diff options
author | Alberto Gonzalez Iniesta <agi@inittab.org> | 2017-06-22 17:25:13 +0200 |
---|---|---|
committer | Bernhard Schmidt <berni@debian.org> | 2017-06-29 22:05:44 +0200 |
commit | 3e3e9b32519a38f9316986b877163d37557b4f70 (patch) | |
tree | 9ee9a4a6f2813fe4ce4623bab80d6a6c30660854 /debian/patches/CVE-2017-7520.patch | |
parent | afc11370be9fd149ab361ca183c9715777b50df0 (diff) |
Import Debian changes 2.3.4-5+deb8u2debian/2.3.4-5+deb8u2
openvpn (2.3.4-5+deb8u2) jessie-security; urgency=high
* SECURITY UPDATE: authenticated remote DoS vulnerability due to
packet ID rollover. CVE-2017-7479.
Kudos to Steve Beattie <sbeattie@ubuntu.com> for doing all the backporting
work for this patch.
- debian/patches/CVE-2017-7479-prereq.patch: merge
packet_id_alloc_outgoing() into packet_id_write()
- debian/patches/CVE-2017-7479.patch: do not assert when packet ID
rollover occurs
* SECURITY UPDATE: (Closes: #865480)
- CVE-2017-7508.patch. Fix remotely-triggerable ASSERT() on malformed IPv6
packet.
- CVE-2017-7520.patch. Prevent two kinds of stack buffer OOB reads and a
crash for invalid input data.
- CVE-2017-7521.patch. Fix potential double-free in --x509-alt-username.
- CVE-2017-7521bis.patch. Fix remote-triggerable memory leaks.
Diffstat (limited to 'debian/patches/CVE-2017-7520.patch')
-rw-r--r-- | debian/patches/CVE-2017-7520.patch | 55 |
1 files changed, 55 insertions, 0 deletions
diff --git a/debian/patches/CVE-2017-7520.patch b/debian/patches/CVE-2017-7520.patch new file mode 100644 index 0000000..e74cec0 --- /dev/null +++ b/debian/patches/CVE-2017-7520.patch @@ -0,0 +1,55 @@ +commit f38a4a105979b87ebebe9be1c3d323116d3fb924 +Author: Guido Vranken <guidovranken@gmail.com> +Date: Fri May 19 14:04:25 2017 +0200 + + Prevent two kinds of stack buffer OOB reads and a crash for invalid input data + + Pre-authentication remote crash/information disclosure for clients + + If clients use a HTTP proxy with NTLM authentication (i.e. + "--http-proxy <server> <port> [<authfile>|'auto'|'auto-nct'] ntlm2"), + a man-in-the-middle attacker between the client and the proxy can + cause the client to crash or disclose at most 96 bytes of stack + memory. The disclosed stack memory is likely to contain the proxy + password. + + If the proxy password is not reused, this is unlikely to compromise + the security of the OpenVPN tunnel itself. Clients who do not use + the --http-proxy option with ntlm2 authentication are not affected. + + CVE: 2017-7520 + Signed-off-by: Guido Vranken <guidovranken@gmail.com> + Acked-by: Gert Doering <gert@greenie.muc.de> + Message-Id: <CAO5O-EJvHKid-zTj+hmFG_3Gv78ixqCayE9=C62DZaxN32WNtQ@mail.gmail.com> + URL: https://www.mail-archive.com/search?l=mid&q=CAO5O-EJvHKid-zTj+hmFG_3Gv78ixqCayE9=C62DZaxN32WNtQ@mail.gmail.com + Signed-off-by: Gert Doering <gert@greenie.muc.de> + (cherry picked from commit 7718c8984f04b507c1885f363970e2124e3c6c77) + +Index: openvpn-2.3.4/src/openvpn/ntlm.c +=================================================================== +--- openvpn-2.3.4.orig/src/openvpn/ntlm.c ++++ openvpn-2.3.4/src/openvpn/ntlm.c +@@ -193,7 +193,7 @@ ntlm_phase_3 (const struct http_proxy_in + */ + + char pwbuf[sizeof (p->up.password) * 2]; /* for unicode password */ +- char buf2[128]; /* decoded reply from proxy */ ++ unsigned char buf2[128]; /* decoded reply from proxy */ + unsigned char phase3[464]; + + char md4_hash[MD4_DIGEST_LENGTH+5]; +@@ -282,7 +282,13 @@ ntlm_phase_3 (const struct http_proxy_in + tib_len = buf2[0x28];/* Get Target Information block size */ + if (tib_len > 96) tib_len = 96; + { +- char *tib_ptr = buf2 + buf2[0x2c]; /* Get Target Information block pointer */ ++ char *tib_ptr; ++ int tib_pos = buf2[0x2c]; ++ if (tib_pos + tib_len > sizeof(buf2)) ++ { ++ return NULL; ++ } ++ tib_ptr = buf2 + tib_pos; /* Get Target Information block pointer */ + memcpy(&ntlmv2_blob[0x1c], tib_ptr, tib_len); /* Copy Target Information block into the blob */ + } + } else { |