[Pkg-swan-devel] [Git][debian/strongswan][debian/bookworm] 3 commits: d/patches: add fix for double-free when cloning empty IDs (CVE-2026-47895)

Yves-Alexis Perez (@corsac) gitlab at salsa.debian.org
Mon Jun 8 14:33:18 BST 2026



Yves-Alexis Perez pushed to branch debian/bookworm at Debian / strongswan


Commits:
5ff00dcf by Yves-Alexis Perez at 2026-05-27T08:55:16+02:00
d/patches: add fix for double-free when cloning empty IDs (CVE-2026-47895)

- - - - -
ddb8fb1e by Yves-Alexis Perez at 2026-05-27T08:58:24+02:00
finalize changelog

- - - - -
dec76e1d by Yves-Alexis Perez at 2026-05-27T08:58:40+02:00
upload strongSwan 5.9.8-5+deb12u5 to bookworm-security

- - - - -


3 changed files:

- debian/changelog
- + debian/patches/0016-identification-Fix-double-free-when-cloning-empty-ID.patch
- debian/patches/series


Changes:

=====================================
debian/changelog
=====================================
@@ -1,3 +1,9 @@
+strongswan (5.9.8-5+deb12u5) bookworm-security; urgency=medium
+
+  * d/patches: add fix for double-free when cloning empty IDs (CVE-2026-47895)
+
+ -- Yves-Alexis Perez <corsac at debian.org>  Wed, 27 May 2026 08:58:30 +0200
+
 strongswan (5.9.8-5+deb12u4) bookworm-security; urgency=medium
 
   * d/patches: add fix for integer underflow in libsimaka when handling


=====================================
debian/patches/0016-identification-Fix-double-free-when-cloning-empty-ID.patch
=====================================
@@ -0,0 +1,86 @@
+From: "R. Elliott Childre" <elliottchildre329 at gmail.com>
+Date: Mon, 18 May 2026 00:53:24 -0400
+Subject: identification: Fix double-free when cloning empty IDs
+
+The clone() method was missing a branch when there is an encoded chunk
+of length 0 that still needed to be cloned.  Otherwise, the destruction
+of the clone frees the same pointer that the original owns.
+
+This double free was found with an improved `fuzz_ids` fuzz harness and
+a two byte input to create an identification from "@#" or [0x40, 0x23].
+It can also be triggered with `<type>:#` e.g. `dns:#`.
+
+One of the problematic constructors is used to parse EAP-Identities,
+which are cloned before storing them in the auth-cfg.   So this can be
+triggered by an unauthenticated attacker.
+
+Note that while the length check was already added with 418dbd624363
+("cloning %any ID without zero-byte memleak") and identities that trigger
+this can be created since 86ab5636c2c9 ("support for @#hex ID_KEY_ID
+identification_t"), it was the referenced commit that made the length
+check problematic.
+
+Fixes: 2147da40a5d7 ("simplified identification_t.clone() using memcpy")
+Fixes: CVE-2026-47895
+---
+ .../tests/suites/test_identification.c             | 23 ++++++++++++++++++++++
+ src/libstrongswan/utils/identification.c           |  5 +----
+ 2 files changed, 24 insertions(+), 4 deletions(-)
+
+diff --git a/src/libstrongswan/tests/suites/test_identification.c b/src/libstrongswan/tests/suites/test_identification.c
+index eac6b55..5a3bb55 100644
+--- a/src/libstrongswan/tests/suites/test_identification.c
++++ b/src/libstrongswan/tests/suites/test_identification.c
+@@ -1172,6 +1172,28 @@ START_TEST(test_clone)
+ }
+ END_TEST
+ 
++START_TEST(test_clone_empty)
++{
++	identification_t *a, *b;
++	chunk_t a_enc, b_enc;
++
++	/* this produces an empty but non-NULL encoding, which previously caused a
++	 * double-free when destroying a clone */
++	a = identification_create_from_string("@#");
++	ck_assert(a != NULL);
++	a_enc = a->get_encoding(a);
++
++	b = a->clone(a);
++	ck_assert(b != NULL);
++	ck_assert(a != b);
++	b_enc = b->get_encoding(b);
++	ck_assert(a_enc.ptr != b_enc.ptr);
++
++	b->destroy(b);
++	a->destroy(a);
++}
++END_TEST
++
+ Suite *identification_suite_create()
+ {
+ 	Suite *s;
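Review bot: test_clone_empty pins the regression only through the pointer inequality `ck_assert(a_enc.ptr != b_enc.ptr);`; the double-free itself would only surface under ASan or valgrind, so that assertion is the deterministic part of the test. Consider also asserting `ck_assert_int_eq(a_enc.len, b_enc.len);` (and that the length is 0) so the test documents that the clone preserves the empty-but-non-NULL encoding rather than merely producing a different pointer. Note that the pointer assertion as written would not hold for an ID whose encoding has a NULL ptr on both sides, so the test is deliberately specific to the `@#` case described in the commit message; a comment saying so would save the next reader from generalising it.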
+@@ -1227,6 +1249,7 @@ Suite *identification_suite_create()
+ 
+ 	tc = tcase_create("clone");
+ 	tcase_add_test(tc, test_clone);
++	tcase_add_test(tc, test_clone_empty);
+ 	suite_add_tcase(s, tc);
+ 
+ 	return s;
+diff --git a/src/libstrongswan/utils/identification.c b/src/libstrongswan/utils/identification.c
+index 6ddaf6c..d2c8fc2 100644
+--- a/src/libstrongswan/utils/identification.c
++++ b/src/libstrongswan/utils/identification.c
+@@ -1335,10 +1335,7 @@ METHOD(identification_t, clone_, identification_t*,
+ 	private_identification_t *clone = malloc_thing(private_identification_t);
+ 
+ 	memcpy(clone, this, sizeof(private_identification_t));
+-	if (this->encoded.len)
+-	{
+-		clone->encoded = chunk_clone(this->encoded);
+-	}
++	clone->encoded = chunk_clone(this->encoded);
+ 	return &clone->public;
+ }
+ 
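Review bot: the fix removes the length guard from 418dbd624363 without a comment explaining why it is now wrong; a one-line comment above `clone->encoded = chunk_clone(this->encoded);` noting that the memcpy() two lines up already copied this->encoded.ptr into clone, so every path must replace it with an owned copy (or an empty chunk) before returning, would keep a future refactor from reintroducing the alias. It is also worth confirming in review that chunk_clone() on a zero-length chunk never hands back the input pointer unchanged; as long as it returns either a fresh allocation or an empty chunk, destroy() on the clone frees only memory the clone owns, which is exactly what test_clone_empty exercises.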


=====================================
debian/patches/series
=====================================
@@ -13,3 +13,4 @@ dont-load-kernel-libipsec-plugin-by-default.patch
 0013-pkcs5-pkcs7-Avoid-NULL-pointer-dereference-when-veri.patch
 0014-constraints-Case-insensitive-matching-and-reject-exc.patch
 0015-gmp-Avoid-crash-and-timing-leaks-in-PKCS-1-v1.5-decr.patch
+0016-identification-Fix-double-free-when-cloning-empty-ID.patch



View it on GitLab: https://salsa.debian.org/debian/strongswan/-/compare/ba3f482959648744d08f13419d67565ae7b2db5a...dec76e1deee8f01be22ad851486244dfb2d030b5
