[Pkg-swan-devel] [Git][debian/strongswan][debian/trixie] 3 commits: d/patches: add fix for double-free when cloning empty IDs (CVE-2026-47895)
Yves-Alexis Perez (@corsac)
gitlab at salsa.debian.org
Mon Jun 8 14:32:54 BST 2026
Yves-Alexis Perez pushed to branch debian/trixie at Debian / strongswan
Commits:
c548f9b4 by Yves-Alexis Perez at 2026-05-27T08:39:10+02:00
d/patches: add fix for double-free when cloning empty IDs (CVE-2026-47895)
- - - - -
60734263 by Yves-Alexis Perez at 2026-05-27T08:40:13+02:00
finalize changelog
- - - - -
50df14e4 by Yves-Alexis Perez at 2026-05-27T08:40:29+02:00
upload strongSwan 6.0.1-6+deb13u6 to trixie-security
- - - - -
3 changed files:
- debian/changelog
- + debian/patches/0017-identification-Fix-double-free-when-cloning-empty-ID.patch
- debian/patches/series
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,9 @@
+strongswan (6.0.1-6+deb13u6) trixie-security; urgency=medium
+
+ * d/patches: add fix for double-free when cloning empty IDs (CVE-2026-47895)
+
+ -- Yves-Alexis Perez <corsac at debian.org> Wed, 27 May 2026 08:40:18 +0200
+
strongswan (6.0.1-6+deb13u5) trixie-security; urgency=medium
* d/patches: add fix for integer underflow in libsimaka when handling
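Review bot: The changelog entry names the bug but not its exposure; the patch description states that one of the affected constructors parses EAP-Identities, so the double-free is reachable by an unauthenticated peer, and it carries a `Fixes: 2147da40a5d7` reference. Adding that to the bullet, e.g. `(reachable via EAP-Identity parsing; upstream fix for 2147da40a5d7)`, lets readers of the trixie-security upload judge urgency from the package metadata alone.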
=====================================
debian/patches/0017-identification-Fix-double-free-when-cloning-empty-ID.patch
=====================================
@@ -0,0 +1,86 @@
+From: "R. Elliott Childre" <elliottchildre329 at gmail.com>
+Date: Mon, 18 May 2026 00:53:24 -0400
+Subject: identification: Fix double-free when cloning empty IDs
+
+The clone() method was missing a branch when there is an encoded chunk
+of length 0 that still needed to be cloned. Otherwise, the destruction
+of the clone frees the same pointer that the original owns.
+
+This double free was found with an improved `fuzz_ids` fuzz harness and
+a two byte input to create an identification from "@#" or [0x40, 0x23].
+It can also be triggered with `<type>:#` e.g. `dns:#`.
+
+One of the problematic constructors is used to parse EAP-Identities,
+which are cloned before storing them in the auth-cfg. So this can be
+triggered by an unauthenticated attacker.
+
+Note that while the length check was already added with 418dbd624363
+("cloning %any ID without zero-byte memleak") and identities that trigger
+this can be created since 86ab5636c2c9 ("support for @#hex ID_KEY_ID
+identification_t"), it was the referenced commit that made the length
+check problematic.
+
+Fixes: 2147da40a5d7 ("simplified identification_t.clone() using memcpy")
+Fixes: CVE-2026-47895
+---
+ .../tests/suites/test_identification.c | 23 ++++++++++++++++++++++
+ src/libstrongswan/utils/identification.c | 5 +----
+ 2 files changed, 24 insertions(+), 4 deletions(-)
+
+diff --git a/src/libstrongswan/tests/suites/test_identification.c b/src/libstrongswan/tests/suites/test_identification.c
+index db40437..565971a 100644
+--- a/src/libstrongswan/tests/suites/test_identification.c
++++ b/src/libstrongswan/tests/suites/test_identification.c
+@@ -1408,6 +1408,28 @@ START_TEST(test_clone)
+ }
+ END_TEST
+
++START_TEST(test_clone_empty)
++{
++ identification_t *a, *b;
++ chunk_t a_enc, b_enc;
++
++ /* this produces an empty but non-NULL encoding, which previously caused a
++ * double-free when destroying a clone */
++ a = identification_create_from_string("@#");
++ ck_assert(a != NULL);
++ a_enc = a->get_encoding(a);
++
++ b = a->clone(a);
++ ck_assert(b != NULL);
++ ck_assert(a != b);
++ b_enc = b->get_encoding(b);
++ ck_assert(a_enc.ptr != b_enc.ptr);
++
++ b->destroy(b);
++ a->destroy(a);
++}
++END_TEST
++
+ Suite *identification_suite_create()
+ {
+ Suite *s;
+@@ -1465,6 +1487,7 @@ Suite *identification_suite_create()
+
+ tc = tcase_create("clone");
+ tcase_add_test(tc, test_clone);
++ tcase_add_test(tc, test_clone_empty);
+ suite_add_tcase(s, tc);
+
+ return s;
+diff --git a/src/libstrongswan/utils/identification.c b/src/libstrongswan/utils/identification.c
+index d31955b..b8e68f8 100644
+--- a/src/libstrongswan/utils/identification.c
++++ b/src/libstrongswan/utils/identification.c
+@@ -1586,10 +1586,7 @@ METHOD(identification_t, clone_, identification_t*,
+ private_identification_t *clone = malloc_thing(private_identification_t);
+
+ memcpy(clone, this, sizeof(private_identification_t));
+- if (this->encoded.len)
+- {
+- clone->encoded = chunk_clone(this->encoded);
+- }
++ clone->encoded = chunk_clone(this->encoded);
+ return &clone->public;
+ }
+
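Review bot: Dropping the `if (this->encoded.len)` guard in clone_() makes correctness depend entirely on how chunk_clone() treats a zero-length chunk with a non-NULL ptr, and the description itself notes that this guard came from 418dbd624363 to avoid a zero-byte memleak when cloning `%any`. The new test_clone_empty only asserts `ck_assert(a_enc.ptr != b_enc.ptr);`, which holds both when chunk_clone() returns a fresh allocation and when it returns a NULL ptr, so it neither pins down which one happens nor shows that the `%any` leak has not returned. Suggest extending the test with the `dns:#` form mentioned in the description and running the clone tests on a `%any` identity under a leak checker (ASan or valgrind) so both the double-free and the earlier memleak are covered.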
=====================================
debian/patches/series
=====================================
@@ -14,3 +14,4 @@ dont-load-kernel-libipsec-plugin-by-default.patch
0014-pkcs5-pkcs7-Avoid-NULL-pointer-dereference-when-veri.patch
0015-constraints-Case-insensitive-matching-and-reject-exc.patch
0016-gmp-Avoid-crash-and-timing-leaks-in-PKCS-1-v1.5-decr.patch
+0017-identification-Fix-double-free-when-cloning-empty-ID.patch
View it on GitLab: https://salsa.debian.org/debian/strongswan/-/compare/a53ad826fa9adc7e4f8b01527d9d538bd632480a...50df14e46f3e3224916aa9244d8bc65b0f477608