author | Alberto Gonzalez Iniesta <agi@inittab.org> | 2017-06-22 18:00:56 +0200 |
---|---|---|
committer | Bernhard Schmidt <berni@debian.org> | 2017-06-29 21:26:15 +0200 |
commit | 3637e1aa7ac62f0bba5e9a196e42f22cb93a498b (patch) | |
tree | f5d7f0d119dc6cf7bc09152b7d66ea7592b432ea | |
parent | d73f7253d939e293abf9e27b4b7f37df1ec12a39 (diff) |
Import Debian changes 2.4.0-6+deb9u1debian/2.4.0-6+deb9u1
openvpn (2.4.0-6+deb9u1) stretch-security; urgency=high
* SECURITY UPDATE: (Closes: #865480)
- CVE-2017-7508.patch. Fix remotely-triggerable ASSERT() on malformed IPv6
packet.
- CVE-2017-7520.patch. Prevent two kinds of stack buffer OOB reads and a
crash for invalid input data.
- CVE-2017-7521.patch. Fix potential double-free in --x509-alt-username.
- CVE-2017-7521bis.patch. Fix remote-triggerable memory leaks.
-rw-r--r-- | debian/changelog | 12 | ||||
-rw-r--r-- | debian/patches/CVE-2017-7508.patch | 57 | ||||
-rw-r--r-- | debian/patches/CVE-2017-7520.patch | 55 | ||||
-rw-r--r-- | debian/patches/CVE-2017-7521.patch | 48 | ||||
-rw-r--r-- | debian/patches/CVE-2017-7521bis.patch | 74 | ||||
-rw-r--r-- | debian/patches/series | 4 |
6 files changed, 250 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index 3de80ab..0f96932 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,15 @@
+openvpn (2.4.0-6+deb9u1) stretch-security; urgency=high
+
+ * SECURITY UPDATE: (Closes: #865480)
+ - CVE-2017-7508.patch. Fix remotely-triggerable ASSERT() on malformed IPv6
+ packet.
+ - CVE-2017-7520.patch. Prevent two kinds of stack buffer OOB reads and a
+ crash for invalid input data.
+ - CVE-2017-7521.patch. Fix potential double-free in --x509-alt-username.
+ - CVE-2017-7521bis.patch. Fix remote-triggerable memory leaks.
+
+ -- Alberto Gonzalez Iniesta <agi@inittab.org> Thu, 22 Jun 2017 18:00:56 +0200
+
 openvpn (2.4.0-6) unstable; urgency=medium
 
 * Apply upstream patch to fix shrinking MTU sizes on reconnects causing not
diff --git a/debian/patches/CVE-2017-7508.patch b/debian/patches/CVE-2017-7508.patch
new file mode 100644
index 0000000..6ba80ac
--- /dev/null
+++ b/debian/patches/CVE-2017-7508.patch
@@ -0,0 +1,57 @@
+commit ed28cde3d8bf3f1459b2f42f0e27d64801009f92
+Author: Gert Doering <gert@greenie.muc.de>
+Date: Tue Jun 13 22:08:32 2017 +0200
+
+ Fix remotely-triggerable ASSERT() on malformed IPv6 packet.
+
+ Correct sanity checks on IPv6 packet length in mss_fixup_ipv6(),
+ and change the ASSERT() check in mss_fixup_dowork() into a simple
+ "return" (= the TCP header will simply not be inspected further).
+
+ CVE-2017-7508 has been assigned due to the serious nature of the
+ bug: it can be used to remotely shutdown an openvpn server or
+ client, if IPv6 and --mssfix are enabled and the IPv6 networks used
+ inside the VPN are known.
+
+ Found by Guido Vranken <guidovranken@gmail.com>.
+
+ v2: style changes
+
+ CVE: 2017-7508
+ Signed-off-by: Gert Doering <gert@greenie.muc.de>
+ Acked-by: Steffan Karger <steffan.karger@fox-it.com>
+ Message-Id: <20170613200832.15027-1-gert@greenie.muc.de>
+ URL: https://www.mail-archive.com/search?l=mid&q=20170613200832.15027-1-gert@greenie.muc.de
+ Signed-off-by: Gert Doering <gert@greenie.muc.de>
+ (cherry picked from commit c3f47077a7756de5929094569421a95aa66f2022)
+
+Index: openvpn-2.4.0/src/openvpn/mss.c
+===================================================================
+--- openvpn-2.4.0.orig/src/openvpn/mss.c
++++ openvpn-2.4.0/src/openvpn/mss.c
+@@ -120,8 +120,12 @@ mss_fixup_ipv6(struct buffer *buf, int m
+ return;
+ }
+
++ /* skip IPv6 header (40 bytes),
++ * verify remainder is large enough to contain a full TCP header
++ */
+ newbuf = *buf;
+- if (buf_advance( &newbuf, 40 ) )
++ if (buf_advance( &newbuf, 40 )
++ && BLEN(&newbuf) >= (int) sizeof(struct openvpn_tcphdr))
+ {
+ struct openvpn_tcphdr *tc = (struct openvpn_tcphdr *) BPTR(&newbuf);
+ if (tc->flags & OPENVPN_TCPH_SYN_MASK)
+@@ -145,7 +149,10 @@ mss_fixup_dowork(struct buffer *buf, uin
+ int accumulate;
+ struct openvpn_tcphdr *tc;
+
+- ASSERT(BLEN(buf) >= (int) sizeof(struct openvpn_tcphdr));
++ if (BLEN(buf) < (int) sizeof(struct openvpn_tcphdr))
++ {
++ return;
++ }
+
+ verify_align_4(buf);
+ tc = (struct openvpn_tcphdr *) BPTR(buf);
diff --git a/debian/patches/CVE-2017-7520.patch b/debian/patches/CVE-2017-7520.patch
new file mode 100644
index 0000000..2152517
--- /dev/null
+++ b/debian/patches/CVE-2017-7520.patch
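Review bot: In CVE-2017-7508.patch, the new early `return` in mss_fixup_dowork() discards a truncated TCP header without any log output, so malformed packets from a peer leave no trace for whoever operates the server. A debug-level message before the `return;`, at the same verbosity the rest of mss.c uses for MSS diagnostics, would keep the condition observable without restoring the crash. In the mss_fixup_ipv6() hunk the literal `40` is repeated in the comment and in `buf_advance( &newbuf, 40 )`; `sizeof(struct openvpn_ipv6hdr)` would tie the skip to the header definition, assuming that struct from proto.h is the one this function already uses. Both functions begin and end outside the hunks shown.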
@@ -0,0 +1,55 @@
+commit 043fe327878eba75efa13794c9845f85c3c629f2
+Author: Guido Vranken <guidovranken@gmail.com>
+Date: Fri May 19 14:04:25 2017 +0200
+
+ Prevent two kinds of stack buffer OOB reads and a crash for invalid input data
+
+ Pre-authentication remote crash/information disclosure for clients
+
+ If clients use a HTTP proxy with NTLM authentication (i.e.
+ "--http-proxy <server> <port> [<authfile>|'auto'|'auto-nct'] ntlm2"),
+ a man-in-the-middle attacker between the client and the proxy can
+ cause the client to crash or disclose at most 96 bytes of stack
+ memory. The disclosed stack memory is likely to contain the proxy
+ password.
+
+ If the proxy password is not reused, this is unlikely to compromise
+ the security of the OpenVPN tunnel itself. Clients who do not use
+ the --http-proxy option with ntlm2 authentication are not affected.
+
+ CVE: 2017-7520
+ Signed-off-by: Guido Vranken <guidovranken@gmail.com>
+ Acked-by: Gert Doering <gert@greenie.muc.de>
+ Message-Id: <CAO5O-EJvHKid-zTj+hmFG_3Gv78ixqCayE9=C62DZaxN32WNtQ@mail.gmail.com>
+ URL: https://www.mail-archive.com/search?l=mid&q=CAO5O-EJvHKid-zTj+hmFG_3Gv78ixqCayE9=C62DZaxN32WNtQ@mail.gmail.com
+ Signed-off-by: Gert Doering <gert@greenie.muc.de>
+ (cherry picked from commit 7718c8984f04b507c1885f363970e2124e3c6c77)
+
+Index: openvpn-2.4.0/src/openvpn/ntlm.c
+===================================================================
+--- openvpn-2.4.0.orig/src/openvpn/ntlm.c
++++ openvpn-2.4.0/src/openvpn/ntlm.c
+@@ -193,7 +193,7 @@ ntlm_phase_3(const struct http_proxy_inf
+ */
+
+ char pwbuf[sizeof(p->up.password) * 2]; /* for unicode password */
+- char buf2[128]; /* decoded reply from proxy */
++ unsigned char buf2[128]; /* decoded reply from proxy */
+ unsigned char phase3[464];
+
+ char md4_hash[MD4_DIGEST_LENGTH+5];
+@@ -299,7 +299,13 @@ ntlm_phase_3(const struct http_proxy_inf
+ tib_len = 96;
+ }
+ {
+- char *tib_ptr = buf2 + buf2[0x2c]; /* Get Target Information block pointer */
++ char *tib_ptr;
++ int tib_pos = buf2[0x2c];
++ if (tib_pos + tib_len > sizeof(buf2))
++ {
++ return NULL;
++ }
++ tib_ptr = buf2 + tib_pos; /* Get Target Information block pointer */
+ memcpy(&ntlmv2_blob[0x1c], tib_ptr, tib_len); /* Copy Target Information block into the blob */
+ }
+ }
diff --git a/debian/patches/CVE-2017-7521.patch b/debian/patches/CVE-2017-7521.patch
new file mode 100644
index 0000000..574ab4b
--- /dev/null
+++ b/debian/patches/CVE-2017-7521.patch
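Review bot: In CVE-2017-7520.patch, the new guard `if (tib_pos + tib_len > sizeof(buf2))` bounds the copy by the capacity of buf2, not by how many bytes the proxy reply actually decoded to. The decode call is outside the hunk, so this is inferred, but unless buf2 is cleared beforehand a short reply could still let the `memcpy` pick up stale stack bytes that lie inside the 128-byte array. Comparing against the decoded length, or zeroing buf2 before decoding, would close that gap. Separately, `tib_ptr` stays `char *` while buf2 is now `unsigned char`, so `tib_ptr = buf2 + tib_pos;` mixes pointer signedness; declaring it `unsigned char *tib_ptr;` avoids the warning. ntlm_phase_3() begins and ends outside both hunks.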
@@ -0,0 +1,48 @@
+commit 040084067119dd5a9e15eb3bcfc0079debaa3777
+Author: Steffan Karger <steffan.karger@fox-it.com>
+Date: Mon Jun 19 11:28:40 2017 +0200
+
+ Fix potential double-free in --x509-alt-username (CVE-2017-7521)
+
+ We didn't check the return value of ASN1_STRING_to_UTF8() in
+ extract_x509_extension(). Ignoring such a failure could result in buf
+ being free'd twice. An error in ASN1_STRING_to_UTF8() can be caused
+ remotely if the peer can make the local process run out of memory.
+
+ The problem can only be triggered for configurations that use the
+ --x509-alt-username option with an x509 extension (i.e. the option
+ parameter starts with "ext:").
+
+ This issue was discovered, analysed and reported to the OpenVPN team by
+ Guido Vranken.
+
+ Extensive testing by Guido Vranken gives confidence that this function
+ is very unlikely to fail in real-world usage (using subjectAltName or
+ issuerAltName extensions) for other reasons than memory exhaustion.
+
+ CVE: 2017-7521
+ Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
+ Acked-by: Gert Doering <gert@greenie.muc.de>
+ Acked-by: David Sommerseth <davids@openvpn.net>
+ Acked-by: Guido Vranken <guidovranken@gmail.com>
+ Message-Id: <1497864520-12219-6-git-send-email-steffan.karger@fox-it.com>
+ URL: https://www.mail-archive.com/search?l=mid&q=1497864520-12219-6-git-send-email-steffan.karger@fox-it.com
+ Signed-off-by: Gert Doering <gert@greenie.muc.de>
+ (cherry picked from commit cb4e35ece4a5b70b10ef9013be3bff263d82f32b)
+
+Index: openvpn-2.4.0/src/openvpn/ssl_verify_openssl.c
+===================================================================
+--- openvpn-2.4.0.orig/src/openvpn/ssl_verify_openssl.c
++++ openvpn-2.4.0/src/openvpn/ssl_verify_openssl.c
+@@ -142,7 +142,10 @@ extract_x509_extension(X509 *cert, char
+ switch (name->type)
+ {
+ case GEN_EMAIL:
+- ASN1_STRING_to_UTF8((unsigned char **)&buf, name->d.ia5);
++ if (ASN1_STRING_to_UTF8((unsigned char **)&buf, name->d.ia5) < 0)
++ {
++ continue;
++ }
+ if (strlen(buf) != name->d.ia5->length)
+ {
+ msg(D_TLS_ERRORS, "ASN1 ERROR: string contained terminating zero");
diff --git a/debian/patches/CVE-2017-7521bis.patch b/debian/patches/CVE-2017-7521bis.patch
new file mode 100644
index 0000000..8f242f8
--- /dev/null
+++ b/debian/patches/CVE-2017-7521bis.patch
@@ -0,0 +1,74 @@
+commit 2341f716198fa90193e040b3fdb16959a47c6c27
+Author: Steffan Karger <steffan.karger@fox-it.com>
+Date: Mon Jun 19 11:28:38 2017 +0200
+
+ Fix remote-triggerable memory leaks (CVE-2017-7521)
+
+ Several of our OpenSSL-specific certificate-parsing code paths did not
+ always clear all allocated memory. Since a client can cause a few bytes
+ of memory to be leaked for each connection attempt, a client can cause a
+ server to run out of memory and thereby kill the server. That makes this
+ a (quite inefficient) DoS attack.
+
+ When using the --x509-alt-username option on openssl builds with an
+ extension (argument prefixed with "ext:", e.g. "ext:subjectAltName"), the
+ code would not free all allocated memory. Fix this by using the proper
+ free function.
+
+ If ASN1_STRING_to_UTF8() returns 0, it didn't fail and *did* allocate
+ memory. So also free the returned buffer if it returns 0.
+
+ These issues were found, analysed and reported to the OpenVPN team by Guido
+ Vranken.
+
+ CVE: 2017-7521
+ Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
+ Acked-by: Gert Doering <gert@greenie.muc.de>
+ Acked-by: David Sommerseth <davids@openvpn.net>
+ Acked-by: Guido Vranken <guidovranken@gmail.com>
+ Message-Id: <1497864520-12219-4-git-send-email-steffan.karger@fox-it.com>
+ URL: https://www.mail-archive.com/search?l=mid&q=1497864520-12219-4-git-send-email-steffan.karger@fox-it.com
+ Signed-off-by: Gert Doering <gert@greenie.muc.de>
+ (cherry picked from commit 2d032c7fcdfd692c851ea2fa858b4c2d9ea7d52d)
+
+Index: openvpn-2.4.0/src/openvpn/ssl_verify_openssl.c
+===================================================================
+--- openvpn-2.4.0.orig/src/openvpn/ssl_verify_openssl.c
++++ openvpn-2.4.0/src/openvpn/ssl_verify_openssl.c
+@@ -165,7 +165,7 @@ extract_x509_extension(X509 *cert, char
+ break;
+ }
+ }
+- sk_GENERAL_NAME_free(extensions);
++ GENERAL_NAMES_free(extensions);
+ }
+ return retval;
+ }
+@@ -218,8 +218,7 @@ extract_x509_field_ssl(X509_NAME *x509,
+ {
+ return FAILURE;
+ }
+- tmp = ASN1_STRING_to_UTF8(&buf, asn1);
+- if (tmp <= 0)
++ if (ASN1_STRING_to_UTF8(&buf, asn1) < 0)
+ {
+ return FAILURE;
+ }
+@@ -460,7 +459,7 @@ x509_setenv_track(const struct x509_trac
+ ASN1_STRING *val = X509_NAME_ENTRY_get_data(ent);
+ unsigned char *buf;
+ buf = (unsigned char *)1; /* bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8 requires this workaround */
+- if (ASN1_STRING_to_UTF8(&buf, val) > 0)
++ if (ASN1_STRING_to_UTF8(&buf, val) >= 0)
+ {
+ do_setenv_x509(es, xt->name, (char *)buf, depth);
+ OPENSSL_free(buf);
+@@ -548,7 +547,7 @@ x509_setenv(struct env_set *es, int cert
+ continue;
+ }
+ buf = (unsigned char *)1; /* bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8 requires this workaround */
+- if (ASN1_STRING_to_UTF8(&buf, val) <= 0)
++ if (ASN1_STRING_to_UTF8(&buf, val) < 0)
+ {
+ continue;
+ }
diff --git a/debian/patches/series b/debian/patches/series
index 907dc15..a83cda1 100644
--- a/debian/patches/series
+++ b/debian/patches/series
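Review bot: In CVE-2017-7521.patch, the added `continue;` in the GEN_EMAIL case skips the entry without logging, so a conversion failure during --x509-alt-username extraction looks the same as a certificate that has no matching name. A line such as `msg(D_TLS_ERRORS, "ASN1 ERROR: could not convert extension value to UTF-8");` before the `continue;` would match the error reporting a few lines below it. A brief comment that `continue` here leaves the `switch` and advances the enclosing loop would also help, since per the commit message that is what keeps a stale `buf` from being freed again; the loop and the free are outside the hunk.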
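Review bot: In CVE-2017-7521bis.patch, the three changed ASN1_STRING_to_UTF8() checks now treat a return of 0 as success, but nothing in the code says why, and the old `<= 0` / `> 0` form looks like the natural check. A comment at each site, for example `/* 0 is a valid empty result and still allocates buf; only < 0 is failure */`, would keep a later cleanup from reintroducing the leak. In extract_x509_field_ssl() the code that consumes `buf` after the check is outside the hunk, so it is worth confirming there that a zero-length result is handled as intended.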
@@ -8,3 +8,7 @@ CVE-2017-7479-prereq.patch
 CVE-2017-7479.patch
 wipe_tokens_on_de-auth.patch
 upstream-issue-879.patch
+CVE-2017-7508.patch
+CVE-2017-7520.patch
+CVE-2017-7521.patch
+CVE-2017-7521bis.patch |