summaryrefslogtreecommitdiff
path: root/debian/patches/CVE-2017-7520.patch
diff options
context:
space:
mode:
authorAlberto Gonzalez Iniesta <agi@inittab.org>2017-06-22 18:00:56 +0200
committerBernhard Schmidt <berni@debian.org>2017-06-29 21:26:15 +0200
commit3637e1aa7ac62f0bba5e9a196e42f22cb93a498b (patch)
treef5d7f0d119dc6cf7bc09152b7d66ea7592b432ea /debian/patches/CVE-2017-7520.patch
parentd73f7253d939e293abf9e27b4b7f37df1ec12a39 (diff)
Import Debian changes 2.4.0-6+deb9u1debian/2.4.0-6+deb9u1
openvpn (2.4.0-6+deb9u1) stretch-security; urgency=high * SECURITY UPDATE: (Closes: #865480) - CVE-2017-7508.patch. Fix remotely-triggerable ASSERT() on malformed IPv6 packet. - CVE-2017-7520.patch. Prevent two kinds of stack buffer OOB reads and a crash for invalid input data. - CVE-2017-7521.patch. Fix potential double-free in --x509-alt-username. - CVE-2017-7521bis.patch. Fix remote-triggerable memory leaks.
Diffstat (limited to 'debian/patches/CVE-2017-7520.patch')
-rw-r--r--debian/patches/CVE-2017-7520.patch55
1 files changed, 55 insertions, 0 deletions
diff --git a/debian/patches/CVE-2017-7520.patch b/debian/patches/CVE-2017-7520.patch
new file mode 100644
index 0000000..2152517
--- /dev/null
+++ b/debian/patches/CVE-2017-7520.patch
@@ -0,0 +1,55 @@
+commit 043fe327878eba75efa13794c9845f85c3c629f2
+Author: Guido Vranken <guidovranken@gmail.com>
+Date: Fri May 19 14:04:25 2017 +0200
+
+ Prevent two kinds of stack buffer OOB reads and a crash for invalid input data
+
+ Pre-authentication remote crash/information disclosure for clients
+
+ If clients use a HTTP proxy with NTLM authentication (i.e.
+ "--http-proxy <server> <port> [<authfile>|'auto'|'auto-nct'] ntlm2"),
+ a man-in-the-middle attacker between the client and the proxy can
+ cause the client to crash or disclose at most 96 bytes of stack
+ memory. The disclosed stack memory is likely to contain the proxy
+ password.
+
+ If the proxy password is not reused, this is unlikely to compromise
+ the security of the OpenVPN tunnel itself. Clients who do not use
+ the --http-proxy option with ntlm2 authentication are not affected.
+
+ CVE: 2017-7520
+ Signed-off-by: Guido Vranken <guidovranken@gmail.com>
+ Acked-by: Gert Doering <gert@greenie.muc.de>
+ Message-Id: <CAO5O-EJvHKid-zTj+hmFG_3Gv78ixqCayE9=C62DZaxN32WNtQ@mail.gmail.com>
+ URL: https://www.mail-archive.com/search?l=mid&q=CAO5O-EJvHKid-zTj+hmFG_3Gv78ixqCayE9=C62DZaxN32WNtQ@mail.gmail.com
+ Signed-off-by: Gert Doering <gert@greenie.muc.de>
+ (cherry picked from commit 7718c8984f04b507c1885f363970e2124e3c6c77)
+
+Index: openvpn-2.4.0/src/openvpn/ntlm.c
+===================================================================
+--- openvpn-2.4.0.orig/src/openvpn/ntlm.c
++++ openvpn-2.4.0/src/openvpn/ntlm.c
+@@ -193,7 +193,7 @@ ntlm_phase_3(const struct http_proxy_inf
+ */
+
+ char pwbuf[sizeof(p->up.password) * 2]; /* for unicode password */
+- char buf2[128]; /* decoded reply from proxy */
++ unsigned char buf2[128]; /* decoded reply from proxy */
+ unsigned char phase3[464];
+
+ char md4_hash[MD4_DIGEST_LENGTH+5];
+@@ -299,7 +299,13 @@ ntlm_phase_3(const struct http_proxy_inf
+ tib_len = 96;
+ }
+ {
+- char *tib_ptr = buf2 + buf2[0x2c]; /* Get Target Information block pointer */
++ char *tib_ptr;
++ int tib_pos = buf2[0x2c];
++ if (tib_pos + tib_len > sizeof(buf2))
++ {
++ return NULL;
++ }
++ tib_ptr = buf2 + tib_pos; /* Get Target Information block pointer */
+ memcpy(&ntlmv2_blob[0x1c], tib_ptr, tib_len); /* Copy Target Information block into the blob */
+ }
+ }