Resolves: rhbz#048108 - segfault at 18 ip 00007f4c7c0d841c sp 00007ffe49f61b70 error 4 in libc.so.6

Fix changelog entry Include upstream patch link
2022-03-07 12:19:35 +01:00
7 changed files with 121 additions and 160 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -7,15 +7,4 @@
 /948F158A4E76A27BF3D07532DF42C170B34DBA77
 /strongswan-5.9.5.tar.bz2
 /strongswan-5.9.5.tar.bz2.sig
-/strongswan-5.9.6.tar.bz2
-/strongswan-5.9.6.tar.bz2.sig
-/strongswan-5.9.8.tar.bz2
-/strongswan-5.9.8.tar.bz2.sig
-/strongswan-5.9.9.tar.bz2
-/strongswan-5.9.9.tar.bz2.sig
-/strongswan-5.9.10.tar.bz2
-/strongswan-5.9.10.tar.bz2.sig
-/strongswan-5.9.11.tar.bz2
-/strongswan-5.9.11.tar.bz2.sig
-/strongswan-5.9.14.tar.bz2
-/strongswan-5.9.14.tar.bz2.sig
+/STRONGSWAN-RELEASE-PGP-KEY
--- a/48
+++ b/48
@@ -1,48 +0,0 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
-
-mQGNBEoycP0BDACzL8ymURD7gnaNbGx2VGieNQr/gNISWhqgHaeUxuSkrInxl89A
-ClvN7DoF2cD7slEqIMQh/8t6xVzmh9teu5uyeV1eyG/CuFMUqawXqpn/sYa2SkgX
-C/qHB2hIbFg2K4k5LJHxzqHb1OdtOcU6lHg9yrvYcoO+FTVR+rYaVgYbbbziTB/v
-hAAzvdTdgwMgoQMSXA7FsJ0mALny4IeiCoi6S6qRVDm4zcu11UFT9g1VmhmeHqtU
-SQso72bPKKhYvu7ZaQrLhkvY9inWr6m9dxV8Zgb1ivZGhzsNzrhGAsz9jmiB5POF
-Mfph0hREMiS33ph/YMJducGQHYGEza9mKBdUaaAAEL3fCpde7vRa+c5Gc/Y5RUB7
-iUsb2KQY+7xTiSUnCHbsMwhndG0dJspVXcz6X+2S3Ty4GaiqkvxI9KLiwiECNl0I
-oLX5s/FIW6KW+GnxJTp/3h6vvqm8i0+yIwk+ETM4XfhHMwuPkDyf6km1ag3nIUw6
-pSSfnQMPhj5rXIMAEQEAAbQwQW5kcmVhcyBTdGVmZmVuIDxhbmRyZWFzLnN0ZWZm
-ZW5Ac3Ryb25nc3dhbi5vcmc+iQG3BBMBAgAhBQJKMnD9AhsDBwsJCAcDAgEEFQII
-AwQWAgMBAh4BAheAAAoJEN9CwXCzTbp3t5AL/jrXnnGIHLn8M9rmyoeNe7JQUE5A
-GSV3UFaZHgHmjbvIHA+dRvh1MPlHuWbaZkHVPtRFvFtEgksc944+XcKoNoExKGKr
-wLQcUExUiQ0IyNwH70u7f1uFNcbY85Oue5ASzm+wAntnmIlNsN+MHewRWC6f6gYn
-1aHwsvh09fz0A34v9wdtim2ek/Voxe3AIDIw2MTNmwF61pXEsrH0wqYnGhYLZ7Qb
-thnDnHQaUd3IPSa6uAgOOiCoCbKCvP4u/iVm0rmXN9uzmm/i4Y0cE3DopGsqrR5D
-fWYJjgP4KBCln0LgWtYI8pcYcmA5E+l+fijNcMidtzWHMW2Mj0oZZsO+wlRUYLGh
-/jRASgq7rXuxV+oGKcBn4RqSHlZ5/BYlvowUxnNFC4tLLlneHidS8TurjacM3fwR
-MP5NMmcS5d9sVLG1uxl+/g2cRMtphHiziz+79jDc+tSxqRO5lhqyItAD6LC2GxB3
-iC5afnMx49+YWzhUTeL/KfkrD9w3/n7O00kLtLkDDQRKjOHDEAwAxdh8W7j/QhE3
-KZNmJGsK/QtJ72zZRGRcdUPH6GG//GaAG5hSCjM8q+0MR/G+31uk32RbzRIj1sHQ
-8fY0znxPmaeD1wow0hCbDTq+Ep3K8ouaqoqjlP4rd+I94OtxNfXgmllf7BDOZ6lI
-wUY8ba8cFCPYsv8ZvRXo82XfwFYevQ9kTLqkJT52mMyPZLwYx4DNwuqFtQQEBLKg
-IVXVgpK6SE72MFP8vyFsdrL0ORgxoWI6PIHbnIRY1KiWUzOSrqirZUHH9MPuzFuB
-R0+jEAajeKoxycn0ILLM5PBAEFXFgBdtNNCtshe1fR5aPsXcGZsZRjc7mbAHLRqa
-pVhk7oX31WrGqGHkSM/GAnf3aAzsnCkO5+Tje2iyuoG5OhQbHsvMBOtdvQrwnorl
-56EguzuK1mGDsczNsuAYRcKiasCWpsjoytDH+dGEQmKXydD9r06cxPx+mWmWKLo4
-w+k4mMC0lFRYKi83cwTpaMpHOeW4+3d1tJfkCQy+vjUz4aZJ/WSXAAMFDACqmeXA
-Al7WssHkjVZ/vwQfHLHNMZsGEEucvV7KNqMF4Fe6nRbbE6GJOuz6taeFkJIppBqV
-xhSNOsf5soOXfGp0IgYoC37GPI6AAb4UnG5GVcaAMQAXUYcwfDGGuV/EO5pPrEyP
-jy++GvjhxcKV3HmUuAfcgyhTGhDOVPxU28Roz3+8Eig085v+lyqAsgFduBrf+ZV+
-lHjIOSXSWmTiT8EVSA3fpN14/qhltudhdGIZ/pCW303H9Bd9c4Uc9OzYhRr1VpO6
-lpYfTFNey8KQL4z9Kjt0RPscz2hYDOJ1cTFWs/4Z+9mBJODwrnIiORLlgV2NlP5E
-ZY4MccVFd9K7E/OPQdt3Uv6+6BjYRntY7wsX617T5Rmj8n6AhbpngmWg2D6wRfm7
-TyI0Wtz5icCoJIEHQwB/3EhBzQl7tBc0cClwCYm7nTYRt+SL2tfylWy9Leail+ay
-M6zwMW0klV42E4u8DCy/aJrwmEiVwuwGbXL6z46M9EZguof38MTEmLsHls+JAZ8E
-GAECAAkFAkqM4cMCGwwACgkQ30LBcLNNunffBgv/b/v3eQoZTWgOB5MnXhIrg/Ki
-kYTYbnEG9wWM7XIST8bpP7f/UKyD44CCVJH7SVTGAXeyjglnuYXy4FwaTdFmm6al
-W0sCp4rnmADi5BLLzQlCUa5J0iZ+oAZnAH60BezUM+CYz/QBW3NJmP3323PeM4H4
-MZ0vLv3wgaLkFlaK/eASBoC7KuZWAnvsNOdLQ29L4BYgW2Jwk1+PxszjT369DsMU
-Y3iY6gM9rM71Ajd8x98hd1r26LILGntAEEXxs+13Kka7J4GCqf8/J9ZR01dDp8QM
-+M9EHFLnthpAyUuSXm5Qlglavnf7tU6AA0SFuA0pP5CXVLG1DLT1fJvNOqjdzPsf
-u/48AM2Lpxj0gKt1yDQc890GxwnOL1iZ6+XMh9/ujWy7Q7dI4M2mthwYFXldWrPS
-CmMToWfl62BxPdY5FIECXeRwTIO9sI0LQVc2eAG8lDsge05q1nJFxo9WKr7ewAdF
-b/fMIr7XMwoMj2SQSy/tZVCBnDXR5Gw5HSxRnIAS
-=ze82
-----END PGP PUBLIC KEY BLOCK-----
--- a/5
+++ b/5
@@ -1,2 +1,3 @@
-SHA512 (strongswan-5.9.14.tar.bz2) = e48bc9d215f9de6b54e24f7b4765d59aec4c615291d5c1f24f6a6d7da45dc8b17b2e0e150faf5fabb35e5d465abc5e6f6efa06cd002467067c5d7844ead359f6
-SHA512 (strongswan-5.9.14.tar.bz2.sig) = 1b3d57448caab91060fe3d209d90708c57dbf35ae62c97574107b32677cff73f13f7545dc91682ef84400bb8a2f105a1761aba8334763dc8c35d97be7921c242
+SHA512 (strongswan-5.9.5.tar.bz2.sig) = 377889158484968d33b70a2a8ae149432191bc4614a2c5c3865eea1170bee1bae8ccf844d41ea5b4a087d300cc0967cba3aec6255c33976be060022871e094c5
+SHA512 (strongswan-5.9.5.tar.bz2) = 3b11c4edb1ffccf0ea5b8b843acfe2eb18dcd3857fc2818b8481c4febe7959261e1b2804c3af29068319df469fa0b784682d3ba4d49a3eb580841ff3c34e33a1
+SHA512 (STRONGSWAN-RELEASE-PGP-KEY) = 2803ebc9bdbbe88e19b75130ad9cc36af730fd3d0c9055665da99ce9b831ce518b0083f98389e6fb9b00dd62da28fcbb03df5dbf899df52b59d49c6bd34c6d37
--- a/strongswan-5.9.4-test-socket.patch
+++ b/strongswan-5.9.4-test-socket.patch
@@ -0,0 +1,31 @@
+From 377039d24648f82dac35dcf22a2b43de81f2fb96 Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Thu, 11 Nov 2021 05:48:38 +0100
+Subject: [PATCH] Skip test case, which always hangs
+
+It just stops and does not continue. Avoid that test.
+---
+ src/libtls/tests/suites/test_socket.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/libtls/tests/suites/test_socket.c b/src/libtls/tests/suites/test_socket.c
+index 9e26e91..5296680 100644
+--- a/src/libtls/tests/suites/test_socket.c
+++ b/src/libtls/tests/suites/test_socket.c
+@@ -804,11 +804,13 @@ Suite *socket_suite_create()
+ 	add_tls_versions_test(test_tls_12_server, TLS_1_0, TLS_1_3);
+ 	suite_add_tcase(s, tc);
+ 
+#if 0
+ 	tc = tcase_create("TLS 1.3/key exchange groups");
+ 	tcase_add_checked_fixture(tc, setup_creds, teardown_creds);
+ 	tcase_add_loop_test(tc, test_tls13_ke_groups, 0,
+ 						tls_crypto_get_supported_groups(NULL));
+ 	suite_add_tcase(s, tc);
+#endif
+ 
+ 	tc = tcase_create("TLS 1.3/signature schemes");
+ 	tcase_add_checked_fixture(tc, setup_all_creds, teardown_creds);
+-- 
+2.31.1
+
--- a/strongswan-5.9.5-atexit-handlers.patch
+++ b/strongswan-5.9.5-atexit-handlers.patch
@@ -0,0 +1,71 @@
+--- strongswan-5.9.5-orig/src/libstrongswan/plugins/openssl/openssl_plugin.c	2022-01-08 12:54:02.000000000 +0100
+++ strongswan-5.9.5/src/libstrongswan/plugins/openssl/openssl_plugin.c	2022-02-23 23:12:03.685111475 +0100
+@@ -16,7 +16,6 @@
+ 
+ #include <library.h>
+ #include <utils/debug.h>
+-#include <collections/array.h>
+ #include <threading/thread.h>
+ #include <threading/mutex.h>
+ #include <threading/thread_value.h>
+@@ -74,13 +73,6 @@
+ 	 * public functions
+ 	 */
+ 	openssl_plugin_t public;
+-
+-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+-	/**
+-	 * Loaded providers
+-	 */
+-	array_t *providers;
+-#endif
+ };
+ 
+ /**
+@@ -881,21 +873,12 @@
+ #endif
+ 	}
+ 	*features = f;
+-	return countof(f);
+	return count;
+ }
+ 
+ METHOD(plugin_t, destroy, void,
+ 	private_openssl_plugin_t *this)
+ {
+-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+-	OSSL_PROVIDER *provider;
+-	while (array_remove(this->providers, ARRAY_TAIL, &provider))
+-	{
+-		OSSL_PROVIDER_unload(provider);
+-	}
+-	array_destroy(this->providers);
+-#endif /* OPENSSL_VERSION_NUMBER */
+-
+ /* OpenSSL 1.1.0 cleans up itself at exit and while OPENSSL_cleanup() exists we
+  * can't call it as we couldn't re-initialize the library (as required by the
+  * unit tests and the Android app) */
+@@ -1009,20 +992,16 @@
+ 			DBG1(DBG_LIB, "unable to load OpenSSL FIPS provider");
+ 			return NULL;
+ 		}
+-		array_insert_create(&this->providers, ARRAY_TAIL, fips);
+ 		/* explicitly load the base provider containing encoding functions */
+-		array_insert_create(&this->providers, ARRAY_TAIL,
+-							OSSL_PROVIDER_load(NULL, "base"));
+		OSSL_PROVIDER_load(NULL, "base");
+ 	}
+ 	else if (lib->settings->get_bool(lib->settings, "%s.plugins.openssl.load_legacy",
+ 									 TRUE, lib->ns))
+ 	{
+ 		/* load the legacy provider for algorithms like MD4, DES, BF etc. */
+-		array_insert_create(&this->providers, ARRAY_TAIL,
+-							OSSL_PROVIDER_load(NULL, "legacy"));
+		OSSL_PROVIDER_load(NULL, "legacy");
+ 		/* explicitly load the default provider, as mentioned by crypto(7) */
+-		array_insert_create(&this->providers, ARRAY_TAIL,
+-							OSSL_PROVIDER_load(NULL, "default"));
+		OSSL_PROVIDER_load(NULL, "default");
+ 	}
+ 	ossl_provider_names_t data = {};
+ 	OSSL_PROVIDER_do_all(NULL, concat_ossl_providers, &data);
--- a/strongswan-5.9.7-error-no-format.patch
+++ b/strongswan-5.9.7-error-no-format.patch
@@ -1,12 +0,0 @@
-diff --git a/configure.ac b/configure.ac
-index f9e6e55c2..247d055d8 100644
--- a/configure.ac
-+++ b/configure.ac
-@@ -1480,7 +1480,6 @@ else
- fi
- # disable some warnings, whether explicitly enabled above or by default
- # these are not compatible with our custom printf specifiers
-WARN_CFLAGS="$WARN_CFLAGS -Wno-format"
- WARN_CFLAGS="$WARN_CFLAGS -Wno-format-security"
- # we generally use comments, but GCC doesn't seem to recognize many of them
- WARN_CFLAGS="$WARN_CFLAGS -Wno-implicit-fallthrough"
--- a/strongswan.spec
+++ b/strongswan.spec
@@ -12,46 +12,38 @@
 %bcond_with tss_trousers
 %endif

-%global forgeurl0 https://github.com/strongswan/strongswan
-
 Name:           strongswan
-Version:        5.9.14
-Release:        5%{?dist}
+Version:        5.9.5
+Release:        3%{?dist}
 Summary:        An OpenSource IPsec-based VPN and TNC solution
-# Automatically converted from old format: GPLv2+ - review is highly recommended.
-License:        GPL-2.0-or-later
-URL:            https://www.strongswan.org/
-VCS:            git:%{forgeurl0}
-Source0:        https://download.strongswan.org/strongswan-%{version}%{?prerelease}.tar.bz2
-Source1:        https://download.strongswan.org/strongswan-%{version}%{?prerelease}.tar.bz2.sig
+License:        GPLv2+
+URL:            http://www.strongswan.org/
+Source0:        http://download.strongswan.org/strongswan-%{version}%{?prerelease}.tar.bz2
+Source1:        http://download.strongswan.org/strongswan-%{version}%{?prerelease}.tar.bz2.sig
 Source2:        https://download.strongswan.org/STRONGSWAN-RELEASE-PGP-KEY
 Source3:        tmpfiles-strongswan.conf
 Patch0:         strongswan-5.6.0-uintptr_t.patch
-# https://github.com/strongswan/strongswan/issues/1198
-Patch1:         strongswan-5.9.7-error-no-format.patch
+# https://git.strongswan.org/?p=strongswan.git;a=commit;h=3eecd40cec6415fc033f8d9141ab652047e71524
+Patch1:         strongswan-5.9.5-atexit-handlers.patch
+
+# only needed for pre-release versions
+#BuildRequires:  autoconf automake

-BuildRequires:  autoconf
-BuildRequires:  automake
 BuildRequires:  gnupg2
 BuildRequires:  make
 BuildRequires:  gcc
-BuildRequires:  systemd
 BuildRequires:  systemd-devel
-BuildRequires:  systemd-rpm-macros
 BuildRequires:  gmp-devel
 BuildRequires:  libcurl-devel
 BuildRequires:  openldap-devel
 BuildRequires:  openssl-devel
-%if 0%{?fedora} >= 41
-# https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine
-BuildRequires:  openssl-devel-engine
-%endif
 BuildRequires:  sqlite-devel
 BuildRequires:  gettext-devel
 BuildRequires:  libxml2-devel
 BuildRequires:  pam-devel
 BuildRequires:  json-c-devel
 BuildRequires:  libgcrypt-devel
+BuildRequires:  systemd-devel
 BuildRequires:  iptables-devel
 BuildRequires:  libcap-devel
 BuildRequires:  tpm2-tss-devel
@@ -64,7 +56,7 @@ BuildRequires:  python3-pytest
 %endif

 %if %{with perl}
-BuildRequires:  perl-devel perl-generators
+BuildRequires:  perl-devel perl-macros
 BuildRequires:  perl(ExtUtils::MakeMaker)
 %endif

@@ -224,6 +216,8 @@ for Strongswan runtime configuration from perl applications.
    --enable-imv-attestation \
    --enable-imv-os \
    --enable-imc-os \
+    --enable-imc-swid \
+    --enable-imv-swid \
    --enable-imc-swima \
    --enable-imv-swima \
    --enable-imc-hcd \
@@ -260,9 +254,6 @@ for p in bypass-lan; do
    echo -e "\ncharon.plugins.${p}.load := no" >> conf/plugins/${p}.opt
 done

-# ensure manual page is regenerated with local configuration
-rm -f src/ipsec/_ipsec.8
-
 %make_build

 pushd src/libcharon/plugins/vici
@@ -421,68 +412,6 @@ install -D -m 0644 %{SOURCE3} %{buildroot}/%{_tmpfilesdir}/strongswan-starter.co
 %endif

 %changelog
-* Sat Jul 27 2024 Michel Lind <salimma@fedoraproject.org> - 5.9.14-5
- Depend on openssl-devel-engine since we still use this deprecated feature (rhbz#2295335)
-
-* Fri Jul 26 2024 Miroslav Suchý <msuchy@redhat.com> - 5.9.14-4
- convert license to SPDX
-
-* Sat Jul 20 2024 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.14-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
-
-* Fri Jun 07 2024 Python Maint <python-maint@redhat.com> - 5.9.14-2
- Rebuilt for Python 3.13
-
-* Fri May 31 2024 Paul Wouters <paul.wouters@aiven.io> - 5.9.14-1
- Resolves: rhbz#2254560 CVE-2023-41913 buffer overflow and possible RCE
- Resolved: rhbz#2250666 Update to 5.9.14 (IKEv2 OCSP extensions, seqno/regno overflow handling
- Update to 5.9.13 (OCSP nonce set regression configuration option charon.ocsp_nonce_len)
- Update to 5.9.12 (CVE-2023-41913 fix, various IKEv2 fixes)
-
-* Sat Jan 27 2024 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.11-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
-
-* Sat Jul 22 2023 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.11-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
-
-* Fri Jul 14 2023 Paul Wouters <paul.wouters@aiven.io - 5.9.11-1
- Resolves: rhbz#2214186 strongswan-5.9.11 is available
-
-* Tue Jun 13 2023 Python Maint <python-maint@redhat.com> - 5.9.10-2
- Rebuilt for Python 3.12
-
-* Thu Mar 02 2023 Paul Wouters <paul.wouters@aiven.io - 5.9.10-1
- Update to 5.9.10
-
-* Tue Feb 28 2023 Paul Wouters <paul.wouters@aiven.io - 5.9.9-3
- Resolves: CVE-2023-26463 authorization bypass in TLS-based EAP methods
-
-* Mon Jan 16 2023 Petr Menšík <pemensik@redhat.com> - 5.9.9-2
- Use configure paths in manual pages (#2106120)
-
-* Sun Jan 15 2023 Petr Menšík <pemensik@redhat.com> - 5.9.9-1
- Update to 5.9.9 (#2157850)
-
-* Thu Dec 08 2022 Jitka Plesnikova <jplesnik@redhat.com> - 5.9.8-2
- Add BR perl-generators to automatically generates run-time dependencies
-  for installed Perl files
-
-* Sun Oct 16 2022 Arne Reiter <redhat@arnereiter.de> - 5.9.8-1
- Resolves rhbz#2112274 strongswan-5.9.8 is available
- Patch1 removes CFLAGS -Wno-format which interferes with -Werror=format-security
- Add BuildRequire for autoconf and automake, now required for release
- Remove obsolete patches
-
-* Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.6-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
-
-* Wed Jun 22 2022 Arne Reiter <redhat@arnereiter.de> - 5.9.6-1
- Resolves rhbz#2080070 strongswan-5.9.6 is available
- Fixed missing format string in enum_flags_to_string()
-
-* Mon Jun 13 2022 Python Maint <python-maint@redhat.com> - 5.9.5-4
- Rebuilt for Python 3.11
-
 * Fri Feb 25 2022 Arne Reiter <redhat@arnereiter.de> - 5.9.5-3
 - Resolves: rhbz#2048108 - segfault at 18 ip 00007f4c7c0d841c sp 00007ffe49f61b70 error 4 in libc.so.6