From 743cbd6ad522ff8369ed482e0eeea96d6278ccda Mon Sep 17 00:00:00 2001
From: root
Date: Wed, 5 Jun 2024 14:15:33 +0800
Subject: [PATCH 1/2] fix cve-2024-3652
---
 fix-cve-2024-3652.patch | 91 +++++++++++++++++++++++++++++++++++++++++
 libreswan.spec | 6 ++-
 2 files changed, 96 insertions(+), 1 deletion(-)
 create mode 100644 fix-cve-2024-3652.patch
diff --git a/fix-cve-2024-3652.patch b/fix-cve-2024-3652.patch
new file mode 100644
index 0000000..d7d45a4
--- /dev/null
+++ b/fix-cve-2024-3652.patch
@@ -0,0 +1,91 @@
+From 8143e31a5b50fc378adae95c8ef8b00b04fdbbc4 Mon Sep 17 00:00:00 2001
+From: root
+Date: Wed, 5 Jun 2024 13:40:57 +0800
+Subject: [PATCH] fix-cve-3652
+
+---
+ programs/pluto/ikev1_quick.c | 41 ++++++++++++++----------------------
+ 1 file changed, 16 insertions(+), 25 deletions(-)
+
+diff --git a/programs/pluto/ikev1_quick.c b/programs/pluto/ikev1_quick.c
+index 81c522c..dc1faff 100644
+--- a/programs/pluto/ikev1_quick.c
++++ b/programs/pluto/ikev1_quick.c
+@@ -203,7 +203,7 @@ static bool emit_subnet_id(enum perspective perspective,
+ * RFC 2409 "IKE" section 5.5
+ * specifies how this is to be done.
+ */
+-static void compute_proto_keymat(struct state *st,
++static bool compute_proto_keymat(struct state *st,
+ uint8_t protoid,
+ struct ipsec_proto_info *pi,
+ const char *satypename)
+@@ -297,27 +297,13 @@ static void compute_proto_keymat(struct state *st,
+ }
+ break;
+
+- case ESP_CAST:
+- case ESP_TWOFISH:
+- case ESP_SERPENT:
+- /* ESP_SEED is for IKEv1 only and not supported.
Its number in IKEv2 has been re-used */
+- bad_case(pi->attrs.transattrs.ta_ikev1_encrypt);
+-
+ default:
+- /* bytes */
+- needed_len = encrypt_max_key_bit_length(pi->attrs.transattrs.ta_encrypt) / BITS_PER_BYTE;
+- if (needed_len > 0) {
+- /* XXX: check key_len coupling with kernel.c's */
+- if (pi->attrs.transattrs.enckeylen) {
+- needed_len =
+- pi->attrs.transattrs.enckeylen
+- / BITS_PER_BYTE;
+- dbg("compute_proto_keymat: key_len=%d from peer",
+- (int)needed_len);
+- }
+- break;
+- }
+- bad_case(pi->attrs.transattrs.ta_ikev1_encrypt);
++ {
++ enum_buf eb;
++ llog(RC_LOG, st->logger, "rejecting request for keymat for %s",
++ str_enum(&esp_transformid_names, protoid, &eb));
++ return false;
++ }
+ }
+ dbg("compute_proto_keymat: needed_len (after ESP enc)=%d", (int)needed_len);
+ needed_len += pi->attrs.transattrs.ta_integ->integ_keymat_size;
+@@ -359,14 +345,17 @@ static void compute_proto_keymat(struct state *st,
+ DBG_dump_hunk(" inbound:", pi->inbound.keymat);
+ DBG_dump_hunk(" outbound:", pi->outbound.keymat);
+ }
++
++ return true;
+ }
+
+-static void compute_keymats(struct state *st)
++static bool compute_keymats(struct state *st)
+ {
+ if (st->st_ah.present)
+- compute_proto_keymat(st, PROTO_IPSEC_AH, &st->st_ah, "AH");
++ return compute_proto_keymat(st, PROTO_IPSEC_AH, &st->st_ah, "AH");
+ if (st->st_esp.present)
+- compute_proto_keymat(st, PROTO_IPSEC_ESP, &st->st_esp, "ESP");
++ return compute_proto_keymat(st, PROTO_IPSEC_ESP, &st->st_esp, "ESP");
++ return false;
+ }
+
+ /*
+@@ -1460,7 +1449,9 @@ static stf_status quick_inI1_outR1_continue12_tail(struct state *st, struct msg_
+ fixup_v1_HASH(st, &hash_fixup, st->st_v1_msgid.id, rbody.cur);
+
+ /* Derive new keying material */
+- compute_keymats(st);
++ if (!compute_keymats(st)) {
++ return STF_FATAL;
++ }
+
+ /* Tell the kernel to establish the new inbound SA
+ * (unless the commit bit is set -- which we don't support).
+--
+2.33.0
+
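Review bot: compute_keymats (the @@ -359 hunk of the embedded ikev1_quick.c patch) now returns straight out of the AH branch, so a state with both st_ah.present and st_esp.present never derives ESP keymat yet still reaches the kernel-install step, and a state with neither flag set now returns false, which the @@ -1460 hunk turns into STF_FATAL where the old void function simply fell through both if-statements. Each call should be checked separately and true returned only once both present protocols have succeeded, as in the rewrite below. The llog in the @@ -297 default case also passes protoid, which the callers hand in as PROTO_IPSEC_AH/PROTO_IPSEC_ESP, to str_enum over esp_transformid_names, so the rejected value is printed under the wrong table; if that switch is over pi->attrs.transattrs.ta_ikev1_encrypt, as the removed bad_case() suggests, the line should read `str_enum(&esp_transformid_names, pi->attrs.transattrs.ta_ikev1_encrypt, &eb)`. The head of that switch and the rest of compute_proto_keymat lie outside the hunk.
```c
static bool compute_keymats(struct state *st)
{
	if (st->st_ah.present &&
	    !compute_proto_keymat(st, PROTO_IPSEC_AH, &st->st_ah, "AH")) {
		return false;
	}
	if (st->st_esp.present &&
	    !compute_proto_keymat(st, PROTO_IPSEC_ESP, &st->st_esp, "ESP")) {
		return false;
	}
	return true;
}
```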
diff --git a/libreswan.spec b/libreswan.spec
index c0039f0..d44fa50 100644
--- a/libreswan.spec
+++ b/libreswan.spec
@@ -1,4 +1,4 @@
-%define anolis_release 1
+%define anolis_release 2
 %global _hardened_build 1
 # These are rpm macros and are 0 or 1
@@ -43,6 +43,7 @@ Source3: https://download.libreswan.org/cavs/ikev2.fax.bz2
 %endif
 Patch1001: 1001-Fix-the-error-that-the-variable-is-not-defined.patch
+Patch1002: fix-cve-2024-3652.patch
 BuildRequires: audit-libs-devel
 BuildRequires: bison
@@ -199,6 +200,9 @@ certutil -N -d sql:$tmpdir --empty-password
 %doc docs/*.*
 %changelog
+* Thu June 05 2024 Yangxinyu - 4.12-2
+- fix cve-2024-3652
+
 * Sat Oct 07 2023 Xiaoping Liu - 4.12-1
 - Update to 4.12 for CVE-2023-38710, CVE-2023-38711 and CVE-2023-38712
--
Gitee
From c5b0872d74cc0c173ac2d2014c5bc4586a55a942 Mon Sep 17 00:00:00 2001
From: root
Date: Wed, 5 Jun 2024 14:38:36 +0800
Subject: [PATCH 2/2] update
---
 fix-cve-2024-3652.patch | 2 +-
 libreswan.spec | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/fix-cve-2024-3652.patch b/fix-cve-2024-3652.patch
index d7d45a4..62d4772 100644
--- a/fix-cve-2024-3652.patch
+++ b/fix-cve-2024-3652.patch
@@ -47,7 +47,7 @@ index 81c522c..dc1faff 100644
 - bad_case(pi->attrs.transattrs.ta_ikev1_encrypt);
 + {
 + enum_buf eb;
-+ llog(RC_LOG, st->logger, "rejecting request for keymat for %s",
++ llog(RC_LOG, st->st_logger, "rejecting request for keymat for %s",
 + str_enum(&esp_transformid_names, protoid, &eb));
 + return false;
 + }
diff --git a/libreswan.spec b/libreswan.spec
index d44fa50..a2e4122 100644
--- a/libreswan.spec
+++ b/libreswan.spec
@@ -200,7 +200,7 @@ certutil -N -d sql:$tmpdir --empty-password
 %doc docs/*.*
 %changelog
-* Thu June 05 2024 Yangxinyu - 4.12-2
+* Wed June 05 2024 Yangxinyu - 4.12-2
 - fix cve-2024-3652
 * Sat Oct 07 2023 Xiaoping Liu - 4.12-1
--
Gitee