[{"id":3679971,"web_url":"http://patchwork.ozlabs.org/comment/3679971/","msgid":"<fa7ab75f-67bc-4f0a-9fd2-cfbce7d6a58e@mind.be>","list_archive_url":null,"date":"2026-04-21T16:24:30","subject":"Re: [Buildroot] [PATCH for 2025.02.x] package/strongswan: add patch\n for CVE-2026-25075","submitter":{"id":90763,"url":"http://patchwork.ozlabs.org/api/people/90763/","name":"Titouan Christophe","email":"titouan.christophe@mind.be"},"content":"Hello Thomas and all,\n\nI forgot to add\n\n# 0002-fix-cve-2026-25075.patch\nSTRONGSWAN_IGNORE_CVES += CVE-2026-25075\n\nin strongswan/strongswan.mk\n\nCould you please include that change when applying the patch on the LTS \nbranch ?\n\nSorry for the annoyance !\n\nKind regards,\nTitouan\n\nOn 21/04/26 16:33, Titouan Christophe wrote:\n> This fixes the following vulnerability:\n> - CVE-2026-25075:\n>      strongSwan versions 4.5.0 prior to 6.0.5 contain an integer underflow\n>      vulnerability in the EAP-TTLS AVP parser that allows unauthenticated\n>      remote attackers to cause a denial of service by sending crafted AVP\n>      data with invalid length fields during IKEv2 authentication. Attackers\n>      can exploit the failure to validate AVP length fields before\n>      subtraction to trigger excessive memory allocation or NULL pointer\n>      dereference, crashing the charon IKE daemon.\n>      https://www.cve.org/CVERecord?id=CVE-2026-25075\n>\n> Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>\n> ---\n>   .../strongswan/0002-fix-cve-2026-25075.patch  | 48 +++++++++++++++++++\n>   1 file changed, 48 insertions(+)\n>   create mode 100644 package/strongswan/0002-fix-cve-2026-25075.patch\n>\n> diff --git a/package/strongswan/0002-fix-cve-2026-25075.patch b/package/strongswan/0002-fix-cve-2026-25075.patch\n> new file mode 100644\n> index 0000000000..82e07fba3f\n> --- /dev/null\n> +++ b/package/strongswan/0002-fix-cve-2026-25075.patch\n> @@ -0,0 +1,48 @@\n> +From d4b3c39776f06948d875614a0eddea9561159f2a Mon Sep 17 00:00:00 2001\n> +From: Tobias Brunner <tobias@strongswan.org>\n> +Date: Thu, 5 Mar 2026 12:43:12 +0100\n> +Subject: [PATCH] eap-ttls: Prevent crash if AVP length header field is invalid\n> +\n> +The length field in the AVP header includes the 8 bytes of the header\n> +itself.  Not checking for that and later subtracting it causes an\n> +integer underflow that usually triggers a crash when accessing a\n> +NULL pointer that resulted from the failing chunk_alloc() call because\n> +of the high value.\n> +\n> +The attempted allocations for invalid lengths (0-7) are 0xfffffff8,\n> +0xfffffffc, or 0x100000000 (0 on 32-bit hosts), so this doesn't result\n> +in a buffer overflow even if the allocation succeeds.\n> +\n> +Fixes: 79f2102cb442 (\"implemented server side support for EAP-TTLS\")\n> +CVE: CVE-2026-25075\n> +Upstream: https://download.strongswan.org/security/CVE-2026-25075/\n> +Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>\n> +---\n> + src/libcharon/plugins/eap_ttls/eap_ttls_avp.c | 4 ++--\n> + 1 file changed, 2 insertions(+), 2 deletions(-)\n> +\n> +diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls_avp.c b/src/libcharon/plugins/eap_ttls/eap_ttls_avp.c\n> +index 06389f7ca73e..2983bd021ded 100644\n> +--- a/src/libcharon/plugins/eap_ttls/eap_ttls_avp.c\n> ++++ b/src/libcharon/plugins/eap_ttls/eap_ttls_avp.c\n> +@@ -119,7 +119,7 @@ METHOD(eap_ttls_avp_t, process, status_t,\n> + \t\tchunk_free(&this->input);\n> + \t\tthis->inpos = 0;\n> +\n> +-\t\tif (!success)\n> ++\t\tif (!success || avp_len < AVP_HEADER_LEN)\n> + \t\t{\n> + \t\t\tDBG1(DBG_IKE, \"received invalid AVP header\");\n> + \t\t\treturn FAILED;\n> +@@ -130,7 +130,7 @@ METHOD(eap_ttls_avp_t, process, status_t,\n> + \t\t\treturn FAILED;\n> + \t\t}\n> + \t\tthis->process_header = FALSE;\n> +-\t\tthis->data_len = avp_len - 8;\n> ++\t\tthis->data_len = avp_len - AVP_HEADER_LEN;\n> + \t\tthis->input = chunk_alloc(this->data_len + (4 - avp_len) % 4);\n> + \t}\n> +\n> +--\n> +2.43.0\n> +","headers":{"Return-Path":"<buildroot-bounces@buildroot.org>","X-Original-To":["incoming-buildroot@patchwork.ozlabs.org","buildroot@buildroot.org"],"Delivered-To":["patchwork-incoming-buildroot@legolas.ozlabs.org","buildroot@buildroot.org"],"Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=buildroot.org header.i=@buildroot.org\n header.a=rsa-sha256 header.s=default header.b=Pe3vWW5U;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=buildroot.org\n (client-ip=2605:bc80:3010::136; helo=smtp3.osuosl.org;\n envelope-from=buildroot-bounces@buildroot.org; receiver=patchwork.ozlabs.org)"],"Received":["from smtp3.osuosl.org (smtp3.osuosl.org [IPv6:2605:bc80:3010::136])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g0SP65ngrz1yGs\n\tfor <incoming-buildroot@patchwork.ozlabs.org>;\n Wed, 22 Apr 2026 02:24:41 +1000 (AEST)","from localhost (localhost [127.0.0.1])\n\tby smtp3.osuosl.org (Postfix) with ESMTP id 8A00361529;\n\tTue, 21 Apr 2026 16:24:38 +0000 (UTC)","from smtp3.osuosl.org ([127.0.0.1])\n by localhost (smtp3.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id L1Rm241RDqjX; Tue, 21 Apr 2026 16:24:37 +0000 (UTC)","from lists1.osuosl.org (lists1.osuosl.org [140.211.166.142])\n\tby smtp3.osuosl.org (Postfix) with ESMTP id 77D026151D;\n\tTue, 21 Apr 2026 16:24:37 +0000 (UTC)","from smtp1.osuosl.org (smtp1.osuosl.org [IPv6:2605:bc80:3010::138])\n by lists1.osuosl.org (Postfix) with ESMTP id A37C824D\n for <buildroot@buildroot.org>; Tue, 21 Apr 2026 16:24:35 +0000 (UTC)","from localhost (localhost [127.0.0.1])\n by smtp1.osuosl.org (Postfix) with ESMTP id A074684055\n for <buildroot@buildroot.org>; Tue, 21 Apr 2026 16:24:35 +0000 (UTC)","from smtp1.osuosl.org ([127.0.0.1])\n by localhost (smtp1.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id aB1LnAurj0Y5 for <buildroot@buildroot.org>;\n Tue, 21 Apr 2026 16:24:35 +0000 (UTC)","from mail-wm1-x334.google.com (mail-wm1-x334.google.com\n [IPv6:2a00:1450:4864:20::334])\n by smtp1.osuosl.org (Postfix) with ESMTPS id 7AC3684051\n for <buildroot@buildroot.org>; Tue, 21 Apr 2026 16:24:33 +0000 (UTC)","by mail-wm1-x334.google.com with SMTP id\n 5b1f17b1804b1-48984d29fe3so30163585e9.0\n for <buildroot@buildroot.org>; Tue, 21 Apr 2026 09:24:33 -0700 (PDT)","from [192.168.129.33] ([109.136.97.112])\n by smtp.gmail.com with ESMTPSA id\n 5b1f17b1804b1-488fc177dafsm468594145e9.4.2026.04.21.09.24.30\n (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);\n Tue, 21 Apr 2026 09:24:30 -0700 (PDT)"],"X-Virus-Scanned":["amavis at osuosl.org","amavis at osuosl.org"],"X-Comment":"SPF check N/A for local connections - client-ip=140.211.166.142;\n helo=lists1.osuosl.org; envelope-from=buildroot-bounces@buildroot.org;\n receiver=<UNKNOWN> ","DKIM-Filter":["OpenDKIM Filter v2.11.0 smtp3.osuosl.org 77D026151D","OpenDKIM Filter v2.11.0 smtp1.osuosl.org 7AC3684051"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=buildroot.org;\n\ts=default; t=1776788677;\n\tbh=iqIXQBlbOy2NVX3z+FkBN+xCMXAlfNdHgj+cJdnwKgI=;\n\th=Date:To:Cc:References:In-Reply-To:Subject:List-Id:\n\t List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe:\n\t From:Reply-To:From;\n\tb=Pe3vWW5UvTmZuxhgnwY3tPw1PI54dcbcgLk4hGYFGcfcDS7YhIe5JaACl3j4+qjDZ\n\t GfqNOajBPruiz1bVpIb1maysCuyXOnE6xDYnyBu+/YUoqYneGKw2FZdkXbNlVvv549\n\t GsVnWIITtst+xWcQgIKATu7eiRcdueDpBKu/zw8gxFi5Js9+RdSygyvwrn3zvge2uQ\n\t 249d0QHABvmoIL+g3WAe1CPm0/Iz515Il8JTFbpk6Bulh3T4h+39VrDhzrSOUh5pQ4\n\t PnIl45h3nLqxfnCBuvqTLXTvJpljb3mp1vyzcr25IMM7AXLsNnUAMlS1Hf/mMMUyjP\n\t eOIcbuZ5KKl5g==","Received-SPF":"Pass (mailfrom) identity=mailfrom;\n client-ip=2a00:1450:4864:20::334; helo=mail-wm1-x334.google.com;\n envelope-from=titouan.christophe@essensium.com; receiver=<UNKNOWN>","DMARC-Filter":"OpenDMARC Filter v1.4.2 smtp1.osuosl.org 7AC3684051","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1776788671; x=1777393471;\n h=content-transfer-encoding:in-reply-to:content-language:references\n :cc:to:from:subject:user-agent:mime-version:date:message-id:x-gm-gg\n :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;\n bh=gpCngQMfOCnm3DSrJJceb0OeNIw9IZ26BYj+6heRk4w=;\n b=MR1bGObYUm+EwT/S+nEGxkEUbtESMQSGkzf/lGPb44hMiPAF/gv9l1ZFFO6gKjXpio\n p8H9yMBARLB7VoJxSC4LYIP2bl53GJ/ur3a967hDTXqFKVAvxyNfiLGU5rLOjv7IzcAl\n DsObgV9Hq9+my/HT1Kfu3i8PtAUoOAKOEbIM7tIi+kq5QxJccCnQKo8VrNfxR5DoVq0V\n qlR3WyZXjQvcGLJkg9izDm7hUd+N6vbzeVAoT+QLunv35fZeOr5ev3Q44oDQuA6HBd+h\n X2GwK6xs7nLynAiMfbl/lPx3WhOtYtwzh83fM4VftazdvsD7zU5q981Ed7HVmKK0zi/O\n kMGQ==","X-Gm-Message-State":"AOJu0YxPSIGvnmwcQB14OAphGUVXT2U+VcMFaYX0YqLyB2HS7Q1kz3RK\n F1ip4BjYIMkpRXpnjBtMRLmiBWjMSAw4Zs7vq+0/JNe0RqkYhQNDZYtevRon+sq7w3ZXufkYH7K\n AtOxNwZA=","X-Gm-Gg":"AeBDiesIzH07D2lSB0guzfY2uhmsYcnpFdS15PqVDnrce6y/ZKK6gHDIJ+1vbVQMoZf\n c5+2v69+3iVdrWvMROBCEdcLih5XmVQbXDMcTh5jKqy/L6qrGmI6r7K0e5jPLLOPywvs2k45a1H\n wA7mtcDOlPsPAM6X4dV5H1+ATT3cLdoaDO0jO36eO3F1pMrwgoXHp+tn6WBmWtLvsiXFG122ml4\n Er1CR0XlKt0FW9qSQ1KhbI9k8Emy8Awg8bhweFa6ckB4SfaCOGelJ86+tHfpqd9GSF1nWTFOi53\n a3awu93wsPM29DTSoUQIoKR/1w0DAPlzKa43bXj7RiIVk+S5uL5kLUMiyk/G/7Schh1RGRjas5x\n wI8nAuNs2pGvFWVtgOsTd0EUQsY5punMzzEkFn63aTZBhPI7XlETPkFaWQxbwB2OyWVPWd7lYNy\n 0GFwLjN4cHTyhPJ1wH5aayNdKX/VZ+t2jZULb9ltQ0eEPzEFlpkQ==","X-Received":"by 2002:a05:600c:3f0c:b0:48a:563c:c8e0 with SMTP id\n 5b1f17b1804b1-48a563cd16bmr42648055e9.1.1776788671174;\n Tue, 21 Apr 2026 09:24:31 -0700 (PDT)","Message-ID":"<fa7ab75f-67bc-4f0a-9fd2-cfbce7d6a58e@mind.be>","Date":"Tue, 21 Apr 2026 18:24:30 +0200","MIME-Version":"1.0","User-Agent":"Mozilla Thunderbird","To":"buildroot@buildroot.org","Cc":"=?utf-8?b?SsOpcsO0bWUgUG91aWxsZXI=?= <jezz@sysmic.org>,\n thomas.perale@mind.be","References":"<20260421143310.2795827-1-titouan.christophe@mind.be>","Content-Language":"en-US","In-Reply-To":"<20260421143310.2795827-1-titouan.christophe@mind.be>","X-Mailman-Original-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=mind.be; s=google; t=1776788671; x=1777393471; darn=buildroot.org;\n h=content-transfer-encoding:in-reply-to:content-language:references\n :cc:to:from:subject:user-agent:mime-version:date:message-id:from:to\n :cc:subject:date:message-id:reply-to;\n bh=gpCngQMfOCnm3DSrJJceb0OeNIw9IZ26BYj+6heRk4w=;\n b=K5/6uxMrf317VvdMmeB0Qx51kHukhNPjOddgnThE9XBqB6WsEXND5n/MO65iCU+z31\n MkcATbIwFZuFJbIgg1uwmsc3ceTP6I50crkj/ZVJuHFS21b2MDs/qtFPheGNE/0Ddjtf\n SBLBkM7aJXBxJhyx5VGy8lHyOQthIjxGvUeOCRxJSPiK2DXjVPrGZbXyDZWcfIAzc2cU\n 5q1XWLioE3mgYQP1bTTTvVzB38kCkKmz5KrHiBmAo4mJjC1eMzDiI3gOwBm41WX1JtpY\n djEYy2F1DOgtoq5I4EffnJFMv7K0ysoqgJLpNvNArtb0CE3ysCKkDA4ja3csjTj8IQiU\n 1nXw==","X-Mailman-Original-Authentication-Results":["smtp1.osuosl.org;\n dmarc=pass (p=quarantine dis=none)\n header.from=mind.be","smtp1.osuosl.org;\n dkim=pass (2048-bit key) header.d=mind.be header.i=@mind.be\n header.a=rsa-sha256 header.s=google header.b=K5/6uxMr"],"Subject":"Re: [Buildroot] [PATCH for 2025.02.x] package/strongswan: add patch\n for CVE-2026-25075","X-BeenThere":"buildroot@buildroot.org","X-Mailman-Version":"2.1.30","Precedence":"list","List-Id":"Discussion and development of buildroot <buildroot.buildroot.org>","List-Unsubscribe":"<https://lists.buildroot.org/mailman/options/buildroot>,\n <mailto:buildroot-request@buildroot.org?subject=unsubscribe>","List-Archive":"<http://lists.buildroot.org/pipermail/buildroot/>","List-Post":"<mailto:buildroot@buildroot.org>","List-Help":"<mailto:buildroot-request@buildroot.org?subject=help>","List-Subscribe":"<https://lists.buildroot.org/mailman/listinfo/buildroot>,\n <mailto:buildroot-request@buildroot.org?subject=subscribe>","From":"Titouan Christophe via buildroot <buildroot@buildroot.org>","Reply-To":"Titouan Christophe <titouan.christophe@mind.be>","Content-Transfer-Encoding":"7bit","Content-Type":"text/plain; charset=\"us-ascii\"; Format=\"flowed\"","Errors-To":"buildroot-bounces@buildroot.org","Sender":"\"buildroot\" <buildroot-bounces@buildroot.org>"}}]