diff options
| author | Alberto Gonzalez Iniesta <agi@inittab.org> | 2014-12-01 16:12:18 +0100 |
|---|---|---|
| committer | Alberto Gonzalez Iniesta <agi@inittab.org> | 2014-12-01 16:12:18 +0100 |
| commit | 7516ea48779dc04ae38d4727daccafad250c6277 (patch) | |
| tree | 039ec595136e6378b1cb727f495e1df6781806c1 | |
| parent | dc964a547f8d38c56d902538f818a40c0bc262b0 (diff) | |
Apply upstream patch to fix CVE-2014-8104
| -rw-r--r-- | debian/changelog | 7 | ||||
| -rw-r--r-- | debian/patches/0001-Drop-too-short-control-channel-packets-instead-of-as.patch | 42 | ||||
| -rw-r--r-- | debian/patches/series | 1 |
3 files changed, 50 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog index a51dc57..7c0068e 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +openvpn (2.3.4-5) unstable; urgency=high + + * Apply upstream patch that fixes possible DoS by authenticated + clients. CVE-2014-8104 + + -- Alberto Gonzalez Iniesta <agi@inittab.org> Mon, 01 Dec 2014 16:10:37 +0100 + openvpn (2.3.4-4) unstable; urgency=medium * Use dh-systemd in order to enable the service unit. diff --git a/debian/patches/0001-Drop-too-short-control-channel-packets-instead-of-as.patch b/debian/patches/0001-Drop-too-short-control-channel-packets-instead-of-as.patch new file mode 100644 index 0000000..0c80ee0 --- /dev/null +++ b/debian/patches/0001-Drop-too-short-control-channel-packets-instead-of-as.patch @@ -0,0 +1,42 @@ +From c5590a6821e37f3b29735f55eb0c2b9c0924138c Mon Sep 17 00:00:00 2001 +From: Steffan Karger <steffan.karger@fox-it.com> +Date: Thu, 20 Nov 2014 13:43:05 +0100 +Subject: [PATCH] Drop too-short control channel packets instead of asserting + out. + +This fixes a denial-of-service vulnerability where an authenticated client +could stop the server by triggering a server-side ASSERT(). + +OpenVPN would previously ASSERT() that control channel packets have a +payload of at least 4 bytes. An authenticated client could trigger this +assert by sending a too-short control channel packet to the server. + +Thanks to Dragana Damjanovic for reporting the issue. + +This bug has been assigned CVE-2014-8104. + +Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> +Acked-by: Gert Doering <gert@greenie.muc.de> +Message-Id: <1CED409804E2164C8104F9E623B08B9018803B0FE7@FOXDFT02.FOX.local> +Signed-off-by: Gert Doering <gert@greenie.muc.de> +--- + src/openvpn/ssl.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +Index: openvpn/src/openvpn/ssl.c +=================================================================== +--- openvpn.orig/src/openvpn/ssl.c 2014-12-01 16:09:43.031080162 +0100 ++++ openvpn/src/openvpn/ssl.c 2014-12-01 16:09:43.027080161 +0100 +@@ -2028,7 +2028,11 @@ + ASSERT (session->opt->key_method == 2); + + /* discard leading uint32 */ +- ASSERT (buf_advance (buf, 4)); ++ if (!buf_advance (buf, 4)) { ++ msg (D_TLS_ERRORS, "TLS ERROR: Plaintext buffer too short (%d bytes).", ++ buf->len); ++ goto error; ++ } + + /* get key method */ + key_method_flags = buf_read_u8 (buf); diff --git a/debian/patches/series b/debian/patches/series index a6f52d3..4017a89 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -8,3 +8,4 @@ accommodate_typo.patch manpage_fixes.patch better_systemd_detection.patch client_connect_tmp_files.patch +0001-Drop-too-short-control-channel-packets-instead-of-as.patch |