[Pkg-swan-devel] [Git][debian/strongswan][debian/trixie] 3 commits: d/patch: fix integer overflow in EAP-TTLS plugin (CVE-2026-25075)

Yves-Alexis Perez (@corsac) gitlab at salsa.debian.org
Mon Mar 23 17:49:25 GMT 2026



Yves-Alexis Perez pushed to branch debian/trixie at Debian / strongswan


Commits:
3f1e1ce9 by Yves-Alexis Perez at 2026-03-16T17:10:24+01:00
d/patch: fix integer overflow in EAP-TTLS plugin (CVE-2026-25075)

- - - - -
e38d7f10 by Yves-Alexis Perez at 2026-03-16T17:38:24+01:00
finalize changelog

- - - - -
8739a3a3 by Yves-Alexis Perez at 2026-03-16T17:38:53+01:00
upload strongSwan 6.0.1-6+deb13u4 to trixie-security

- - - - -


3 changed files:

- debian/changelog
- + debian/patches/0009-eap-ttls-Prevent-crash-if-AVP-length-header-field-is.patch
- debian/patches/series


Changes:

=====================================
debian/changelog
=====================================
@@ -1,3 +1,9 @@
+strongswan (6.0.1-6+deb13u4) trixie-security; urgency=medium
+
+  * d/patch: fix integer overflow in EAP-TTLS plugin (CVE-2026-25075)
+
+ -- Yves-Alexis Perez <corsac at debian.org>  Mon, 16 Mar 2026 17:38:31 +0100
+
 strongswan (6.0.1-6+deb13u3) trixie-security; urgency=medium
 
   * d/patches: add fix for unauthorized credentials access (CVE-2025-9615)
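Review bot: The new changelog entry calls this an "integer overflow", but the upstream patch it ships describes an integer underflow: subtracting the 8-byte header from a too-small AVP length, which usually ends in a NULL pointer access after a failed chunk_alloc(). Suggest wording the entry to match the upstream description and naming the patch file (0009-eap-ttls-Prevent-crash-if-AVP-length-header-field-is.patch), so that someone reading only the changelog for CVE-2026-25075 sees the same issue the patch describes.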


=====================================
debian/patches/0009-eap-ttls-Prevent-crash-if-AVP-length-header-field-is.patch
=====================================
@@ -0,0 +1,42 @@
+From: Tobias Brunner <tobias at strongswan.org>
+Date: Thu, 5 Mar 2026 12:43:12 +0100
+Subject: eap-ttls: Prevent crash if AVP length header field is invalid
+
+The length field in the AVP header includes the 8 bytes of the header
+itself.  Not checking for that and later subtracting it causes an
+integer underflow that usually triggers a crash when accessing a
+NULL pointer that resulted from the failing chunk_alloc() call because
+of the high value.
+
+The attempted allocations for invalid lengths (0-7) are 0xfffffff8,
+0xfffffffc, or 0x100000000 (0 on 32-bit hosts), so this doesn't result
+in a buffer overflow even if the allocation succeeds.
+
+Fixes: 79f2102cb442 ("implemented server side support for EAP-TTLS")
+Fixes: CVE-2026-25075
+---
+ src/libcharon/plugins/eap_ttls/eap_ttls_avp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls_avp.c b/src/libcharon/plugins/eap_ttls/eap_ttls_avp.c
+index 06389f7..2983bd0 100644
+--- a/src/libcharon/plugins/eap_ttls/eap_ttls_avp.c
++++ b/src/libcharon/plugins/eap_ttls/eap_ttls_avp.c
+@@ -119,7 +119,7 @@ METHOD(eap_ttls_avp_t, process, status_t,
+ 		chunk_free(&this->input);
+ 		this->inpos = 0;
+ 
+-		if (!success)
++		if (!success || avp_len < AVP_HEADER_LEN)
+ 		{
+ 			DBG1(DBG_IKE, "received invalid AVP header");
+ 			return FAILED;
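Review bot: In the `if (!success || avp_len < AVP_HEADER_LEN)` branch, the too-short length case now shares the "received invalid AVP header" message with a header parse failure, so the log cannot tell the two apart. Consider including the offending avp_len in the DBG1 message, or emitting a separate message for the length case, which gives operators something concrete to match on. The diffstat also shows only eap_ttls_avp.c changing, so a regression test feeding length values 0 through 7 would be worth adding alongside.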
+@@ -130,7 +130,7 @@ METHOD(eap_ttls_avp_t, process, status_t,
+ 			return FAILED;
+ 		}
+ 		this->process_header = FALSE;
+-		this->data_len = avp_len - 8;
++		this->data_len = avp_len - AVP_HEADER_LEN;
+ 		this->input = chunk_alloc(this->data_len + (4 - avp_len) % 4);
+ 	}
+ 
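Review bot: The unchanged line `this->input = chunk_alloc(this->data_len + (4 - avp_len) % 4);` still computes the padding through `4 - avp_len`, which is below zero for every avp_len above 4 and only yields the right padding when avp_len is an unsigned type, where the wraparound is a multiple of 4. With the lower bound now enforced, it would be clearer to write the padding as `(4 - avp_len % 4) % 4`, or to add a comment stating the reliance on unsigned arithmetic. The visible lines also do not check the chunk_alloc() result, which the commit message identifies as the source of the NULL pointer, so it is worth confirming that an upper bound on avp_len is enforced before this allocation.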


=====================================
debian/patches/series
=====================================
@@ -6,3 +6,4 @@ dont-load-kernel-libipsec-plugin-by-default.patch
 0002-openssl-Don-t-allocate-salt-if-PRF-hash-is-unknown.patch
 0007-eap-mschapv2-Fix-length-check-for-Failure-Request-pa.patch
 0008-nm-Create-safe-copies-of-files-for-user-specific-con.patch
+0009-eap-ttls-Prevent-crash-if-AVP-length-header-field-is.patch



View it on GitLab: https://salsa.debian.org/debian/strongswan/-/compare/738889e9cb6b9070ca4db17bd657b9190f8ae3e5...8739a3a3fe4a9c75ff46a3240459cf26669d9fa5
