security Servicing Account - 5.9.14-8
+- Patch for CVE-2025-62291
+
 * Fri May 23 2025 Mayank Singh - 5.9.14-7
 - Initial Azure Linux import from Fedora 42 (license: MIT).
 - License verified