From 7516ea48779dc04ae38d4727daccafad250c6277 Mon Sep 17 00:00:00 2001 From: Alberto Gonzalez Iniesta Date: Mon, 1 Dec 2014 16:12:18 +0100 Subject: Apply upstream patch to fix CVE-2014-8104 --- debian/changelog | 7 ++++ ...ort-control-channel-packets-instead-of-as.patch | 42 ++++++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 50 insertions(+) create mode 100644 debian/patches/0001-Drop-too-short-control-channel-packets-instead-of-as.patch diff --git a/debian/changelog b/debian/changelog index a51dc57..7c0068e 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +openvpn (2.3.4-5) unstable; urgency=high + + * Apply upstream patch that fixes possible DoS by authenticated + clients. CVE-2014-8104 + + -- Alberto Gonzalez Iniesta Mon, 01 Dec 2014 16:10:37 +0100 + openvpn (2.3.4-4) unstable; urgency=medium * Use dh-systemd in order to enable the service unit. diff --git a/debian/patches/0001-Drop-too-short-control-channel-packets-instead-of-as.patch b/debian/patches/0001-Drop-too-short-control-channel-packets-instead-of-as.patch new file mode 100644 index 0000000..0c80ee0 --- /dev/null +++ b/debian/patches/0001-Drop-too-short-control-channel-packets-instead-of-as.patch @@ -0,0 +1,42 @@ +From c5590a6821e37f3b29735f55eb0c2b9c0924138c Mon Sep 17 00:00:00 2001 +From: Steffan Karger +Date: Thu, 20 Nov 2014 13:43:05 +0100 +Subject: [PATCH] Drop too-short control channel packets instead of asserting + out. + +This fixes a denial-of-service vulnerability where an authenticated client +could stop the server by triggering a server-side ASSERT(). + +OpenVPN would previously ASSERT() that control channel packets have a +payload of at least 4 bytes. An authenticated client could trigger this +assert by sending a too-short control channel packet to the server. + +Thanks to Dragana Damjanovic for reporting the issue. + +This bug has been assigned CVE-2014-8104. + +Signed-off-by: Steffan Karger +Acked-by: Gert Doering +Message-Id: <1CED409804E2164C8104F9E623B08B9018803B0FE7@FOXDFT02.FOX.local> +Signed-off-by: Gert Doering +--- + src/openvpn/ssl.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +Index: openvpn/src/openvpn/ssl.c +=================================================================== +--- openvpn.orig/src/openvpn/ssl.c 2014-12-01 16:09:43.031080162 +0100 ++++ openvpn/src/openvpn/ssl.c 2014-12-01 16:09:43.027080161 +0100 +@@ -2028,7 +2028,11 @@ + ASSERT (session->opt->key_method == 2); + + /* discard leading uint32 */ +- ASSERT (buf_advance (buf, 4)); ++ if (!buf_advance (buf, 4)) { ++ msg (D_TLS_ERRORS, "TLS ERROR: Plaintext buffer too short (%d bytes).", ++ buf->len); ++ goto error; ++ } + + /* get key method */ + key_method_flags = buf_read_u8 (buf); diff --git a/debian/patches/series b/debian/patches/series index a6f52d3..4017a89 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -8,3 +8,4 @@ accommodate_typo.patch manpage_fixes.patch better_systemd_detection.patch client_connect_tmp_files.patch +0001-Drop-too-short-control-channel-packets-instead-of-as.patch -- cgit v1.2.3