!87 Update to 4.15 for fix CVE-2024-3652

From: @wk333 
Reviewed-by: @wu-leilei 
Signed-off-by: @wu-leilei

3000-Add-loongarch64-support.patch

@@ -0,0 +1,42 @@
+From 006551b798d9066ca8cbd3f01b2309329c4ca20c Mon Sep 17 00:00:00 2001
+From: yangchenguang <yangchenguang@kylinsec.com.cn>
+Date: Fri, 12 May 2023 14:38:23 +0800
+Subject: [PATCH] Add loongarch64 support
+
+Signed-off-by: yangchenguang <yangchenguang@kylinsec.com.cn>
+---
+ programs/addconn/addconn.c     | 2 ++
+ programs/pluto/pluto_seccomp.c | 2 ++
+ 2 files changed, 4 insertions(+)
+
+diff --git a/programs/addconn/addconn.c b/programs/addconn/addconn.c
+index 527d5cf..900a6c7 100644
+--- a/programs/addconn/addconn.c
++++ b/programs/addconn/addconn.c
+@@ -99,7 +99,9 @@ static void init_seccomp_addconn(uint32_t def_action, struct logger *logger)
+ 	LSW_SECCOMP_ADD(epoll_pwait);
+ 	LSW_SECCOMP_ADD(exit_group);
+ 	LSW_SECCOMP_ADD(fcntl);
++#ifndef __loongarch64
+ 	LSW_SECCOMP_ADD(fstat);
++#endif
+ 	LSW_SECCOMP_ADD(futex);
+ 	LSW_SECCOMP_ADD(getdents);
+ 	LSW_SECCOMP_ADD(getegid);
+diff --git a/programs/pluto/pluto_seccomp.c b/programs/pluto/pluto_seccomp.c
+index 27b1560..775033f 100644
+--- a/programs/pluto/pluto_seccomp.c
++++ b/programs/pluto/pluto_seccomp.c
+@@ -138,7 +138,9 @@ static void init_seccomp(uint32_t def_action, bool main, struct logger *logger)
+ 	LSW_SECCOMP_ADD(exit);
+ 	LSW_SECCOMP_ADD(exit_group);
+ 	LSW_SECCOMP_ADD(fcntl);
++#ifndef __loongarch64
+ 	LSW_SECCOMP_ADD(fstat);
++#endif
+ 	LSW_SECCOMP_ADD(futex);
+ 	LSW_SECCOMP_ADD(getpid);
+ 	LSW_SECCOMP_ADD(gettid);
+-- 
+2.34.1
+

CVE-2022-23094.patch

@@ -1,26 +0,0 @@
-diff --git a/programs/pluto/ikev1.c b/programs/pluto/ikev1.c
-index 9f4847874d..f7413f3594 100644
---- a/programs/pluto/ikev1.c
-+++ b/programs/pluto/ikev1.c
-@@ -2103,7 +2103,9 @@ void process_packet_tail(struct msg_digest *md)
- 					diag_t d = pbs_in_struct(&md->message_pbs, &isakmp_ignore_desc,
- 								 &pd->payload, sizeof(pd->payload), &pd->pbs);
- 					if (d != NULL) {
--						llog_diag(RC_LOG, st->st_logger, &d, "%s", "");
-+						llog_diag(RC_LOG,
-+							st != NULL ? st->st_logger : md->md_logger,
-+							&d, "%s", "");
- 						LOG_PACKET(RC_LOG_SERIOUS,
- 							   "%smalformed payload in packet",
- 							   excuse);
-@@ -2172,7 +2174,9 @@ void process_packet_tail(struct msg_digest *md)
- 						 &pd->payload, sizeof(pd->payload),
- 						 &pd->pbs);
- 			if (d != NULL) {
--				llog_diag(RC_LOG, st->st_logger, &d, "%s", "");
-+				llog_diag(RC_LOG,
-+					st != NULL ? st->st_logger : md->md_logger,
-+					&d, "%s", "");
- 				LOG_PACKET(RC_LOG_SERIOUS,
- 					   "%smalformed payload in packet",
- 					   excuse);

CVE-2023-23009.patch

@@ -1,16 +0,0 @@
-diff --git a/programs/pluto/ikev2_ts.c b/programs/pluto/ikev2_ts.c
-index 3f7519ca38..f06c40ba46 100644
---- a/programs/pluto/ikev2_ts.c
-+++ b/programs/pluto/ikev2_ts.c
-@@ -437,6 +437,11 @@ static bool v2_parse_tss(struct payload_digest *const ts_pd,
- 		d = pbs_in_struct(&ts_pd->pbs, &ikev2_ts_header_desc,
- 			  &ts_h, sizeof(ts_h), &ts_body_pbs);
- 
-+		if (d != NULL) {
-+			llog_diag(RC_LOG, logger, &d, "%s", "");
-+			return false;
-+		}
-+
- 		switch (ts_h.isath_type) {
- 		case IKEv2_TS_IPV4_ADDR_RANGE:
- 		case IKEv2_TS_IPV6_ADDR_RANGE:

libreswan.spec

@@ -1,4 +1,4 @@
-%global nss_version 3.44.0-8
+%global nss_version 3.52
 %global unbound_version 1.6.6
 %global libreswan_config \\\
     SHELL_BINARY=/usr/bin/sh \\\
@@ -25,19 +25,17 @@
 
 Name: libreswan
 Summary: IKE implementation for IPsec with IKEv1 and IKEv2 support
-Version: 4.5
-Release: 3
-License: GPLv2
+Version: 4.15
+Release: 1
+License: GPL-2.0-only
 Url: https://libreswan.org/
 Source0: https://download.libreswan.org/%{name}-%{version}.tar.gz
 Source1: https://download.libreswan.org/cavs/ikev1_dsa.fax.bz2
 Source2: https://download.libreswan.org/cavs/ikev1_psk.fax.bz2
 Source3: https://download.libreswan.org/cavs/ikev2.fax.bz2
 Source4: openeuler-libreswan-sysctl.conf
-#https://libreswan.org/security/CVE-2022-23094/
-Patch0:  CVE-2022-23094.patch
-#https://libreswan.org/security/CVE-2023-23009/
-Patch1:  CVE-2023-23009.patch
+
+Patch3000: 3000-Add-loongarch64-support.patch
 
 BuildRequires: audit-libs-devel
 BuildRequires: bison
@@ -107,6 +105,9 @@ sed -i '/config setup/a\\t# Specifies a directory forNSS database files\n\tnssdi
 
 sed -i '/ipsec --checknss/s/$/ --nssdir \/etc\/ipsec.d/' ./initsystems/systemd/ipsec.service.in
 
+linux_variant=`sed -n -e 's/"//g' -e 's/^ID_LIKE=//p' -e 's/^ID=//p' /etc/os-release|tr '\n' ' ' && echo`
+sed -i "s/filter fedora/filter fedora $linux_variant/" mk/defaults/linux.mk
+
 %build
 make %{?_smp_mflags} \
     OPTIMIZE_CFLAGS="%{optflags}" \
@@ -191,6 +192,27 @@ certutil -N -d sql:$tmpdir --empty-password
 %attr(0644,root,root) %doc %{_mandir}/*/*
 
 %changelog
+* Tue Apr 30 2024 wangkai <13474090681@163.com> - 4.15-1
+- Update to 4.15 for fix CVE-2024-3652
+
+* Tue Mar 26 2024 yaoxin <yao_xin001@hoperun.com> - 4.14-1
+- Upgrade to 4.14 for fix CVE-2024-2357
+
+* Mon Sep 11 2023 penghaitao <htpengc@isoftstone.com> - 4.12-3
+- Fix build error of 3000-Add-loongarch64-support.patch
+
+* Mon Aug 14 2023 suwei <suwei@kylinsec.com.cn> - 4.12-2
+- Add loongarch64 support
+
+* Sat Aug 12 2023 Funda Wang <fundawang@yeah.net> - 4.12-1
+- Update to 4.12 for CVE-2023-38710, CVE-2023-38711 and CVE-2023-38712
+
+* Wed Jun 14 2023 yangbo <yangbo1@xfusion.com> - 4.11-2
+- Fix '\n' of the linux_variant
+
+* Tue May 30 2023 wangkai <13474090681@163.com> - 4.11-1
+- Update to 4.11 for fix CVE-2023-30570
+
 * Tue Mar 07 2023 yaoxin <yaoxin30@h-partners.com> - 4.5-3
 - Fix CVE-2023-23009