From c7528a75539f46a1b23d8c32ec83952fe095ae52 Mon Sep 17 00:00:00 2001
From: Bernhard Schmidt
Date: Wed, 28 Apr 2021 16:47:06 +0200
Subject: Cherry-Pick upstream patches for CVE-2020-11810 and CVE-2020-15078
Closes: #987380
---
 debian/patches/CVE-2020-11810.patch | 65 +++++++++++++++++++++++++++++++++++++
 debian/patches/CVE-2020-15078.patch | 37 +++++++++++++++++++++
 debian/patches/series | 2 ++
 3 files changed, 104 insertions(+)
 create mode 100644 debian/patches/CVE-2020-11810.patch
 create mode 100644 debian/patches/CVE-2020-15078.patch
(limited to 'debian')
diff --git a/debian/patches/CVE-2020-11810.patch b/debian/patches/CVE-2020-11810.patch
new file mode 100644
index 0000000..466cf0c
--- /dev/null
+++ b/debian/patches/CVE-2020-11810.patch
@@ -0,0 +1,65 @@
+From 37bc691e7d26ea4eb61a8a434ebd7a9ae76225ab Mon Sep 17 00:00:00 2001
+From: Lev Stipakov
+Date: Wed, 15 Apr 2020 10:30:17 +0300
+Subject: [PATCH] Fix illegal client float (CVE-2020-11810)
+
+There is a time frame between allocating peer-id and initializing data
+channel key (which is performed on receiving push request or on async
+push-reply) in which the existing peer-id float checks do not work right.
+
+If a "rogue" data channel packet arrives during that time frame from
+another address and with same peer-id, this would cause client to float
+to that new address. This is because:
+
+ - tls_pre_decrypt() sets packet length to zero if
+ data channel key has not been initialized, which leads to
+
+ - openvpn_decrypt() returns true if packet length is zero,
+ which leads to
+
+ - process_incoming_link_part1() returns true, which
+ calls multi_process_float(), which commits float
+
+Note that problem doesn't happen when data channel key is initialized,
+since in this case openvpn_decrypt() returns false.
+
+The net effect of this behaviour is that the VPN session for the
+"victim client" is broken. Since the "attacker client" does not have
+suitable keys, it can not inject or steal VPN traffic from the other
+session. The time window is small and it can not be used to attack
+a specific client's session, unless some other way is found to make it
+disconnect and reconnect first.
+
+CVE-2020-11810 has been assigned to acknowledge this risk.
+
+Fix illegal float by adding buffer length check ("is this packet still
+considered valid") before calling multi_process_float().
+
+Trac: #1272
+CVE: 2020-11810
+
+Signed-off-by: Lev Stipakov
+Acked-by: Arne Schwabe
+Acked-by: Antonio Quartulli
+Acked-by: Gert Doering
+Message-Id: <20200415073017.22839-1-lstipakov@gmail.com>
+URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19720.html
+Signed-off-by: Gert Doering
+---
+ src/openvpn/multi.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
+index b42bcec97..056e3dc76 100644
+--- a/src/openvpn/multi.c
++++ b/src/openvpn/multi.c
+@@ -2577,7 +2577,8 @@ multi_process_incoming_link(struct multi_context *m, struct multi_instance *inst
+ orig_buf = c->c2.buf.data;
+ if (process_incoming_link_part1(c, lsi, floated))
+ {
+- if (floated)
++ /* nonzero length means that we have a valid, decrypted packed */
++ if (floated && c->c2.buf.len > 0)
+ {
+ multi_process_float(m, m->pending);
+ }
diff --git a/debian/patches/CVE-2020-15078.patch b/debian/patches/CVE-2020-15078.patch
new file mode 100644
index 0000000..b3b9613
--- /dev/null
+++ b/debian/patches/CVE-2020-15078.patch
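Review bot: The comment added above the float guard in multi.c reads `decrypted packed` where `packet` is meant; suggest `/* nonzero length means that we have a valid, decrypted packet */`. The guard `if (floated && c->c2.buf.len > 0)` also encodes an invariant the hunk itself cannot show — that tls_pre_decrypt()/openvpn_decrypt() leave buf.len at zero for any packet that could not be verified with the data-channel key — so a comment naming that dependency would protect the check from a later refactor of the decrypt path, e.g. `/* buf.len is zeroed by the decrypt path when the packet could not be authenticated; only a verified packet may move the peer's address */`. On the packaging side, the patch file carries the upstream git header but no DEP-3 fields; adding `Bug-Debian: https://bugs.debian.org/987380` and `Origin: upstream, commit 37bc691e7d26ea4eb61a8a434ebd7a9ae76225ab` under the Subject line lets tracking tools link it to the advisory. multi_process_incoming_link starts and ends outside the nested hunk.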
@@ -0,0 +1,37 @@
+From 0e5516a9d656ce86f7fb370c824344ea1760c255 Mon Sep 17 00:00:00 2001
+From: Arne Schwabe
+Date: Tue, 6 Apr 2021 00:05:21 +0200
+Subject: [PATCH] Ensure key state is authenticated before sending push reply
+
+This ensures that the key state is authenticated when sending
+a push reply.
+---
+ src/openvpn/push.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/src/openvpn/push.c b/src/openvpn/push.c
+index 002be2332..52c6e8200 100644
+--- a/src/openvpn/push.c
++++ b/src/openvpn/push.c
+@@ -652,6 +652,7 @@ int
+ process_incoming_push_request(struct context *c)
+ {
+ int ret = PUSH_MSG_ERROR;
++ struct key_state *ks = &c->c2.tls_multi->session[TM_ACTIVE].key[KS_PRIMARY];
+
+ #ifdef ENABLE_ASYNC_PUSH
+ c->c2.push_request_received = true;
+@@ -662,7 +663,12 @@ process_incoming_push_request(struct context *c)
+ send_auth_failed(c, client_reason);
+ ret = PUSH_MSG_AUTH_FAILURE;
+ }
+- else if (!c->c2.push_reply_deferred && c->c2.context_auth == CAS_SUCCEEDED)
++ else if (!c->c2.push_reply_deferred && c->c2.context_auth == CAS_SUCCEEDED
++ && ks->authenticated
++ #ifdef ENABLE_DEF_AUTH
++ && !ks->auth_deferred
++ #endif
++ )
+ {
+ time_t now;
+
diff --git a/debian/patches/series b/debian/patches/series
index 8b19c3d..5ce43a5 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -7,3 +7,5 @@ match-manpage-and-command-help.patch
 spelling_errors.patch
 systemd.patch
 fix-pkcs11-helper-hang.patch
+CVE-2020-11810.patch
+CVE-2020-15078.patch
-- cgit v1.2.3
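Review bot: The CVE-2020-15078 patch file has only a two-line description with no CVE id, Debian bug reference or upstream trailers, unlike the CVE-2020-11810 patch beside it, so nothing in debian/patches ties this change to its advisory; suggest DEP-3 fields under the Subject line: `CVE: 2020-15078`, `Bug-Debian: https://bugs.debian.org/987380`, `Origin: upstream, commit 0e5516a9d656ce86f7fb370c824344ea1760c255`. In the code, `ks` is computed from `c->c2.tls_multi->session[TM_ACTIVE].key[KS_PRIMARY]` at function entry, which presumes tls_multi is non-NULL whenever a push request reaches this function — presumably true for a TLS-mode server, but the hunk does not check it, and a one-line comment such as `/* push requests only arrive in TLS mode, so tls_multi is set */` would record the assumption. The new `ks->authenticated` / `!ks->auth_deferred` conjuncts sit inside an `#ifdef` in the middle of the else-if expression, which is legal but hard to read; since this is a verbatim cherry-pick it is reasonable to keep upstream's text rather than diverge. process_incoming_push_request's body continues outside both nested hunks, and the series-file hunk needs no review.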