summaryrefslogtreecommitdiff
path: root/debian/patches/CVE-2017-7520.patch
diff options
context:
space:
mode:
authorJörg Frings-Fürst <debian@jff-webhosting.net>2017-10-02 07:00:36 +0200
committerJörg Frings-Fürst <debian@jff-webhosting.net>2017-10-02 07:00:36 +0200
commit3804bc2606a92e2f2f4b3a2b043af0d77d92b386 (patch)
treead5df7aa0b975693a09335d296ee56457ef6076e /debian/patches/CVE-2017-7520.patch
parent749384a154025e268b53cf3cc79eaeddde2b3ceb (diff)
parent678cfd249add7ca758e4c41933c7b730132c99f4 (diff)
Merge branch 'stretch' of ssh://git.debian.org/git/collab-maint/openvpn into stretchstretch
Diffstat (limited to 'debian/patches/CVE-2017-7520.patch')
-rw-r--r--debian/patches/CVE-2017-7520.patch55
1 files changed, 55 insertions, 0 deletions
diff --git a/debian/patches/CVE-2017-7520.patch b/debian/patches/CVE-2017-7520.patch
new file mode 100644
index 0000000..2152517
--- /dev/null
+++ b/debian/patches/CVE-2017-7520.patch
@@ -0,0 +1,55 @@
+commit 043fe327878eba75efa13794c9845f85c3c629f2
+Author: Guido Vranken <guidovranken@gmail.com>
+Date: Fri May 19 14:04:25 2017 +0200
+
+ Prevent two kinds of stack buffer OOB reads and a crash for invalid input data
+
+ Pre-authentication remote crash/information disclosure for clients
+
+ If clients use a HTTP proxy with NTLM authentication (i.e.
+ "--http-proxy <server> <port> [<authfile>|'auto'|'auto-nct'] ntlm2"),
+ a man-in-the-middle attacker between the client and the proxy can
+ cause the client to crash or disclose at most 96 bytes of stack
+ memory. The disclosed stack memory is likely to contain the proxy
+ password.
+
+ If the proxy password is not reused, this is unlikely to compromise
+ the security of the OpenVPN tunnel itself. Clients who do not use
+ the --http-proxy option with ntlm2 authentication are not affected.
+
+ CVE: 2017-7520
+ Signed-off-by: Guido Vranken <guidovranken@gmail.com>
+ Acked-by: Gert Doering <gert@greenie.muc.de>
+ Message-Id: <CAO5O-EJvHKid-zTj+hmFG_3Gv78ixqCayE9=C62DZaxN32WNtQ@mail.gmail.com>
+ URL: https://www.mail-archive.com/search?l=mid&q=CAO5O-EJvHKid-zTj+hmFG_3Gv78ixqCayE9=C62DZaxN32WNtQ@mail.gmail.com
+ Signed-off-by: Gert Doering <gert@greenie.muc.de>
+ (cherry picked from commit 7718c8984f04b507c1885f363970e2124e3c6c77)
+
+Index: openvpn-2.4.0/src/openvpn/ntlm.c
+===================================================================
+--- openvpn-2.4.0.orig/src/openvpn/ntlm.c
++++ openvpn-2.4.0/src/openvpn/ntlm.c
+@@ -193,7 +193,7 @@ ntlm_phase_3(const struct http_proxy_inf
+ */
+
+ char pwbuf[sizeof(p->up.password) * 2]; /* for unicode password */
+- char buf2[128]; /* decoded reply from proxy */
++ unsigned char buf2[128]; /* decoded reply from proxy */
+ unsigned char phase3[464];
+
+ char md4_hash[MD4_DIGEST_LENGTH+5];
+@@ -299,7 +299,13 @@ ntlm_phase_3(const struct http_proxy_inf
+ tib_len = 96;
+ }
+ {
+- char *tib_ptr = buf2 + buf2[0x2c]; /* Get Target Information block pointer */
++ char *tib_ptr;
++ int tib_pos = buf2[0x2c];
++ if (tib_pos + tib_len > sizeof(buf2))
++ {
++ return NULL;
++ }
++ tib_ptr = buf2 + tib_pos; /* Get Target Information block pointer */
+ memcpy(&ntlmv2_blob[0x1c], tib_ptr, tib_len); /* Copy Target Information block into the blob */
+ }
+ }