FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

strongswan - Insufficient input validation in RSASSA-PSS signature parser

Affected packages
strongswan = 5.6.1

Details

VuXML ID 6a449a37-1570-11e8-8e00-000c294a5758
Discovery 2018-01-31
Entry 2018-02-19

Strongswan Release Notes reports:

Fixed a DoS vulnerability in the parser for PKCS#1 RSASSA-PSS signatures that was caused by insufficient input validation. One of the configurable parameters in algorithm identifier structures for RSASSA-PSS signatures is the mask generation function (MGF). Only MGF1 is currently specified for this purpose. However, this in turn takes itself a parameter that specifies the underlying hash function. strongSwan's parser did not correctly handle the case of this parameter being absent, causing an undefined data read. This vulnerability has been registered as CVE-2018-6459.
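The check the release note describes, as an added example (not strongSwan's code and not the referenced commit): a minimal DER reader for the MGF AlgorithmIdentifier that rejects MGF1 when its hash parameter is absent instead of reading past the OID. The names parse_mgf, read_tlv, buf_t and the MGF_* codes are hypothetical, the byte strings are constructed samples, and only short-form DER lengths are handled.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef struct { const uint8_t *p; size_t len; } buf_t;
enum { MGF_OK = 0, MGF_MALFORMED = -1, MGF_UNSUPPORTED = -2, MGF_NO_HASH = -3 };
/* id-mgf1 = 1.2.840.113549.1.1.8 */
static const uint8_t OID_MGF1[] = {0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x08};
/* Constructed samples: MGF1 with a SHA-256 hash parameter, and MGF1 with none. */
static const uint8_t MGF_WITH_HASH[] = {0x30,0x18, 0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,
    0x0d,0x01,0x01,0x08, 0x30,0x0b, 0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01};
static const uint8_t MGF_NO_PARAMS[] = {0x30,0x0b, 0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,
    0x0d,0x01,0x01,0x08};

/* Read one short-form TLV with the expected tag; advance *in past it. 0 = reject. */
static int read_tlv(buf_t *in, uint8_t tag, buf_t *out)
{
    if (in->len < 2 || in->p[0] != tag || in->p[1] >= 0x80)
        return 0;
    size_t n = in->p[1];
    if (n > in->len - 2)            /* declared length exceeds remaining input */
        return 0;
    out->p = in->p + 2; out->len = n;
    in->p += 2 + n; in->len -= 2 + n;
    return 1;
}

/* Parse maskGenAlgorithm; on MGF_OK, *hash_oid is the hash function's OID bytes. */
int parse_mgf(const uint8_t *der, size_t len, buf_t *hash_oid)
{
    buf_t in = { der, len }, seq, oid, params;
    if (!read_tlv(&in, 0x30, &seq) || in.len != 0)
        return MGF_MALFORMED;
    if (!read_tlv(&seq, 0x06, &oid))
        return MGF_MALFORMED;
    if (oid.len != sizeof(OID_MGF1) || memcmp(oid.p, OID_MGF1, oid.len) != 0)
        return MGF_UNSUPPORTED;
    if (seq.len == 0)               /* hash parameter absent: fail, never dereference */
        return MGF_NO_HASH;
    if (!read_tlv(&seq, 0x30, &params) || seq.len != 0)
        return MGF_MALFORMED;
    if (!read_tlv(&params, 0x06, hash_oid))
        return MGF_MALFORMED;
    return MGF_OK;
}

int main(void)
{
    buf_t h;
    return !(parse_mgf(MGF_WITH_HASH, sizeof(MGF_WITH_HASH), &h) == MGF_OK &&
             parse_mgf(MGF_NO_PARAMS, sizeof(MGF_NO_PARAMS), &h) == MGF_NO_HASH);
}
```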

References

CVE Name CVE-2018-6459
URL https://github.com/strongswan/strongswan/commit/40da179f28b768ffcf6ff7e2f68675eb44806668