Import Debian changes 2.4.0-6+deb9u1debian/2.4.0-6+deb9u1

openvpn (2.4.0-6+deb9u1) stretch-security; urgency=high

   * SECURITY UPDATE: (Closes: #865480)
     - CVE-2017-7508.patch. Fix remotely-triggerable ASSERT() on malformed IPv6
       packet.
     - CVE-2017-7520.patch. Prevent two kinds of stack buffer OOB reads and a
       crash for invalid input data.
     - CVE-2017-7521.patch. Fix potential double-free in --x509-alt-username.
     - CVE-2017-7521bis.patch. Fix remote-triggerable memory leaks.

1 files changed, 74 insertions, 0 deletions

diff --git a/debian/patches/CVE-2017-7521bis.patch b/debian/patches/CVE-2017-7521bis.patch
new file mode 100644
index 0000000..8f242f8
--- /dev/null
+++ b/debian/patches/CVE-2017-7521bis.patch
@@ -0,0 +1,74 @@
+commit 2341f716198fa90193e040b3fdb16959a47c6c27
+Author: Steffan Karger <steffan.karger@fox-it.com>
+Date:   Mon Jun 19 11:28:38 2017 +0200
+
+    Fix remote-triggerable memory leaks (CVE-2017-7521)
+    
+    Several of our OpenSSL-specific certificate-parsing code paths did not
+    always clear all allocated memory.  Since a client can cause a few bytes
+    of memory to be leaked for each connection attempt, a client can cause a
+    server to run out of memory and thereby kill the server.  That makes this
+    a (quite inefficient) DoS attack.
+    
+    When using the --x509-alt-username option on openssl builds with an
+    extension (argument prefixed with "ext:", e.g. "ext:subjectAltName"), the
+    code would not free all allocated memory.  Fix this by using the proper
+    free function.
+    
+    If ASN1_STRING_to_UTF8() returns 0, it didn't fail and *did* allocate
+    memory.  So also free the returned buffer if it returns 0.
+    
+    These issues were found, analysed and reported to the OpenVPN team by Guido
+    Vranken.
+    
+    CVE: 2017-7521
+    Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
+    Acked-by: Gert Doering <gert@greenie.muc.de>
+    Acked-by: David Sommerseth <davids@openvpn.net>
+    Acked-by: Guido Vranken <guidovranken@gmail.com>
+    Message-Id: <1497864520-12219-4-git-send-email-steffan.karger@fox-it.com>
+    URL: https://www.mail-archive.com/search?l=mid&q=1497864520-12219-4-git-send-email-steffan.karger@fox-it.com
+    Signed-off-by: Gert Doering <gert@greenie.muc.de>
+    (cherry picked from commit 2d032c7fcdfd692c851ea2fa858b4c2d9ea7d52d)
+
+Index: openvpn-2.4.0/src/openvpn/ssl_verify_openssl.c
+===================================================================
+--- openvpn-2.4.0.orig/src/openvpn/ssl_verify_openssl.c
++++ openvpn-2.4.0/src/openvpn/ssl_verify_openssl.c
+@@ -165,7 +165,7 @@ extract_x509_extension(X509 *cert, char
+                     break;
+             }
+         }
+-        sk_GENERAL_NAME_free(extensions);
++        GENERAL_NAMES_free(extensions);
+     }
+     return retval;
+ }
+@@ -218,8 +218,7 @@ extract_x509_field_ssl(X509_NAME *x509,
+     {
+         return FAILURE;
+     }
+-    tmp = ASN1_STRING_to_UTF8(&buf, asn1);
+-    if (tmp <= 0)
++    if (ASN1_STRING_to_UTF8(&buf, asn1) < 0)
+     {
+         return FAILURE;
+     }
+@@ -460,7 +459,7 @@ x509_setenv_track(const struct x509_trac
+                             ASN1_STRING *val = X509_NAME_ENTRY_get_data(ent);
+                             unsigned char *buf;
+                             buf = (unsigned char *)1; /* bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8 requires this workaround */
+-                            if (ASN1_STRING_to_UTF8(&buf, val) > 0)
++                            if (ASN1_STRING_to_UTF8(&buf, val) >= 0)
+                             {
+                                 do_setenv_x509(es, xt->name, (char *)buf, depth);
+                                 OPENSSL_free(buf);
+@@ -548,7 +547,7 @@ x509_setenv(struct env_set *es, int cert
+             continue;
+         }
+         buf = (unsigned char *)1; /* bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8 requires this workaround */
+-        if (ASN1_STRING_to_UTF8(&buf, val) <= 0)
++        if (ASN1_STRING_to_UTF8(&buf, val) < 0)
+         {
+             continue;
+         }