Re: Wheezy update of openvpn?
On Thu, Jun 22, 2017 at 11:16:04AM +0200, Raphael Hertzog wrote:
> Hello Alberto,
>
> The Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of openvpn:
> https://security-tracker.debian.org/tracker/CVE-2017-7508
> https://security-tracker.debian.org/tracker/CVE-2017-7520
> https://security-tracker.debian.org/tracker/CVE-2017-7521
>
> Would you like to take care of this yourself?
>
> If yes, please follow the workflow we have defined here:
> https://wiki.debian.org/LTS/Development
>
> If that workflow is a burden to you, feel free to just prepare an
> updated source package and send it to debian-lts@lists.debian.org
> (via a debdiff, or with an URL pointing to the source package,
> or even with a pointer to your packaging repository), and the members
> of the LTS team will take care of the rest. Indicate clearly whether you
> have tested the updated package or not.
Hi,
Yep, the workflow seems a bit messy for an overworked newcomer. Please
find attached the corresponding debdiff. I have tested the resulting
package on one of my servers (not that many wheezy around these days)
and it seems to work fine.
Thanks,
Alberto
--
Alberto Gonzalez Iniesta | Training, consulting and technical support
mailto/sip: agi@inittab.org | in GNU/Linux and free software
Encrypted mail preferred | http://inittab.com
Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55
diff -Nru openvpn-2.2.1/debian/changelog openvpn-2.2.1/debian/changelog
--- openvpn-2.2.1/debian/changelog 2017-05-12 15:39:52.000000000 +0200
+++ openvpn-2.2.1/debian/changelog 2017-06-22 18:58:30.000000000 +0200
@@ -1,3 +1,11 @@
+openvpn (2.2.1-8+deb7u5) wheezy-security; urgency=low
+
+ * The "Bye bye OpenVPN" release.
+ * patches/CVE-2017-7520.patch: Prevent two kinds of stack buffer OOB reads
+ and a crash for invalid input data. (CVE-2017-7520)
+
+ -- Alberto Gonzalez Iniesta <agi@inittab.org> Thu, 22 Jun 2017 18:53:39 +0200
+
openvpn (2.2.1-8+deb7u4) wheezy-security; urgency=medium
* Non-maintainer upload by the Debian LTS team.
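Review bot: the new changelog entry (and the matching series addition) covers only CVE-2017-7520, while the request this upload answers listed CVE-2017-7508 and CVE-2017-7521 as well; the entry should state whether those two do not affect the 2.2.1 code base or are left for a later upload, so the security tracker can be marked accordingly. Two smaller points: urgency=low is unusual for a wheezy-security upload (the deb7u4 entry just below uses medium), and the "Bye bye OpenVPN" line carries no information for users; consider dropping it or saying what it refers to.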
diff -Nru openvpn-2.2.1/debian/patches/CVE-2017-7520.patch openvpn-2.2.1/debian/patches/CVE-2017-7520.patch
--- openvpn-2.2.1/debian/patches/CVE-2017-7520.patch 1970-01-01 01:00:00.000000000 +0100
+++ openvpn-2.2.1/debian/patches/CVE-2017-7520.patch 2017-06-22 18:56:54.000000000 +0200
@@ -0,0 +1,56 @@
+commit 4bec9d25d519a56bc40458e947d3dfa964b82b13
+Author: Guido Vranken <guidovranken@gmail.com>
+Date: Fri May 19 14:04:25 2017 +0200
+
+ Prevent two kinds of stack buffer OOB reads and a crash for invalid input data
+
+ Pre-authentication remote crash/information disclosure for clients
+
+ If clients use a HTTP proxy with NTLM authentication (i.e.
+ "--http-proxy <server> <port> [<authfile>|'auto'|'auto-nct'] ntlm2"),
+ a man-in-the-middle attacker between the client and the proxy can
+ cause the client to crash or disclose at most 96 bytes of stack
+ memory. The disclosed stack memory is likely to contain the proxy
+ password.
+
+ If the proxy password is not reused, this is unlikely to compromise
+ the security of the OpenVPN tunnel itself. Clients who do not use
+ the --http-proxy option with ntlm2 authentication are not affected.
+
+ CVE: 2017-7520
+ Signed-off-by: Guido Vranken <guidovranken@gmail.com>
+ Acked-by: Gert Doering <gert@greenie.muc.de>
+ Message-Id: <CAO5O-EJvHKid-zTj+hmFG_3Gv78ixqCayE9=C62DZaxN32WNtQ@mail.gmail.com>
+ URL: https://www.mail-archive.com/search?l=mid&q=CAO5O-EJvHKid-zTj+hmFG_3Gv78ixqCayE9=C62DZaxN32WNtQ@mail.gmail.com
+ Signed-off-by: Gert Doering <gert@greenie.muc.de>
+ (cherry picked from commit 7718c8984f04b507c1885f363970e2124e3c6c77)
+ (cherry picked from commit f38a4a105979b87ebebe9be1c3d323116d3fb924)
+
+Index: openvpn-2.2.1/ntlm.c
+===================================================================
+--- openvpn-2.2.1.orig/ntlm.c 2011-06-24 08:13:39.000000000 +0200
++++ openvpn-2.2.1/ntlm.c 2017-06-22 18:56:50.624960031 +0200
+@@ -190,7 +190,7 @@
+ */
+
+ char pwbuf[sizeof (p->up.password) * 2]; /* for unicode password */
+- char buf2[128]; /* decoded reply from proxy */
++ unsigned char buf2[128]; /* decoded reply from proxy */
+ unsigned char phase3[464];
+
+ char md4_hash[21];
+@@ -281,7 +281,13 @@
+ tib_len = buf2[0x28];/* Get Target Information block size */
+ if (tib_len > 96) tib_len = 96;
+ {
+- char *tib_ptr = buf2 + buf2[0x2c]; /* Get Target Information block pointer */
++ char *tib_ptr;
++ int tib_pos = buf2[0x2c];
++ if (tib_pos + tib_len > sizeof(buf2))
++ {
++ return NULL;
++ }
++ tib_ptr = buf2 + tib_pos; /* Get Target Information block pointer */
+ memcpy(&ntlmv2_blob[0x1c], tib_ptr, tib_len); /* Copy Target Information block into the blob */
+ }
+ } else {
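Review bot: in the inner hunk at @@ -281, `tib_ptr` is still declared `char *` while `buf2` has just been changed to `unsigned char[]`, so `tib_ptr = buf2 + tib_pos;` assigns between incompatible pointer types and will draw a -Wpointer-sign style warning; declare it `unsigned char *tib_ptr;` (or cast explicitly) to match the first inner hunk. Worth spelling out in the patch header or a comment why the signedness change matters: with `char buf2`, `buf2[0x2c]` and `buf2[0x28]` could be negative on platforms where char is signed, producing a pointer before the buffer, and the new `tib_pos + tib_len > sizeof(buf2)` test only holds because both values are now taken from unsigned bytes (tib_len is additionally clamped to 96 on the line above). Note also that the new bound is against the full 128-byte stack buffer rather than against the number of bytes actually decoded into it, so please confirm that the decoded length is validated elsewhere in this function before `buf2[0x28]`/`buf2[0x2c]` are read; otherwise the copy can still pull bytes of `buf2` that the proxy reply never filled.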
diff -Nru openvpn-2.2.1/debian/patches/series openvpn-2.2.1/debian/patches/series
--- openvpn-2.2.1/debian/patches/series 2017-05-12 15:39:38.000000000 +0200
+++ openvpn-2.2.1/debian/patches/series 2017-06-22 18:56:45.000000000 +0200
@@ -15,3 +15,4 @@
update_sample_certs.patch
CVE-2017-7479_1.patch
CVE-2017-7479_2.patch
+CVE-2017-7520.patch