authorAlberto Gonzalez Iniesta <agi@inittab.org>2014-12-01 16:12:18 +0100
committerAlberto Gonzalez Iniesta <agi@inittab.org>2014-12-01 16:12:18 +0100
commit7516ea48779dc04ae38d4727daccafad250c6277 (patch)
tree039ec595136e6378b1cb727f495e1df6781806c1
parentdc964a547f8d38c56d902538f818a40c0bc262b0 (diff)
Apply upstream patch to fix CVE-2014-8104
-rw-r--r--debian/changelog7
-rw-r--r--debian/patches/0001-Drop-too-short-control-channel-packets-instead-of-as.patch42
-rw-r--r--debian/patches/series1
3 files changed, 50 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index a51dc57..7c0068e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+openvpn (2.3.4-5) unstable; urgency=high
+
+ * Apply upstream patch that fixes possible DoS by authenticated
+ clients. CVE-2014-8104
+
+ -- Alberto Gonzalez Iniesta <agi@inittab.org> Mon, 01 Dec 2014 16:10:37 +0100
+
openvpn (2.3.4-4) unstable; urgency=medium
* Use dh-systemd in order to enable the service unit.
diff --git a/debian/patches/0001-Drop-too-short-control-channel-packets-instead-of-as.patch b/debian/patches/0001-Drop-too-short-control-channel-packets-instead-of-as.patch
new file mode 100644
index 0000000..0c80ee0
--- /dev/null
+++ b/debian/patches/0001-Drop-too-short-control-channel-packets-instead-of-as.patch
@@ -0,0 +1,42 @@
+From c5590a6821e37f3b29735f55eb0c2b9c0924138c Mon Sep 17 00:00:00 2001
+From: Steffan Karger <steffan.karger@fox-it.com>
+Date: Thu, 20 Nov 2014 13:43:05 +0100
+Subject: [PATCH] Drop too-short control channel packets instead of asserting
+ out.
+
+This fixes a denial-of-service vulnerability where an authenticated client
+could stop the server by triggering a server-side ASSERT().
+
+OpenVPN would previously ASSERT() that control channel packets have a
+payload of at least 4 bytes. An authenticated client could trigger this
+assert by sending a too-short control channel packet to the server.
+
+Thanks to Dragana Damjanovic for reporting the issue.
+
+This bug has been assigned CVE-2014-8104.
+
+Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
+Acked-by: Gert Doering <gert@greenie.muc.de>
+Message-Id: <1CED409804E2164C8104F9E623B08B9018803B0FE7@FOXDFT02.FOX.local>
+Signed-off-by: Gert Doering <gert@greenie.muc.de>
+---
+ src/openvpn/ssl.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+Index: openvpn/src/openvpn/ssl.c
+===================================================================
+--- openvpn.orig/src/openvpn/ssl.c 2014-12-01 16:09:43.031080162 +0100
++++ openvpn/src/openvpn/ssl.c 2014-12-01 16:09:43.027080161 +0100
+@@ -2028,7 +2028,11 @@
+ ASSERT (session->opt->key_method == 2);
+
+ /* discard leading uint32 */
+- ASSERT (buf_advance (buf, 4));
++ if (!buf_advance (buf, 4)) {
++ msg (D_TLS_ERRORS, "TLS ERROR: Plaintext buffer too short (%d bytes).",
++ buf->len);
++ goto error;
++ }
+
+ /* get key method */
+ key_method_flags = buf_read_u8 (buf);
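Review bot: The read that follows the new length check, `key_method_flags = buf_read_u8 (buf);`, can still fail when the plaintext is exactly 4 bytes long, and the hunk does not show how a failed read is handled. The enclosing function starts and ends outside the hunk, so this needs confirming there: every later read on `buf` should end in `goto error` on failure, never in an `ASSERT()`, because the peer controls the length. A short comment above the new check would keep that rule visible to later editors, for example `/* peer-controlled length: drop the packet, never ASSERT */`. The retained `ASSERT (session->opt->key_method == 2);` appears to test local configuration rather than packet data, but that is inferred from the name alone.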
diff --git a/debian/patches/series b/debian/patches/series
index a6f52d3..4017a89 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -8,3 +8,4 @@ accommodate_typo.patch
manpage_fixes.patch
better_systemd_detection.patch
client_connect_tmp_files.patch
+0001-Drop-too-short-control-channel-packets-instead-of-as.patch