
openvpn update in Squeeze



Hi (again) SRM,

I also have an update for OpenVPN, fixing CVE-2013-2061 (#707329) in Squeeze.
Please find attached the corresponding debdiff.

Thanks,

Alberto
-- 
Alberto Gonzalez Iniesta    | Formación, consultoría y soporte técnico
agi@(inittab.org|debian.org)| en GNU/Linux y software libre
Encrypted mail preferred    | http://inittab.com

Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D  4BF2 009B 3375 6B9A AA55
diff -Nru openvpn-2.1.3/debian/changelog openvpn-2.1.3/debian/changelog
--- openvpn-2.1.3/debian/changelog	2012-02-20 17:33:19.000000000 +0000
+++ openvpn-2.1.3/debian/changelog	2013-06-04 10:22:55.000000000 +0000
@@ -1,3 +1,10 @@
+openvpn (2.1.3-2+squeeze2) squeeze; urgency=low
+
+  * Applied upstream patch to fix use of non-constant-time memcmp
+    in HMAC comparison. CVE-2013-2061. (Closes: #707329)
+
+ -- Alberto Gonzalez Iniesta <agi@inittab.org>  Fri, 17 May 2013 11:16:48 +0000
+
 openvpn (2.1.3-2+squeeze1) stable; urgency=low
 
   * Applied Robert Millan's patch to fix /sbin/route calls on kfreebsd.
diff -Nru openvpn-2.1.3/debian/patches/cve-2013-2061.patch openvpn-2.1.3/debian/patches/cve-2013-2061.patch
--- openvpn-2.1.3/debian/patches/cve-2013-2061.patch	1970-01-01 00:00:00.000000000 +0000
+++ openvpn-2.1.3/debian/patches/cve-2013-2061.patch	2013-05-17 11:20:40.000000000 +0000
@@ -0,0 +1,64 @@
+Index: openvpn-2.1.3/buffer.h
+===================================================================
+--- openvpn-2.1.3.orig/buffer.h	2013-05-17 11:20:23.568781204 +0000
++++ openvpn-2.1.3/buffer.h	2013-05-17 11:20:34.764836709 +0000
+@@ -621,6 +621,10 @@
+     }
+ }
+ 
++/**
++ * Compare src buffer contents with match.
++ * *NOT* constant time. Do not use when comparing HMACs.
++ */
+ static inline bool
+ buf_string_match (const struct buffer *src, const void *match, int size)
+ {
+@@ -629,6 +633,10 @@
+   return memcmp (BPTR (src), match, size) == 0;
+ }
+ 
++/**
++ * Compare first size bytes of src buffer contents with match.
++ * *NOT* constant time. Do not use when comparing HMACs.
++ */
+ static inline bool
+ buf_string_match_head (const struct buffer *src, const void *match, int size)
+ {
+Index: openvpn-2.1.3/crypto.c
+===================================================================
+--- openvpn-2.1.3.orig/crypto.c	2013-05-17 11:20:27.132798867 +0000
++++ openvpn-2.1.3/crypto.c	2013-05-17 11:20:34.764836709 +0000
+@@ -71,6 +71,24 @@
+ #define CRYPT_ERROR(format) \
+   do { msg (D_CRYPT_ERRORS, "%s: " format, error_prefix); goto error_exit; } while (false)
+ 
++/**
++ * As memcmp(), but constant-time.
++ * Returns 0 when data is equal, non-zero otherwise.
++ */
++static int
++memcmp_constant_time (const void *a, const void *b, size_t size) {
++  const uint8_t * a1 = a;
++  const uint8_t * b1 = b;
++  int ret = 0;
++  size_t i;
++
++  for (i = 0; i < size; i++) {
++      ret |= *a1++ ^ *b1++;
++  }
++
++  return ret;
++}
++
+ void
+ openvpn_encrypt (struct buffer *buf, struct buffer work,
+ 		 const struct crypto_options *opt,
+@@ -255,7 +273,7 @@
+ 	  ASSERT (hmac_len == in_hmac_len);
+ 
+ 	  /* Compare locally computed HMAC with packet HMAC */
+-	  if (memcmp (local_hmac, BPTR (buf), hmac_len))
++	  if (memcmp_constant_time (local_hmac, BPTR (buf), hmac_len))
+ 	    CRYPT_ERROR ("packet HMAC authentication failed");
+ 
+ 	  ASSERT (buf_advance (buf, hmac_len));
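Review bot: memcmp_constant_time is defined `static` in crypto.c, so the warnings this patch adds to buffer.h (`*NOT* constant time. Do not use when comparing HMACs.`) steer callers in other translation units away from buf_string_match without giving them a reachable alternative; if any MAC comparison happens outside crypto.c, the helper should be declared in the corresponding header rather than kept file-local. The brace placement of the new definition, `memcmp_constant_time (const void *a, const void *b, size_t size) {`, also differs from the surrounding code, which puts a function's opening brace on its own line, as buf_string_match and buf_string_match_head in the same patch show. The docblock could state the precondition the call site relies on, since the loop reads exactly size bytes from both inputs: `* Both a and b must hold at least size bytes; the caller asserts hmac_len == in_hmac_len before calling.` The body of openvpn_decrypt around the changed comparison continues outside the hunk.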
diff -Nru openvpn-2.1.3/debian/patches/series openvpn-2.1.3/debian/patches/series
--- openvpn-2.1.3/debian/patches/series	2010-10-21 10:23:38.000000000 +0000
+++ openvpn-2.1.3/debian/patches/series	2013-05-17 11:20:17.000000000 +0000
@@ -11,3 +11,4 @@
 route_default_nil.patch
 client_hang_when_server_dont_push.patch
 clean_netlist.patch
+cve-2013-2061.patch
