diff options
Diffstat (limited to 'debian/patches/CVE-2017-7478.patch')
| -rw-r--r-- | debian/patches/CVE-2017-7478.patch | 55 |
1 files changed, 0 insertions, 55 deletions
diff --git a/debian/patches/CVE-2017-7478.patch b/debian/patches/CVE-2017-7478.patch deleted file mode 100644 index e301cf1..0000000 --- a/debian/patches/CVE-2017-7478.patch +++ /dev/null @@ -1,55 +0,0 @@ -From be66408610a52f81c9c895a8973958ead55a4e57 Mon Sep 17 00:00:00 2001 -From: Steffan Karger <steffan.karger@fox-it.com> -Date: Tue, 9 May 2017 15:40:25 +0300 -Subject: [PATCH] Don't assert out on receiving too-large control packets - (CVE-2017-xxx) -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Commit 3c1b19e0 changed the maximum size of accepted control channel -packets. This was needed for crypto negotiation (which is needed for a -nice transition to a new default cipher), but exposed a DoS -vulnerability. The vulnerability was found during the OpenVPN 2.4 code -audit by Quarkslab (commisioned by OSTIF). - -To fix the issue, we should not ASSERT() on external input (in this case -the received packet size), but instead gracefully error out and drop the -invalid packet. - -Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> -Signed-off-by: Samuli Seppänen <samuli@openvpn.net> - -CVE-2017-7478 - - Security - -------- - - This release fixes a pre-authentication denial-of-service attack on both - clients and servers. By sending a too-large control packet, OpenVPN 2.4.0 or - 2.4.1 can be forced to hit an ASSERT() and stop the process. If - ``--tls-auth`` or ``--tls-crypt`` is used, only attackers that have the - ``--tls-auth`` or ``--tls-crypt`` key can mount an attack. (CVE-2017-xxx) - ---- - Changes.rst | 8 ++++++++ - src/openvpn/ssl.c | 7 ++++++- - 2 files changed, 14 insertions(+), 1 deletion(-) - -Index: openvpn-2.4.0/src/openvpn/ssl.c -=================================================================== ---- openvpn-2.4.0.orig/src/openvpn/ssl.c -+++ openvpn-2.4.0/src/openvpn/ssl.c -@@ -3708,7 +3708,12 @@ tls_pre_decrypt(struct tls_multi *multi, - /* Save incoming ciphertext packet to reliable buffer */ - struct buffer *in = reliable_get_buf(ks->rec_reliable); - ASSERT(in); -- ASSERT(buf_copy(in, buf)); -+ if(!buf_copy(in, buf)) -+ { -+ msg(D_MULTI_DROPPED, -+ "Incoming control channel packet too big, dropping."); -+ goto error; -+ } - reliable_mark_active_incoming(ks->rec_reliable, in, id, op); - } - |