[Pkg-swan-devel] [Git][debian/strongswan][debian/bookworm] 3 commits: d/patches: add fix for buffer overflow in EAP-MSCHAPv2 (CVE-2025-62291)

Yves-Alexis Perez (@corsac) gitlab at salsa.debian.org
Thu Dec 18 19:33:50 GMT 2025



Yves-Alexis Perez pushed to branch debian/bookworm at Debian / strongswan


Commits:
1a3ad356 by Yves-Alexis Perez at 2025-10-15T12:20:08+02:00
d/patches: add fix for buffer overflow in EAP-MSCHAPv2 (CVE-2025-62291)

- - - - -
217a9eae by Yves-Alexis Perez at 2025-10-15T12:20:20+02:00
finalize changelog

- - - - -
9f73a113 by Yves-Alexis Perez at 2025-10-15T12:21:19+02:00
upload strongSwan 5.9.8-5+deb12u2 to bookworm-security

- - - - -


3 changed files:

- debian/changelog
- + debian/patches/0007-eap-mschapv2-Fix-length-check-for-Failure-Request-pa.patch
- debian/patches/series


Changes:

=====================================
debian/changelog
=====================================
@@ -1,3 +1,9 @@
+strongswan (5.9.8-5+deb12u2) bookworm-security; urgency=medium
+
+  * d/patches: add fix for buffer overflow in EAP-MSCHAPv2 (CVE-2025-62291)
+
+ -- Yves-Alexis Perez <corsac at debian.org>  Wed, 15 Oct 2025 12:21:12 +0200
+
 strongswan (5.9.8-5+deb12u1) bookworm-security; urgency=medium
 
   * d/patches: add fix for CVE-2023-41913 in charon-tkm
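Review bot: the new changelog entry says only "buffer overflow in EAP-MSCHAPv2", while the patch it adds is titled "Fix length check for Failure Request packets on the client" and touches process_peer_failure(), so someone triaging a gateway-only deployment from the changelog cannot tell which role is affected. Consider "fix heap buffer overflow in EAP-MSCHAPv2 client Failure Request handling (CVE-2025-62291)".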


=====================================
debian/patches/0007-eap-mschapv2-Fix-length-check-for-Failure-Request-pa.patch
=====================================
@@ -0,0 +1,40 @@
+From: Tobias Brunner <tobias at strongswan.org>
+Date: Thu, 9 Oct 2025 11:33:45 +0200
+Subject: eap-mschapv2: Fix length check for Failure Request packets on the
+ client
+
+For message lengths between 6 and 8, subtracting HEADER_LEN (9) causes
+`message_len` to become negative, which is then used in calls to malloc()
+and memcpy() that both take size_t arguments, causing an integer
+underflow.
+
+For 6 and 7, the huge size requested from malloc() will fail (it exceeds
+PTRDIFF_MAX) and the returned NULL pointer will cause a segmentation
+fault in memcpy().
+
+However, for 8, the allocation is 0, which succeeds.  But then the -1
+passed to memcpy() causes a heap-based buffer overflow (and possibly a
+segmentation fault when attempting to read/write that much data).
+Fortunately, if compiled with -D_FORTIFY_SOURCE=3 (the default on e.g.
+Ubuntu), the compiler will use __memcpy_chk(), which prevents that buffer
+overflow and causes the daemon to get aborted immediately instead.
+
+Fixes: f98cdf7a4765 ("adding plugin for EAP-MS-CHAPv2")
+Fixes: CVE-2025-62291
+---
+ src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
+index 2e14bd9..1eedfeb 100644
+--- a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
++++ b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
+@@ -972,7 +972,7 @@ static status_t process_peer_failure(private_eap_mschapv2_t *this,
+ 	data = in->get_data(in);
+ 	eap = (eap_mschapv2_header_t*)data.ptr;
+ 
+-	if (data.len < 3) /* we want at least an error code: E=e */
++	if (data.len < HEADER_LEN + 3) /* we want at least an error code: E=e */
+ 	{
+ 		DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: too short");
+ 		return FAILED;
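Review bot: the new bound guarantees at least three payload bytes, but message_len stays a signed value computed from data.len - HEADER_LEN outside the hunk (the commit message is explicit that its negative value reached malloc() and memcpy() as size_t), so the fix depends on this single early check never being moved or bypassed; making that subtraction unsigned (size_t message_len) or asserting message_len >= 3 at the point of use would close the underflow path structurally rather than by one comparison. Separately, the patch header carries From/Date/Subject but no DEP-3 Origin: line pointing at the upstream commit; adding it (and Bug-Debian: if a bug is filed) makes the next rebase and the security-tracker cross-check easier.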


=====================================
debian/patches/series
=====================================
@@ -4,3 +4,4 @@
 dont-load-kernel-libipsec-plugin-by-default.patch
 0005-libtls-Fix-authentication-bypass-and-expired-pointer.patch
 0006-charon-tkm-Validate-DH-public-key-to-fix-potential-b.patch
+0007-eap-mschapv2-Fix-length-check-for-Failure-Request-pa.patch


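The arithmetic the commit message describes, as an added example that is not strongSwan's code and not part of the original mail: a small C model of the pre-fix and post-fix length checks, plus a parser for the Failure Request body so the post-fix path does something useful with the bytes it accepts. HEADER_LEN (9) is the value the commit message names; the header layout and the "E=eeeeeeeeee R=r C=... V=... M=<msg>" body follow RFC 2759 section 6. The struct and function names, the wrapper and the two sample packets are this example's own and are constructed, not captured traffic.

```c
/* Added example, not strongSwan code: models the length arithmetic the
 * commit message describes (pre-fix and post-fix) and parses the error
 * code from a Failure Request body. HEADER_LEN (9) comes from the commit
 * message; the header layout (EAP code, id, length, type, op-code,
 * MS-CHAPv2-ID, MS-Length) and the "E=eeeeeeeeee R=r C=... V=... M=<msg>"
 * body are from RFC 2759 section 6. Names and samples are this example's own. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HEADER_LEN 9

typedef struct { const uint8_t *ptr; size_t len; } chunk_t;

/* What the pre-fix code would have asked of malloc() and memcpy(). */
typedef struct { int rejected; size_t alloc_size; size_t copy_size; } old_sizes_t;

chunk_t make_chunk(const uint8_t *p, size_t n) { chunk_t c = { p, n }; return c; }

/* Pre-fix arithmetic: the bound covers only the total length and the
 * header is subtracted into a signed int. Only numbers are computed here;
 * nothing is allocated or copied, so calling this is safe. */
old_sizes_t vulnerable_sizes(chunk_t data)
{
    old_sizes_t s = { 0, 0, 0 };
    if (data.len < 3) { s.rejected = 1; return s; }
    int message_len = (int)(data.len - HEADER_LEN); /* -1 for an 8-byte packet */
    s.alloc_size = (size_t)(message_len + 1);       /* 0: malloc(0) succeeds */
    s.copy_size = (size_t)message_len;              /* SIZE_MAX: memcpy overruns */
    return s;
}

/* Post-fix handling: require HEADER_LEN + 3 bytes so the body holds at least
 * "E=e", keep the length unsigned, then copy the body and parse the code.
 * On success *message is a malloc()ed NUL-terminated copy the caller frees.
 * Returns 0 on success, -1 on a malformed packet. */
int parse_failure_request(chunk_t data, int *error_code, char **message)
{
    if (data.len < HEADER_LEN + 3) return -1;
    size_t message_len = data.len - HEADER_LEN;     /* >= 3, cannot wrap */
    char *buf = malloc(message_len + 1);
    if (buf == NULL) return -1;
    memcpy(buf, data.ptr + HEADER_LEN, message_len);
    buf[message_len] = '\0';
    if (buf[0] != 'E' || buf[1] != '=') { free(buf); return -1; }
    char *end = NULL;
    long code = strtol(buf + 2, &end, 10);
    if (end == buf + 2) { free(buf); return -1; }
    *error_code = (int)code;
    *message = buf;
    return 0;
}

/* Convenience for the demo: the parsed E= code, or -1 if rejected. */
int failure_error_code(const uint8_t *pkt, size_t len)
{
    int code = -1;
    char *msg = NULL;
    if (parse_failure_request(make_chunk(pkt, len), &code, &msg) != 0) return -1;
    free(msg);
    return code;
}

/* Constructed sample packets, not captured traffic. */
static const uint8_t sample_len8[] = {           /* 8 bytes: one short of a full header */
    0x01, 0x07, 0x00, 0x08, 0x1a, 0x04, 0x07, 0x00
};
static const uint8_t sample_ok[] = {             /* 9-byte header + "E=691 R=0" */
    0x01, 0x07, 0x00, 0x12, 0x1a, 0x04, 0x07, 0x00, 0x0d,
    'E', '=', '6', '9', '1', ' ', 'R', '=', '0'
};

int main(void)
{
    old_sizes_t old = vulnerable_sizes(make_chunk(sample_len8, sizeof sample_len8));
    printf("8-byte packet, old check: malloc(%zu) then memcpy of %zu bytes\n",
           old.alloc_size, old.copy_size);
    printf("8-byte packet, new check: %d (rejected)\n",
           failure_error_code(sample_len8, sizeof sample_len8));
    printf("18-byte packet, new check: E=%d\n",
           failure_error_code(sample_ok, sizeof sample_ok));
    return 0;
}
```

Build with `cc -std=c99 -Wall example.c`. vulnerable_sizes() only reproduces the numbers (the 0-byte allocation and the SIZE_MAX copy length for an 8-byte packet, the huge allocation for 6 or 7 bytes); it never performs the copy. Like the visible hunk, the example validates only data.len and does not cross-check the EAP Length or MS-Length fields against it; a production parser should do both.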

View it on GitLab: https://salsa.debian.org/debian/strongswan/-/compare/616fc622aa7a33fbac68e442e5f05c39d35b35b6...9f73a11358e66c263a22fd9cf9173d8a14a7ff66
