Merge PR "[AUTO-CHERRYPICK] [AutoPR- Security] Patch strongswan for CVE-2026-25075 [HIGH] - branch 3.0-dev" #16262

Co-authored-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>

Author: CBL-Mariner-Bot

SPECS/strongswan/CVE-2026-25075.patch

@@ -0,0 +1,48 @@
+From a4fe712399f0a679f0951c12d3758cf9264f3cdc Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Thu, 5 Mar 2026 12:43:12 +0100
+Subject: [PATCH] eap-ttls: Prevent crash if AVP length header field is invalid
+
+The length field in the AVP header includes the 8 bytes of the header
+itself.  Not checking for that and later subtracting it causes an
+integer underflow that usually triggers a crash when accessing a
+NULL pointer that resulted from the failing chunk_alloc() call because
+of the high value.
+
+The attempted allocations for invalid lengths (0-7) are 0xfffffff8,
+0xfffffffc, or 0x100000000 (0 on 32-bit hosts), so this doesn't result
+in a buffer overflow even if the allocation succeeds.
+
+Fixes: 79f2102cb442 ("implemented server side support for EAP-TTLS")
+Fixes: CVE-2026-25075
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://download.strongswan.org/security/CVE-2026-25075/strongswan-4.5.0-6.0.4_eap_ttls_avp_len.patch
+---
+ src/libcharon/plugins/eap_ttls/eap_ttls_avp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls_avp.c b/src/libcharon/plugins/eap_ttls/eap_ttls_avp.c
+index 06389f7..2983bd0 100644
+--- a/src/libcharon/plugins/eap_ttls/eap_ttls_avp.c
++++ b/src/libcharon/plugins/eap_ttls/eap_ttls_avp.c
+@@ -119,7 +119,7 @@ METHOD(eap_ttls_avp_t, process, status_t,
+ 		chunk_free(&this->input);
+ 		this->inpos = 0;
+ 
+-		if (!success)
++		if (!success || avp_len < AVP_HEADER_LEN)
+ 		{
+ 			DBG1(DBG_IKE, "received invalid AVP header");
+ 			return FAILED;
+@@ -130,7 +130,7 @@ METHOD(eap_ttls_avp_t, process, status_t,
+ 			return FAILED;
+ 		}
+ 		this->process_header = FALSE;
+-		this->data_len = avp_len - 8;
++		this->data_len = avp_len - AVP_HEADER_LEN;
+ 		this->input = chunk_alloc(this->data_len + (4 - avp_len) % 4);
+ 	}
+ 
+-- 
+2.45.4
+

SPECS/strongswan/strongswan.spec

@@ -12,7 +12,7 @@
 
 Name:           strongswan
 Version:        5.9.14
-Release:        8%{?dist}
+Release:        9%{?dist}
 Summary:        An OpenSource IPsec-based VPN and TNC solution
 # Automatically converted from old format: GPLv2+ - review is highly recommended.
 License:        GPL-2.0-or-later
@@ -32,6 +32,7 @@ Patch3:         strongswan-6.0.1-gcc15.patch
 Patch4:         strongswan-fix-make-check.patch
 Patch5:         0001-Extending-timeout-for-test-cases-with-multiple-read-.patch
 Patch6:         CVE-2025-62291.patch
+Patch7:         CVE-2026-25075.patch
 
 BuildRequires:  autoconf
 BuildRequires:  automake
@@ -426,6 +427,9 @@ install -D -m 0644 %{SOURCE3} %{buildroot}/%{_tmpfilesdir}/strongswan-starter.co
 %endif
 
 %changelog
+* Tue Mar 24 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 5.9.14-9
+- Patch for CVE-2026-25075
+
 * Mon Jan 19 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 5.9.14-8
 - Patch for CVE-2025-62291