From 3637e1aa7ac62f0bba5e9a196e42f22cb93a498b Mon Sep 17 00:00:00 2001 From: Alberto Gonzalez Iniesta Date: Thu, 22 Jun 2017 18:00:56 +0200 Subject: Import Debian changes 2.4.0-6+deb9u1 openvpn (2.4.0-6+deb9u1) stretch-security; urgency=high * SECURITY UPDATE: (Closes: #865480) - CVE-2017-7508.patch. Fix remotely-triggerable ASSERT() on malformed IPv6 packet. - CVE-2017-7520.patch. Prevent two kinds of stack buffer OOB reads and a crash for invalid input data. - CVE-2017-7521.patch. Fix potential double-free in --x509-alt-username. - CVE-2017-7521bis.patch. Fix remote-triggerable memory leaks. --- debian/changelog | 12 ++++++ debian/patches/CVE-2017-7508.patch | 57 +++++++++++++++++++++++++++ debian/patches/CVE-2017-7520.patch | 55 ++++++++++++++++++++++++++ debian/patches/CVE-2017-7521.patch | 48 +++++++++++++++++++++++ debian/patches/CVE-2017-7521bis.patch | 74 +++++++++++++++++++++++++++++++++++ debian/patches/series | 4 ++ 6 files changed, 250 insertions(+) create mode 100644 debian/patches/CVE-2017-7508.patch create mode 100644 debian/patches/CVE-2017-7520.patch create mode 100644 debian/patches/CVE-2017-7521.patch create mode 100644 debian/patches/CVE-2017-7521bis.patch diff --git a/debian/changelog b/debian/changelog index 3de80ab..0f96932 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,15 @@ +openvpn (2.4.0-6+deb9u1) stretch-security; urgency=high + + * SECURITY UPDATE: (Closes: #865480) + - CVE-2017-7508.patch. Fix remotely-triggerable ASSERT() on malformed IPv6 + packet. + - CVE-2017-7520.patch. Prevent two kinds of stack buffer OOB reads and a + crash for invalid input data. + - CVE-2017-7521.patch. Fix potential double-free in --x509-alt-username. + - CVE-2017-7521bis.patch. Fix remote-triggerable memory leaks. + + -- Alberto Gonzalez Iniesta Thu, 22 Jun 2017 18:00:56 +0200 + openvpn (2.4.0-6) unstable; urgency=medium * Apply upstream patch to fix shrinking MTU sizes on reconnects causing not diff --git a/debian/patches/CVE-2017-7508.patch b/debian/patches/CVE-2017-7508.patch new file mode 100644 index 0000000..6ba80ac --- /dev/null +++ b/debian/patches/CVE-2017-7508.patch @@ -0,0 +1,57 @@ +commit ed28cde3d8bf3f1459b2f42f0e27d64801009f92 +Author: Gert Doering +Date: Tue Jun 13 22:08:32 2017 +0200 + + Fix remotely-triggerable ASSERT() on malformed IPv6 packet. + + Correct sanity checks on IPv6 packet length in mss_fixup_ipv6(), + and change the ASSERT() check in mss_fixup_dowork() into a simple + "return" (= the TCP header will simply not be inspected further). + + CVE-2017-7508 has been assigned due to the serious nature of the + bug: it can be used to remotely shutdown an openvpn server or + client, if IPv6 and --mssfix are enabled and the IPv6 networks used + inside the VPN are known. + + Found by Guido Vranken . + + v2: style changes + + CVE: 2017-7508 + Signed-off-by: Gert Doering + Acked-by: Steffan Karger + Message-Id: <20170613200832.15027-1-gert@greenie.muc.de> + URL: https://www.mail-archive.com/search?l=mid&q=20170613200832.15027-1-gert@greenie.muc.de + Signed-off-by: Gert Doering + (cherry picked from commit c3f47077a7756de5929094569421a95aa66f2022) + +Index: openvpn-2.4.0/src/openvpn/mss.c +=================================================================== +--- openvpn-2.4.0.orig/src/openvpn/mss.c ++++ openvpn-2.4.0/src/openvpn/mss.c +@@ -120,8 +120,12 @@ mss_fixup_ipv6(struct buffer *buf, int m + return; + } + ++ /* skip IPv6 header (40 bytes), ++ * verify remainder is large enough to contain a full TCP header ++ */ + newbuf = *buf; +- if (buf_advance( &newbuf, 40 ) ) ++ if (buf_advance( &newbuf, 40 ) ++ && BLEN(&newbuf) >= (int) sizeof(struct openvpn_tcphdr)) + { + struct openvpn_tcphdr *tc = (struct openvpn_tcphdr *) BPTR(&newbuf); + if (tc->flags & OPENVPN_TCPH_SYN_MASK) +@@ -145,7 +149,10 @@ mss_fixup_dowork(struct buffer *buf, uin + int accumulate; + struct openvpn_tcphdr *tc; + +- ASSERT(BLEN(buf) >= (int) sizeof(struct openvpn_tcphdr)); ++ if (BLEN(buf) < (int) sizeof(struct openvpn_tcphdr)) ++ { ++ return; ++ } + + verify_align_4(buf); + tc = (struct openvpn_tcphdr *) BPTR(buf); diff --git a/debian/patches/CVE-2017-7520.patch b/debian/patches/CVE-2017-7520.patch new file mode 100644 index 0000000..2152517 --- /dev/null +++ b/debian/patches/CVE-2017-7520.patch @@ -0,0 +1,55 @@ +commit 043fe327878eba75efa13794c9845f85c3c629f2 +Author: Guido Vranken +Date: Fri May 19 14:04:25 2017 +0200 + + Prevent two kinds of stack buffer OOB reads and a crash for invalid input data + + Pre-authentication remote crash/information disclosure for clients + + If clients use a HTTP proxy with NTLM authentication (i.e. + "--http-proxy [|'auto'|'auto-nct'] ntlm2"), + a man-in-the-middle attacker between the client and the proxy can + cause the client to crash or disclose at most 96 bytes of stack + memory. The disclosed stack memory is likely to contain the proxy + password. + + If the proxy password is not reused, this is unlikely to compromise + the security of the OpenVPN tunnel itself. Clients who do not use + the --http-proxy option with ntlm2 authentication are not affected. + + CVE: 2017-7520 + Signed-off-by: Guido Vranken + Acked-by: Gert Doering + Message-Id: + URL: https://www.mail-archive.com/search?l=mid&q=CAO5O-EJvHKid-zTj+hmFG_3Gv78ixqCayE9=C62DZaxN32WNtQ@mail.gmail.com + Signed-off-by: Gert Doering + (cherry picked from commit 7718c8984f04b507c1885f363970e2124e3c6c77) + +Index: openvpn-2.4.0/src/openvpn/ntlm.c +=================================================================== +--- openvpn-2.4.0.orig/src/openvpn/ntlm.c ++++ openvpn-2.4.0/src/openvpn/ntlm.c +@@ -193,7 +193,7 @@ ntlm_phase_3(const struct http_proxy_inf + */ + + char pwbuf[sizeof(p->up.password) * 2]; /* for unicode password */ +- char buf2[128]; /* decoded reply from proxy */ ++ unsigned char buf2[128]; /* decoded reply from proxy */ + unsigned char phase3[464]; + + char md4_hash[MD4_DIGEST_LENGTH+5]; +@@ -299,7 +299,13 @@ ntlm_phase_3(const struct http_proxy_inf + tib_len = 96; + } + { +- char *tib_ptr = buf2 + buf2[0x2c]; /* Get Target Information block pointer */ ++ char *tib_ptr; ++ int tib_pos = buf2[0x2c]; ++ if (tib_pos + tib_len > sizeof(buf2)) ++ { ++ return NULL; ++ } ++ tib_ptr = buf2 + tib_pos; /* Get Target Information block pointer */ + memcpy(&ntlmv2_blob[0x1c], tib_ptr, tib_len); /* Copy Target Information block into the blob */ + } + } diff --git a/debian/patches/CVE-2017-7521.patch b/debian/patches/CVE-2017-7521.patch new file mode 100644 index 0000000..574ab4b --- /dev/null +++ b/debian/patches/CVE-2017-7521.patch @@ -0,0 +1,48 @@ +commit 040084067119dd5a9e15eb3bcfc0079debaa3777 +Author: Steffan Karger +Date: Mon Jun 19 11:28:40 2017 +0200 + + Fix potential double-free in --x509-alt-username (CVE-2017-7521) + + We didn't check the return value of ASN1_STRING_to_UTF8() in + extract_x509_extension(). Ignoring such a failure could result in buf + being free'd twice. An error in ASN1_STRING_to_UTF8() can be caused + remotely if the peer can make the local process run out of memory. + + The problem can only be triggered for configurations that use the + --x509-alt-username option with an x509 extension (i.e. the option + parameter starts with "ext:"). + + This issue was discovered, analysed and reported to the OpenVPN team by + Guido Vranken. + + Extensive testing by Guido Vranken gives confidence that this function + is very unlikely to fail in real-world usage (using subjectAltName or + issuerAltName extensions) for other reasons than memory exhaustion. + + CVE: 2017-7521 + Signed-off-by: Steffan Karger + Acked-by: Gert Doering + Acked-by: David Sommerseth + Acked-by: Guido Vranken + Message-Id: <1497864520-12219-6-git-send-email-steffan.karger@fox-it.com> + URL: https://www.mail-archive.com/search?l=mid&q=1497864520-12219-6-git-send-email-steffan.karger@fox-it.com + Signed-off-by: Gert Doering + (cherry picked from commit cb4e35ece4a5b70b10ef9013be3bff263d82f32b) + +Index: openvpn-2.4.0/src/openvpn/ssl_verify_openssl.c +=================================================================== +--- openvpn-2.4.0.orig/src/openvpn/ssl_verify_openssl.c ++++ openvpn-2.4.0/src/openvpn/ssl_verify_openssl.c +@@ -142,7 +142,10 @@ extract_x509_extension(X509 *cert, char + switch (name->type) + { + case GEN_EMAIL: +- ASN1_STRING_to_UTF8((unsigned char **)&buf, name->d.ia5); ++ if (ASN1_STRING_to_UTF8((unsigned char **)&buf, name->d.ia5) < 0) ++ { ++ continue; ++ } + if (strlen(buf) != name->d.ia5->length) + { + msg(D_TLS_ERRORS, "ASN1 ERROR: string contained terminating zero"); diff --git a/debian/patches/CVE-2017-7521bis.patch b/debian/patches/CVE-2017-7521bis.patch new file mode 100644 index 0000000..8f242f8 --- /dev/null +++ b/debian/patches/CVE-2017-7521bis.patch @@ -0,0 +1,74 @@ +commit 2341f716198fa90193e040b3fdb16959a47c6c27 +Author: Steffan Karger +Date: Mon Jun 19 11:28:38 2017 +0200 + + Fix remote-triggerable memory leaks (CVE-2017-7521) + + Several of our OpenSSL-specific certificate-parsing code paths did not + always clear all allocated memory. Since a client can cause a few bytes + of memory to be leaked for each connection attempt, a client can cause a + server to run out of memory and thereby kill the server. That makes this + a (quite inefficient) DoS attack. + + When using the --x509-alt-username option on openssl builds with an + extension (argument prefixed with "ext:", e.g. "ext:subjectAltName"), the + code would not free all allocated memory. Fix this by using the proper + free function. + + If ASN1_STRING_to_UTF8() returns 0, it didn't fail and *did* allocate + memory. So also free the returned buffer if it returns 0. + + These issues were found, analysed and reported to the OpenVPN team by Guido + Vranken. + + CVE: 2017-7521 + Signed-off-by: Steffan Karger + Acked-by: Gert Doering + Acked-by: David Sommerseth + Acked-by: Guido Vranken + Message-Id: <1497864520-12219-4-git-send-email-steffan.karger@fox-it.com> + URL: https://www.mail-archive.com/search?l=mid&q=1497864520-12219-4-git-send-email-steffan.karger@fox-it.com + Signed-off-by: Gert Doering + (cherry picked from commit 2d032c7fcdfd692c851ea2fa858b4c2d9ea7d52d) + +Index: openvpn-2.4.0/src/openvpn/ssl_verify_openssl.c +=================================================================== +--- openvpn-2.4.0.orig/src/openvpn/ssl_verify_openssl.c ++++ openvpn-2.4.0/src/openvpn/ssl_verify_openssl.c +@@ -165,7 +165,7 @@ extract_x509_extension(X509 *cert, char + break; + } + } +- sk_GENERAL_NAME_free(extensions); ++ GENERAL_NAMES_free(extensions); + } + return retval; + } +@@ -218,8 +218,7 @@ extract_x509_field_ssl(X509_NAME *x509, + { + return FAILURE; + } +- tmp = ASN1_STRING_to_UTF8(&buf, asn1); +- if (tmp <= 0) ++ if (ASN1_STRING_to_UTF8(&buf, asn1) < 0) + { + return FAILURE; + } +@@ -460,7 +459,7 @@ x509_setenv_track(const struct x509_trac + ASN1_STRING *val = X509_NAME_ENTRY_get_data(ent); + unsigned char *buf; + buf = (unsigned char *)1; /* bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8 requires this workaround */ +- if (ASN1_STRING_to_UTF8(&buf, val) > 0) ++ if (ASN1_STRING_to_UTF8(&buf, val) >= 0) + { + do_setenv_x509(es, xt->name, (char *)buf, depth); + OPENSSL_free(buf); +@@ -548,7 +547,7 @@ x509_setenv(struct env_set *es, int cert + continue; + } + buf = (unsigned char *)1; /* bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8 requires this workaround */ +- if (ASN1_STRING_to_UTF8(&buf, val) <= 0) ++ if (ASN1_STRING_to_UTF8(&buf, val) < 0) + { + continue; + } diff --git a/debian/patches/series b/debian/patches/series index 907dc15..a83cda1 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -8,3 +8,7 @@ CVE-2017-7479-prereq.patch CVE-2017-7479.patch wipe_tokens_on_de-auth.patch upstream-issue-879.patch +CVE-2017-7508.patch +CVE-2017-7520.patch +CVE-2017-7521.patch +CVE-2017-7521bis.patch -- cgit v1.2.3 From 4bf4d7a0fb651f3cae676fb982ad2149910432bd Mon Sep 17 00:00:00 2001 From: Bernhard Schmidt Date: Tue, 18 Jul 2017 22:11:25 +0200 Subject: Fix broken reconnect on connection loss due to wrong push digest calculation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit https://community.openvpn.net/openvpn/ticket/812 Thanks: Patrick Matthäi for testing Closes: #863110 --- .../812-fix-push-options-digest-update.patch | 31 ++++++++++++++++++++++ debian/patches/series | 1 + 2 files changed, 32 insertions(+) create mode 100644 debian/patches/812-fix-push-options-digest-update.patch diff --git a/debian/patches/812-fix-push-options-digest-update.patch b/debian/patches/812-fix-push-options-digest-update.patch new file mode 100644 index 0000000..f79a27c --- /dev/null +++ b/debian/patches/812-fix-push-options-digest-update.patch @@ -0,0 +1,31 @@ +From: Selva Nair +Date: Tue, 3 Jan 2017 16:42:18 -0500 +Subject: [PATCH] Fix push options digest update +Bug: https://community.openvpn.net/openvpn/ticket/812 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863110 + +Trac: #812 + +Signed-off-by: Selva Nair +Acked-by: Steffan Karger +Message-Id: <1483479738-17672-1-git-send-email-selva.nair@gmail.com> +URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13816.html +Signed-off-by: Gert Doering +--- + src/openvpn/push.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/openvpn/push.c b/src/openvpn/push.c +index f5154756a..c9c04a630 100644 +--- a/src/openvpn/push.c ++++ b/src/openvpn/push.c +@@ -692,8 +692,8 @@ push_update_digest(md_ctx_t *ctx, struct buffer *buf, const struct options *opt) + { + continue; + } ++ md_ctx_update(ctx, (const uint8_t *) line, strlen(line)+1); + } +- md_ctx_update(ctx, (const uint8_t *) line, strlen(line)+1); + } + + int diff --git a/debian/patches/series b/debian/patches/series index a83cda1..4357c69 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -12,3 +12,4 @@ CVE-2017-7508.patch CVE-2017-7520.patch CVE-2017-7521.patch CVE-2017-7521bis.patch +812-fix-push-options-digest-update.patch -- cgit v1.2.3 From 678cfd249add7ca758e4c41933c7b730132c99f4 Mon Sep 17 00:00:00 2001 From: Bernhard Schmidt Date: Thu, 3 Aug 2017 11:12:30 +0200 Subject: Changelog for 2.4.0-6+deb9u2 --- debian/changelog | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/debian/changelog b/debian/changelog index 0f96932..dd7f177 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +openvpn (2.4.0-6+deb9u2) stretch; urgency=medium + + * Fix broken reconnect on connection loss due to wrong push digest calculation. + Thanks to Patrick Matthäi for testing (Closes: #863110) + + -- Bernhard Schmidt Tue, 18 Jul 2017 22:15:17 +0200 + openvpn (2.4.0-6+deb9u1) stretch-security; urgency=high * SECURITY UPDATE: (Closes: #865480) -- cgit v1.2.3