path: root/debian/patches/CVE-2017-7521.patch
blob: 085550cd361439f048282c3afa5c4317935d1fac (plain)
commit 1dde0cd6e5e6a0f2f45ec9969b7ff1b6537514ad
Author: Steffan Karger <steffan.karger@fox-it.com>
Date:   Mon Jun 19 11:28:40 2017 +0200

    Fix potential double-free in --x509-alt-username (CVE-2017-7521)
    
    We didn't check the return value of ASN1_STRING_to_UTF8() in
    extract_x509_extension().  Ignoring such a failure could result in buf
    being free'd twice.  An error in ASN1_STRING_to_UTF8() can be caused
    remotely if the peer can make the local process run out of memory.
    
    The problem can only be triggered for configurations that use the
    --x509-alt-username option with an x509 extension (i.e. the option
    parameter starts with "ext:").
    
    This issue was discovered, analysed and reported to the OpenVPN team by
    Guido Vranken.
    
    Extensive testing by Guido Vranken gives confidence that this function
    is very unlikely to fail in real-world usage (using subjectAltName or
    issuerAltName extensions) for other reasons than memory exhaustion.
    
    CVE: 2017-7521
    Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Acked-by: David Sommerseth <davids@openvpn.net>
    Acked-by: Guido Vranken <guidovranken@gmail.com>
    Message-Id: <1497864520-12219-6-git-send-email-steffan.karger@fox-it.com>
    URL: https://www.mail-archive.com/search?l=mid&q=1497864520-12219-6-git-send-email-steffan.karger@fox-it.com
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    (cherry picked from commit cb4e35ece4a5b70b10ef9013be3bff263d82f32b)

Index: openvpn-2.3.4/src/openvpn/ssl_verify_openssl.c
===================================================================
--- openvpn-2.3.4.orig/src/openvpn/ssl_verify_openssl.c
+++ openvpn-2.3.4/src/openvpn/ssl_verify_openssl.c
@@ -124,7 +124,10 @@ bool extract_x509_extension(X509 *cert,
           switch (name->type)
             {
               case GEN_EMAIL:
-                ASN1_STRING_to_UTF8((unsigned char**)&buf, name->d.ia5);
+                if (ASN1_STRING_to_UTF8((unsigned char **)&buf, name->d.ia5) < 0)
+                  {
+                    continue;
+                  }
                 if ( strlen (buf) != name->d.ia5->length )
                   {
                     msg (D_TLS_ERRORS, "ASN1 ERROR: string contained terminating zero");
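Review bot: The failure branch in the GEN_EMAIL case is silent; since the commit message says this path is reachable only on memory exhaustion, dropping the name without a message will make a genuine allocation failure hard to diagnose, so consider emitting an `msg(D_TLS_ERRORS, ...)` before the `continue`, matching the "ASN1 ERROR: string contained terminating zero" diagnostic already used two lines below. Also, ASN1_STRING_to_UTF8() returns the number of bytes written on success, so storing that return value and comparing it with `name->d.ia5->length` would make the separate `strlen(buf)` call unnecessary and keep the length check tied to what the conversion actually produced, e.g. `int len = ASN1_STRING_to_UTF8((unsigned char **)&buf, name->d.ia5); if (len < 0) { continue; } if (len != name->d.ia5->length) ...`. Finally, the hunk only shows the GEN_EMAIL arm of the switch; any other arm that calls ASN1_STRING_to_UTF8() on `buf` needs the same check, otherwise the double-free remains reachable there.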