Import Debian changes 2.4.0-6+deb9u1debian/2.4.0-6+deb9u1

openvpn (2.4.0-6+deb9u1) stretch-security; urgency=high

   * SECURITY UPDATE: (Closes: #865480)
     - CVE-2017-7508.patch. Fix remotely-triggerable ASSERT() on malformed IPv6
       packet.
     - CVE-2017-7520.patch. Prevent two kinds of stack buffer OOB reads and a
       crash for invalid input data.
     - CVE-2017-7521.patch. Fix potential double-free in --x509-alt-username.
     - CVE-2017-7521bis.patch. Fix remote-triggerable memory leaks.

1 files changed, 55 insertions, 0 deletions

diff --git a/debian/patches/CVE-2017-7520.patch b/debian/patches/CVE-2017-7520.patch
new file mode 100644
index 0000000..2152517
--- /dev/null
+++ b/debian/patches/CVE-2017-7520.patch
@@ -0,0 +1,55 @@
+commit 043fe327878eba75efa13794c9845f85c3c629f2
+Author: Guido Vranken <guidovranken@gmail.com>
+Date:   Fri May 19 14:04:25 2017 +0200
+
+    Prevent two kinds of stack buffer OOB reads and a crash for invalid input data
+    
+    Pre-authentication remote crash/information disclosure for clients
+    
+    If clients use a HTTP proxy with NTLM authentication (i.e.
+    "--http-proxy <server> <port> [<authfile>|'auto'|'auto-nct'] ntlm2"),
+    a man-in-the-middle attacker between the client and the proxy can
+    cause the client to crash or disclose at most 96 bytes of stack
+    memory. The disclosed stack memory is likely to contain the proxy
+    password.
+    
+    If the proxy password is not reused, this is unlikely to compromise
+    the security of the OpenVPN tunnel itself.  Clients who do not use
+    the --http-proxy option with ntlm2 authentication are not affected.
+    
+    CVE: 2017-7520
+    Signed-off-by: Guido Vranken <guidovranken@gmail.com>
+    Acked-by: Gert Doering <gert@greenie.muc.de>
+    Message-Id: <CAO5O-EJvHKid-zTj+hmFG_3Gv78ixqCayE9=C62DZaxN32WNtQ@mail.gmail.com>
+    URL: https://www.mail-archive.com/search?l=mid&q=CAO5O-EJvHKid-zTj+hmFG_3Gv78ixqCayE9=C62DZaxN32WNtQ@mail.gmail.com
+    Signed-off-by: Gert Doering <gert@greenie.muc.de>
+    (cherry picked from commit 7718c8984f04b507c1885f363970e2124e3c6c77)
+
+Index: openvpn-2.4.0/src/openvpn/ntlm.c
+===================================================================
+--- openvpn-2.4.0.orig/src/openvpn/ntlm.c
++++ openvpn-2.4.0/src/openvpn/ntlm.c
+@@ -193,7 +193,7 @@ ntlm_phase_3(const struct http_proxy_inf
+      */
+ 
+     char pwbuf[sizeof(p->up.password) * 2]; /* for unicode password */
+-    char buf2[128]; /* decoded reply from proxy */
++    unsigned char buf2[128]; /* decoded reply from proxy */
+     unsigned char phase3[464];
+ 
+     char md4_hash[MD4_DIGEST_LENGTH+5];
+@@ -299,7 +299,13 @@ ntlm_phase_3(const struct http_proxy_inf
+                 tib_len = 96;
+             }
+             {
+-                char *tib_ptr = buf2 + buf2[0x2c];           /* Get Target Information block pointer */
++                char *tib_ptr;
++                int tib_pos = buf2[0x2c];
++                if (tib_pos + tib_len > sizeof(buf2))
++                {
++                    return NULL;
++                }
++                tib_ptr = buf2 + tib_pos;                               /* Get Target Information block pointer */
+                 memcpy(&ntlmv2_blob[0x1c], tib_ptr, tib_len);           /* Copy Target Information block into the blob */
+             }
+         }