Merge PR "[AUTO-CHERRYPICK] [AutoPR- Security] Patch strongswan for CVE-2025-62291 [HIGH] - branch 3.0-dev" #15541

Co-authored-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>

Author: CBL-Mariner-Bot

SPECS/strongswan/CVE-2025-62291.patch

@@ -0,0 +1,46 @@
+From ae75a582a276ca4b1f6b9b68fe602f41a6e93109 Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Thu, 9 Oct 2025 11:33:45 +0200
+Subject: [PATCH] eap-mschapv2: Fix length check for Failure Request packets on
+ the client
+
+For message lengths between 6 and 8, subtracting HEADER_LEN (9) causes
+`message_len` to become negative, which is then used in calls to malloc()
+and memcpy() that both take size_t arguments, causing an integer
+underflow.
+
+For 6 and 7, the huge size requested from malloc() will fail (it exceeds
+PTRDIFF_MAX) and the returned NULL pointer will cause a segmentation
+fault in memcpy().
+
+However, for 8, the allocation is 0, which succeeds.  But then the -1
+passed to memcpy() causes a heap-based buffer overflow (and possibly a
+segmentation fault when attempting to read/write that much data).
+Fortunately, if compiled with -D_FORTIFY_SOURCE=3 (the default on e.g.
+Ubuntu), the compiler will use __memcpy_chk(), which prevents that buffer
+overflow and causes the daemon to get aborted immediately instead.
+
+Fixes: f98cdf7a4765 ("adding plugin for EAP-MS-CHAPv2")
+Fixes: CVE-2025-62291
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://download.strongswan.org/security/CVE-2025-62291/strongswan-4.4.0-6.0.2_eap_mschapv2_failure_request_len.patch
+---
+ src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
+index 1bb54c8..9ad509a 100644
+--- a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
++++ b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
+@@ -974,7 +974,7 @@ static status_t process_peer_failure(private_eap_mschapv2_t *this,
+ 	data = in->get_data(in);
+ 	eap = (eap_mschapv2_header_t*)data.ptr;
+ 
+-	if (data.len < 3) /* we want at least an error code: E=e */
++	if (data.len < HEADER_LEN + 3) /* we want at least an error code: E=e */
+ 	{
+ 		DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: too short");
+ 		return FAILED;
+-- 
+2.45.4
+

SPECS/strongswan/strongswan.spec

@@ -12,7 +12,7 @@
 
 Name:           strongswan
 Version:        5.9.14
-Release:        7%{?dist}
+Release:        8%{?dist}
 Summary:        An OpenSource IPsec-based VPN and TNC solution
 # Automatically converted from old format: GPLv2+ - review is highly recommended.
 License:        GPL-2.0-or-later
@@ -31,6 +31,7 @@ Patch2:         strongswan-6.0.0-gcc15.patch
 Patch3:         strongswan-6.0.1-gcc15.patch
 Patch4:         strongswan-fix-make-check.patch
 Patch5:         0001-Extending-timeout-for-test-cases-with-multiple-read-.patch
+Patch6:         CVE-2025-62291.patch
 
 BuildRequires:  autoconf
 BuildRequires:  automake
@@ -425,6 +426,9 @@ install -D -m 0644 %{SOURCE3} %{buildroot}/%{_tmpfilesdir}/strongswan-starter.co
 %endif
 
 %changelog
+* Mon Jan 19 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 5.9.14-8
+- Patch for CVE-2025-62291
+
 * Fri May 23 2025 Mayank Singh <mayansingh@microsoft.com> - 5.9.14-7
 - Initial Azure Linux import from Fedora 42 (license: MIT).
 - License verified