Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Please unblock package strongswan This upload fix two security vulnerabilities in strongSwan, debdiff is attached (sorry, patches are in dos format…) unblock strongswan/5.5.1-4 -- System Information: Debian Release: 9.0 APT prefers unstable APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (500, 'oldstable'), (450, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores) Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8), LANGUAGE=fr_FR.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system)
diff -Nru strongswan-5.5.1/debian/changelog strongswan-5.5.1/debian/changelog --- strongswan-5.5.1/debian/changelog 2017-01-16 12:58:26.000000000 +0100 +++ strongswan-5.5.1/debian/changelog 2017-05-29 21:52:41.000000000 +0200 @@ -1,3 +1,17 @@ +strongswan (5.5.1-4) unstable; urgency=high + + * Urgency=high for the security fix. + * debian/patches: + - CVE-2017-9022_insufficient_input_validation_gmp_plugin added, fix + insufficient input validation in gmp plugin which could lead to denial of + service (CVE-2017-9022). + - CVE-2017-9023_incorrect_handling_of_choice_types_in_asn1_parser added, + fix incorrect handling of CHOICE types in ASN.1 parser and x509 plugin + whch could lead to an infinite loop and a denial of service + (CVE-2017-9023). + + -- Yves-Alexis Perez <cor...@debian.org> Mon, 29 May 2017 21:52:41 +0200 + strongswan (5.5.1-3) unstable; urgency=medium [ Christian Ehrhardt ] diff -Nru strongswan-5.5.1/debian/patches/CVE-2017-9022_insufficient_input_validation_gmp_plugin.patch strongswan-5.5.1/debian/patches/CVE-2017-9022_insufficient_input_validation_gmp_plugin.patch --- strongswan-5.5.1/debian/patches/CVE-2017-9022_insufficient_input_validation_gmp_plugin.patch 1970-01-01 01:00:00.000000000 +0100 +++ strongswan-5.5.1/debian/patches/CVE-2017-9022_insufficient_input_validation_gmp_plugin.patch 2017-05-29 19:21:19.000000000 +0200 @@ -0,0 +1,42 @@ +From 1bf67b900fb4955a0b09f3c1cbe1ce7177adbe2f Mon Sep 17 00:00:00 2001 +From: Tobias Brunner <tob...@strongswan.org> +Date: Wed, 29 Mar 2017 11:26:24 +0200 +Subject: [PATCH] gmp: Make sure the modulus is odd and the exponent not zero + +Unlike mpz_powm() its secure replacement mpz_powm_sec() has the additional +requirement that the exponent must be > 0 and the modulus has to be odd. +Otherwise, it will crash with a floating-point exception. + +Fixes: CVE-2017-9022 +--- + src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c +index 2b2c7f249590..32a72ac9600b 100644 +--- a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c ++++ b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c +@@ -475,7 +475,7 @@ gmp_rsa_public_key_t *gmp_rsa_public_key_load(key_type_t type, va_list args) + } + break; + } +- if (!e.ptr || !n.ptr) ++ if (!e.len || !n.len || (n.ptr[n.len-1] & 0x01) == 0) + { + return NULL; + } +@@ -506,5 +506,10 @@ gmp_rsa_public_key_t *gmp_rsa_public_key_load(key_type_t type, va_list args) + + this->k = (mpz_sizeinbase(this->n, 2) + 7) / BITS_PER_BYTE; + ++ if (!mpz_sgn(this->e)) ++ { ++ destroy(this); ++ return NULL; ++ } + return &this->public; + } +-- +1.9.1 + + \ No newline at end of file diff -Nru strongswan-5.5.1/debian/patches/CVE-2017-9023_incorrect_handling_of_choice_types_in_asn1_parser.patch strongswan-5.5.1/debian/patches/CVE-2017-9023_incorrect_handling_of_choice_types_in_asn1_parser.patch --- strongswan-5.5.1/debian/patches/CVE-2017-9023_incorrect_handling_of_choice_types_in_asn1_parser.patch 1970-01-01 01:00:00.000000000 +0100 +++ strongswan-5.5.1/debian/patches/CVE-2017-9023_incorrect_handling_of_choice_types_in_asn1_parser.patch 2017-05-29 19:21:19.000000000 +0200 @@ -0,0 +1,376 @@ +From e3d4fe2be3bda0d9acc985a6cd67efe249d8326c Mon Sep 17 00:00:00 2001 +From: Andreas Steffen <andreas.stef...@strongswan.org> +Date: Fri, 5 May 2017 09:01:08 +0200 +Subject: [PATCH] asn1-parser: Fix CHOICE parsing + +Also fixes the application in the x509 plugin and the parsing of +nameConstraints, which doesn't require a loop. + +Fixes: CVE-2017-9023 +--- + src/libstrongswan/asn1/asn1_parser.c | 70 +++++++++++++++--- + src/libstrongswan/asn1/asn1_parser.h | 27 +++---- + src/libstrongswan/plugins/x509/x509_cert.c | 115 +++++++++++++++-------------- + 3 files changed, 135 insertions(+), 77 deletions(-) + +diff --git a/src/libstrongswan/asn1/asn1_parser.c b/src/libstrongswan/asn1/asn1_parser.c +index e7b7a428d9a2..4d5f799b73a9 100644 +--- a/src/libstrongswan/asn1/asn1_parser.c ++++ b/src/libstrongswan/asn1/asn1_parser.c +@@ -1,8 +1,7 @@ + /* + * Copyright (C) 2006 Martin Will +- * Copyright (C) 2000-2008 Andreas Steffen +- * +- * Hochschule fuer Technik Rapperswil ++ * Copyright (C) 2000-2017 Andreas Steffen ++ * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the +@@ -76,12 +75,18 @@ struct private_asn1_parser_t { + * Current parsing pointer for each level + */ + chunk_t blobs[ASN1_MAX_LEVEL + 2]; ++ ++ /** ++ * Parsing a CHOICE on the current level ? ++ */ ++ bool choice[ASN1_MAX_LEVEL + 2]; ++ + }; + + METHOD(asn1_parser_t, iterate, bool, + private_asn1_parser_t *this, int *objectID, chunk_t *object) + { +- chunk_t *blob, *blob1; ++ chunk_t *blob, *blob1, blob_ori; + u_char *start_ptr; + u_int level; + asn1Object_t obj; +@@ -97,7 +102,7 @@ METHOD(asn1_parser_t, iterate, bool, + return FALSE; + } + +- if (obj.flags & ASN1_END) /* end of loop or option found */ ++ if (obj.flags & ASN1_END) /* end of loop or choice or option found */ + { + if (this->loopAddr[obj.level] && this->blobs[obj.level+1].len > 0) + { +@@ -106,13 +111,42 @@ METHOD(asn1_parser_t, iterate, bool, + } + else + { +- this->loopAddr[obj.level] = 0; /* exit loop or option*/ ++ this->loopAddr[obj.level] = 0; /* exit loop */ ++ ++ if (obj.flags & ASN1_CHOICE) /* end of choices */ ++ { ++ if (this->choice[obj.level+1]) ++ { ++ DBG1(DBG_ASN, "L%d - %s: incorrect choice encoding", ++ this->level0 + obj.level, obj.name); ++ this->success = FALSE; ++ goto end; ++ } ++ } ++ ++ if (obj.flags & ASN1_CH) /* end of choice */ ++ { ++ /* parsed a valid choice */ ++ this->choice[obj.level] = FALSE; ++ ++ /* advance to end of choices */ ++ do ++ { ++ this->line++; ++ } ++ while (!((this->objects[this->line].flags & ASN1_END) && ++ (this->objects[this->line].flags & ASN1_CHOICE) && ++ (this->objects[this->line].level == obj.level-1))); ++ this->line--; ++ } ++ + goto end; + } + } + + level = this->level0 + obj.level; + blob = this->blobs + obj.level; ++ blob_ori = *blob; + blob1 = blob + 1; + start_ptr = blob->ptr; + +@@ -129,7 +163,6 @@ METHOD(asn1_parser_t, iterate, bool, + } + + /* handle ASN.1 options */ +- + if ((obj.flags & ASN1_OPT) + && (blob->len == 0 || *start_ptr != obj.type)) + { +@@ -144,7 +177,6 @@ METHOD(asn1_parser_t, iterate, bool, + } + + /* an ASN.1 object must possess at least a tag and length field */ +- + if (blob->len < 2) + { + DBG1(DBG_ASN, "L%d - %s: ASN.1 object smaller than 2 octets", +@@ -167,8 +199,16 @@ METHOD(asn1_parser_t, iterate, bool, + blob->ptr += blob1->len; + blob->len -= blob1->len; + +- /* return raw ASN.1 object without prior type checking */ ++ /* handle ASN.1 choice without explicit context encoding */ ++ if ((obj.flags & ASN1_CHOICE) && obj.type == ASN1_EOC) ++ { ++ DBG2(DBG_ASN, "L%d - %s:", level, obj.name); ++ this->choice[obj.level+1] = TRUE; ++ *blob1 = blob_ori; ++ goto end; ++ } + ++ /* return raw ASN.1 object without prior type checking */ + if (obj.flags & ASN1_RAW) + { + DBG2(DBG_ASN, "L%d - %s:", level, obj.name); +@@ -209,6 +249,18 @@ METHOD(asn1_parser_t, iterate, bool, + } + } + ++ /* In case of a "CHOICE" start to scan for exactly one valid choice */ ++ if (obj.flags & ASN1_CHOICE) ++ { ++ if (blob1->len == 0) ++ { ++ DBG1(DBG_ASN, "L%d - %s: contains no choice", level, obj.name); ++ this->success = FALSE; ++ goto end; ++ } ++ this->choice[obj.level+1] = TRUE; ++ } ++ + if (obj.flags & ASN1_OBJ) + { + object->ptr = start_ptr; +diff --git a/src/libstrongswan/asn1/asn1_parser.h b/src/libstrongswan/asn1/asn1_parser.h +index 0edc22c2378c..2ee1e892fc16 100644 +--- a/src/libstrongswan/asn1/asn1_parser.h ++++ b/src/libstrongswan/asn1/asn1_parser.h +@@ -1,8 +1,7 @@ + /* + * Copyright (C) 2006 Martin Will +- * Copyright (C) 2000-2008 Andreas Steffen +- * +- * Hochschule fuer Technik Rapperswil ++ * Copyright (C) 2000-2017 Andreas Steffen ++ * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the +@@ -32,15 +31,17 @@ + /** + * Definition of ASN.1 flags + */ +-#define ASN1_NONE 0x00 +-#define ASN1_DEF 0x01 +-#define ASN1_OPT 0x02 +-#define ASN1_LOOP 0x04 +-#define ASN1_END 0x08 +-#define ASN1_OBJ 0x10 +-#define ASN1_BODY 0x20 +-#define ASN1_RAW 0x40 +-#define ASN1_EXIT 0x80 ++#define ASN1_NONE 0x0000 ++#define ASN1_DEF 0x0001 ++#define ASN1_OPT 0x0002 ++#define ASN1_LOOP 0x0004 ++#define ASN1_CHOICE 0x0008 ++#define ASN1_CH 0x0010 ++#define ASN1_END 0x0020 ++#define ASN1_OBJ 0x0040 ++#define ASN1_BODY 0x0080 ++#define ASN1_RAW 0x0100 ++#define ASN1_EXIT 0x0200 + + typedef struct asn1Object_t asn1Object_t; + +@@ -51,7 +52,7 @@ struct asn1Object_t{ + u_int level; + const u_char *name; + asn1_t type; +- u_char flags; ++ uint16_t flags; + }; + + typedef struct asn1_parser_t asn1_parser_t; +diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c +index b3d90c5f61ef..f9573e953cbf 100644 +--- a/src/libstrongswan/plugins/x509/x509_cert.c ++++ b/src/libstrongswan/plugins/x509/x509_cert.c +@@ -2,10 +2,10 @@ + * Copyright (C) 2000 Andreas Hess, Patric Lichtsteiner, Roger Wegmann + * Copyright (C) 2001 Marco Bertossa, Andreas Schleiss + * Copyright (C) 2002 Mario Strasser +- * Copyright (C) 2000-2006 Andreas Steffen ++ * Copyright (C) 2000-2017 Andreas Steffen + * Copyright (C) 2006-2009 Martin Willi + * Copyright (C) 2008 Tobias Brunner +- * Hochschule fuer Technik Rapperswil ++ * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the +@@ -789,20 +789,20 @@ static bool parse_extendedKeyUsage(chunk_t blob, int level0, + * ASN.1 definition of crlDistributionPoints + */ + static const asn1Object_t crlDistributionPointsObjects[] = { +- { 0, "crlDistributionPoints", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */ +- { 1, "DistributionPoint", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */ +- { 2, "distributionPoint", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_LOOP }, /* 2 */ +- { 3, "fullName", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_OBJ }, /* 3 */ +- { 3, "end choice", ASN1_EOC, ASN1_END }, /* 4 */ +- { 3, "nameRelToCRLIssuer",ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_BODY }, /* 5 */ +- { 3, "end choice", ASN1_EOC, ASN1_END }, /* 6 */ +- { 2, "end opt", ASN1_EOC, ASN1_END }, /* 7 */ +- { 2, "reasons", ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_BODY }, /* 8 */ +- { 2, "end opt", ASN1_EOC, ASN1_END }, /* 9 */ +- { 2, "crlIssuer", ASN1_CONTEXT_C_2, ASN1_OPT|ASN1_OBJ }, /* 10 */ +- { 2, "end opt", ASN1_EOC, ASN1_END }, /* 11 */ +- { 0, "end loop", ASN1_EOC, ASN1_END }, /* 12 */ +- { 0, "exit", ASN1_EOC, ASN1_EXIT } ++ { 0, "crlDistributionPoints", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */ ++ { 1, "DistributionPoint", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */ ++ { 2, "distributionPoint", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_CHOICE }, /* 2 */ ++ { 3, "fullName", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_OBJ }, /* 3 */ ++ { 3, "end choice", ASN1_EOC, ASN1_END|ASN1_CH }, /* 4 */ ++ { 3, "nameRelToCRLIssuer",ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_BODY }, /* 5 */ ++ { 3, "end choice", ASN1_EOC, ASN1_END|ASN1_CH }, /* 6 */ ++ { 2, "end opt/choices", ASN1_EOC, ASN1_END|ASN1_CHOICE }, /* 7 */ ++ { 2, "reasons", ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_BODY }, /* 8 */ ++ { 2, "end opt", ASN1_EOC, ASN1_END }, /* 9 */ ++ { 2, "crlIssuer", ASN1_CONTEXT_C_2, ASN1_OPT|ASN1_OBJ }, /* 10 */ ++ { 2, "end opt", ASN1_EOC, ASN1_END }, /* 11 */ ++ { 0, "end loop", ASN1_EOC, ASN1_END }, /* 12 */ ++ { 0, "exit", ASN1_EOC, ASN1_EXIT } + }; + #define CRL_DIST_POINTS 1 + #define CRL_DIST_POINTS_FULLNAME 3 +@@ -910,14 +910,13 @@ end: + * ASN.1 definition of nameConstraints + */ + static const asn1Object_t nameConstraintsObjects[] = { +- { 0, "nameConstraints", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */ ++ { 0, "nameConstraints", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */ + { 1, "permittedSubtrees", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_LOOP }, /* 1 */ + { 2, "generalSubtree", ASN1_SEQUENCE, ASN1_BODY }, /* 2 */ + { 1, "end loop", ASN1_EOC, ASN1_END }, /* 3 */ + { 1, "excludedSubtrees", ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_LOOP }, /* 4 */ + { 2, "generalSubtree", ASN1_SEQUENCE, ASN1_BODY }, /* 5 */ + { 1, "end loop", ASN1_EOC, ASN1_END }, /* 6 */ +- { 0, "end loop", ASN1_EOC, ASN1_END }, /* 7 */ + { 0, "exit", ASN1_EOC, ASN1_EXIT } + }; + #define NAME_CONSTRAINT_PERMITTED 2 +@@ -974,25 +973,27 @@ end: + * ASN.1 definition of a certificatePolicies extension + */ + static const asn1Object_t certificatePoliciesObject[] = { +- { 0, "certificatePolicies", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */ +- { 1, "policyInformation", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */ +- { 2, "policyId", ASN1_OID, ASN1_BODY }, /* 2 */ +- { 2, "qualifiers", ASN1_SEQUENCE, ASN1_OPT|ASN1_LOOP }, /* 3 */ +- { 3, "qualifierInfo", ASN1_SEQUENCE, ASN1_NONE }, /* 4 */ +- { 4, "qualifierId", ASN1_OID, ASN1_BODY }, /* 5 */ +- { 4, "cPSuri", ASN1_IA5STRING, ASN1_OPT|ASN1_BODY }, /* 6 */ +- { 4, "end choice", ASN1_EOC, ASN1_END }, /* 7 */ +- { 4, "userNotice", ASN1_SEQUENCE, ASN1_OPT|ASN1_BODY }, /* 8 */ +- { 5, "explicitText", ASN1_EOC, ASN1_RAW }, /* 9 */ +- { 4, "end choice", ASN1_EOC, ASN1_END }, /* 10 */ +- { 2, "end opt/loop", ASN1_EOC, ASN1_END }, /* 12 */ +- { 0, "end loop", ASN1_EOC, ASN1_END }, /* 13 */ +- { 0, "exit", ASN1_EOC, ASN1_EXIT } ++ { 0, "certificatePolicies", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */ ++ { 1, "policyInformation", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */ ++ { 2, "policyId", ASN1_OID, ASN1_BODY }, /* 2 */ ++ { 2, "qualifiers", ASN1_SEQUENCE, ASN1_OPT|ASN1_LOOP }, /* 3 */ ++ { 3, "qualifierInfo", ASN1_SEQUENCE, ASN1_NONE }, /* 4 */ ++ { 4, "qualifierId", ASN1_OID, ASN1_BODY }, /* 5 */ ++ { 4, "qualifier", ASN1_EOC, ASN1_CHOICE }, /* 6 */ ++ { 5, "cPSuri", ASN1_IA5STRING, ASN1_OPT|ASN1_BODY }, /* 7 */ ++ { 5, "end choice", ASN1_EOC, ASN1_END|ASN1_CH }, /* 8 */ ++ { 5, "userNotice", ASN1_SEQUENCE, ASN1_OPT|ASN1_BODY }, /* 9 */ ++ { 6, "explicitText", ASN1_EOC, ASN1_RAW }, /* 10 */ ++ { 5, "end choice", ASN1_EOC, ASN1_END|ASN1_CH }, /* 11 */ ++ { 4, "end choices", ASN1_EOC, ASN1_END|ASN1_CHOICE }, /* 12 */ ++ { 2, "end opt/loop", ASN1_EOC, ASN1_END }, /* 13 */ ++ { 0, "end loop", ASN1_EOC, ASN1_END }, /* 14 */ ++ { 0, "exit", ASN1_EOC, ASN1_EXIT } + }; +-#define CERT_POLICY_ID 2 +-#define CERT_POLICY_QUALIFIER_ID 5 +-#define CERT_POLICY_CPS_URI 6 +-#define CERT_POLICY_EXPLICIT_TEXT 9 ++#define CERT_POLICY_ID 2 ++#define CERT_POLICY_QUALIFIER_ID 5 ++#define CERT_POLICY_CPS_URI 7 ++#define CERT_POLICY_EXPLICIT_TEXT 10 + + /** + * Parse certificatePolicies +@@ -1157,27 +1158,31 @@ static bool parse_policyConstraints(chunk_t blob, int level0, + * ASN.1 definition of ipAddrBlocks according to RFC 3779 + */ + static const asn1Object_t ipAddrBlocksObjects[] = { +- { 0, "ipAddrBlocks", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */ +- { 1, "ipAddressFamily", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */ +- { 2, "addressFamily", ASN1_OCTET_STRING, ASN1_BODY }, /* 2 */ +- { 2, "inherit", ASN1_NULL, ASN1_OPT|ASN1_NONE }, /* 3 */ +- { 2, "end choice", ASN1_EOC, ASN1_END }, /* 4 */ +- { 2, "addressesOrRanges", ASN1_SEQUENCE, ASN1_OPT|ASN1_LOOP }, /* 5 */ +- { 3, "addressPrefix", ASN1_BIT_STRING, ASN1_OPT|ASN1_BODY }, /* 6 */ +- { 3, "end choice", ASN1_EOC, ASN1_END }, /* 7 */ +- { 3, "addressRange", ASN1_SEQUENCE, ASN1_OPT|ASN1_NONE }, /* 8 */ +- { 4, "min", ASN1_BIT_STRING, ASN1_BODY }, /* 9 */ +- { 4, "max", ASN1_BIT_STRING, ASN1_BODY }, /* 10 */ +- { 3, "end choice", ASN1_EOC, ASN1_END }, /* 11 */ +- { 2, "end opt/loop", ASN1_EOC, ASN1_END }, /* 12 */ +- { 0, "end loop", ASN1_EOC, ASN1_END }, /* 13 */ +- { 0, "exit", ASN1_EOC, ASN1_EXIT } ++ { 0, "ipAddrBlocks", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */ ++ { 1, "ipAddressFamily", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */ ++ { 2, "addressFamily", ASN1_OCTET_STRING, ASN1_BODY }, /* 2 */ ++ { 2, "ipAddressChoice", ASN1_EOC, ASN1_CHOICE }, /* 3 */ ++ { 3, "inherit", ASN1_NULL, ASN1_OPT }, /* 4 */ ++ { 3, "end choice", ASN1_EOC, ASN1_END|ASN1_CH }, /* 5 */ ++ { 3, "addressesOrRanges", ASN1_SEQUENCE, ASN1_OPT|ASN1_LOOP }, /* 6 */ ++ { 4, "addressOrRange", ASN1_EOC, ASN1_CHOICE }, /* 7 */ ++ { 5, "addressPrefix", ASN1_BIT_STRING, ASN1_OPT|ASN1_BODY }, /* 8 */ ++ { 5, "end choice", ASN1_EOC, ASN1_END|ASN1_CH }, /* 9 */ ++ { 5, "addressRange", ASN1_SEQUENCE, ASN1_OPT }, /* 10 */ ++ { 6, "min", ASN1_BIT_STRING, ASN1_BODY }, /* 11 */ ++ { 6, "max", ASN1_BIT_STRING, ASN1_BODY }, /* 12 */ ++ { 5, "end choice", ASN1_EOC, ASN1_END|ASN1_CH }, /* 13 */ ++ { 4, "end choices", ASN1_EOC, ASN1_END|ASN1_CHOICE }, /* 14 */ ++ { 3, "end loop/choice", ASN1_EOC, ASN1_END|ASN1_CH }, /* 15 */ ++ { 2, "end choices", ASN1_EOC, ASN1_END|ASN1_CHOICE }, /* 16 */ ++ { 0, "end loop", ASN1_EOC, ASN1_END }, /* 17 */ ++ { 0, "exit", ASN1_EOC, ASN1_EXIT } + }; + #define IP_ADDR_BLOCKS_FAMILY 2 +-#define IP_ADDR_BLOCKS_INHERIT 3 +-#define IP_ADDR_BLOCKS_PREFIX 6 +-#define IP_ADDR_BLOCKS_MIN 9 +-#define IP_ADDR_BLOCKS_MAX 10 ++#define IP_ADDR_BLOCKS_INHERIT 4 ++#define IP_ADDR_BLOCKS_PREFIX 8 ++#define IP_ADDR_BLOCKS_MIN 11 ++#define IP_ADDR_BLOCKS_MAX 12 + + static bool check_address_object(ts_type_t ts_type, chunk_t object) + { +-- +1.9.1 + + \ No newline at end of file diff -Nru strongswan-5.5.1/debian/patches/series strongswan-5.5.1/debian/patches/series --- strongswan-5.5.1/debian/patches/series 2016-10-20 16:21:32.000000000 +0200 +++ strongswan-5.5.1/debian/patches/series 2017-05-29 21:40:35.000000000 +0200 @@ -1,3 +1,5 @@ 01_fix-manpages.patch 03_systemd-service.patch 04_disable-libtls-tests.patch +CVE-2017-9022_insufficient_input_validation_gmp_plugin.patch +CVE-2017-9023_incorrect_handling_of_choice_types_in_asn1_parser.patch