path: root/debian/patches/CVE-2017-7478.patch
author Alberto Gonzalez Iniesta <agi@inittab.org> 2017-06-22 13:19:58 +0200
committer Alberto Gonzalez Iniesta <agi@inittab.org> 2017-06-22 13:19:58 +0200
commit 3505b0888ab94c90468bd6f41f82770d46677342 (patch)
tree a937d2b6832d4291b181bd1f89da3c148c254ae0 /debian/patches/CVE-2017-7478.patch
parent 766cdd4b4d1fcb31addf6727dbcfd3d99e390456 (diff)
Refresh patches for 2.4.3
Diffstat (limited to 'debian/patches/CVE-2017-7478.patch')
-rw-r--r-- debian/patches/CVE-2017-7478.patch 55
1 files changed, 0 insertions, 55 deletions
diff --git a/debian/patches/CVE-2017-7478.patch b/debian/patches/CVE-2017-7478.patch
deleted file mode 100644
index e301cf1..0000000
--- a/debian/patches/CVE-2017-7478.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From be66408610a52f81c9c895a8973958ead55a4e57 Mon Sep 17 00:00:00 2001
-From: Steffan Karger <steffan.karger@fox-it.com>
-Date: Tue, 9 May 2017 15:40:25 +0300
-Subject: [PATCH] Don't assert out on receiving too-large control packets
- (CVE-2017-xxx)
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Commit 3c1b19e0 changed the maximum size of accepted control channel
-packets. This was needed for crypto negotiation (which is needed for a
-nice transition to a new default cipher), but exposed a DoS
-vulnerability. The vulnerability was found during the OpenVPN 2.4 code
-audit by Quarkslab (commisioned by OSTIF).
-
-To fix the issue, we should not ASSERT() on external input (in this case
-the received packet size), but instead gracefully error out and drop the
-invalid packet.
-
-Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
-Signed-off-by: Samuli Seppänen <samuli@openvpn.net>
-
-CVE-2017-7478
-
- Security
- --------
- - This release fixes a pre-authentication denial-of-service attack on both
- clients and servers. By sending a too-large control packet, OpenVPN 2.4.0 or
- 2.4.1 can be forced to hit an ASSERT() and stop the process. If
- ``--tls-auth`` or ``--tls-crypt`` is used, only attackers that have the
- ``--tls-auth`` or ``--tls-crypt`` key can mount an attack. (CVE-2017-xxx)
-
----
- Changes.rst | 8 ++++++++
- src/openvpn/ssl.c | 7 ++++++-
- 2 files changed, 14 insertions(+), 1 deletion(-)
-
-Index: openvpn-2.4.0/src/openvpn/ssl.c
-===================================================================
---- openvpn-2.4.0.orig/src/openvpn/ssl.c
-+++ openvpn-2.4.0/src/openvpn/ssl.c
-@@ -3708,7 +3708,12 @@ tls_pre_decrypt(struct tls_multi *multi,
- /* Save incoming ciphertext packet to reliable buffer */
- struct buffer *in = reliable_get_buf(ks->rec_reliable);
- ASSERT(in);
-- ASSERT(buf_copy(in, buf));
-+ if(!buf_copy(in, buf))
-+ {
-+ msg(D_MULTI_DROPPED,
-+ "Incoming control channel packet too big, dropping.");
-+ goto error;
-+ }
- reliable_mark_active_incoming(ks->rec_reliable, in, id, op);
- }
-
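Review bot: The commit message "Refresh patches for 2.4.3" does not say why a security fix is being dropped, and this deletion removes the whole of CVE-2017-7478.patch, including the ssl.c change in tls_pre_decrypt() that replaces `ASSERT(buf_copy(in, buf))` with a logged drop and `goto error`. The patch's own release note names OpenVPN 2.4.0 or 2.4.1 as affected, which suggests the fix is already part of the 2.4.3 source, but that should be stated explicitly in the commit message or debian/changelog (for example "drop CVE-2017-7478.patch, applied upstream") and confirmed by checking that the 2.4.3 ssl.c no longer asserts on buf_copy() at that point. Since the diffstat shown is limited to this one file, also confirm that the matching entry was removed from debian/patches/series in the same commit.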