
Bug#987731: marked as done (buster-pu: package openvpn/2.4.7-1)



Your message dated Sat, 19 Jun 2021 10:56:39 +0100
with message-id <5c65c3ad2ac9b1b1f78bf73b1cf073041e619b51.camel@adam-barratt.org.uk>
and subject line Closing p-u requests for fixes included in 10.10 point release
has caused the Debian Bug report #987731,
regarding buster-pu: package openvpn/2.4.7-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
987731: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987731
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

I would like to update openvpn in Buster fixing two no-dsa CVEs and one
performance issue.

CVE-2020-11810: No Debian Bug#, fixed upstream in 2.4.9
CVE-2020-15078: Bug#987380, cherry-picked for sid/bullseye in 2.5.1-2

TCP performance issue: Bug#968942, fixed upstream in 2.4.8

Proposed debdiff attached.

Bernhard
diffstat for openvpn-2.4.7 openvpn-2.4.7

 changelog                          |    8 ++++
 patches/CVE-2020-11810.patch       |   65 +++++++++++++++++++++++++++++++++++++
 patches/CVE-2020-15078.patch       |   37 +++++++++++++++++++++
 patches/increase-tcp-backlog.patch |   43 ++++++++++++++++++++++++
 patches/series                     |    3 +
 5 files changed, 156 insertions(+)

diff -Nru openvpn-2.4.7/debian/changelog openvpn-2.4.7/debian/changelog
--- openvpn-2.4.7/debian/changelog	2019-02-20 14:50:03.000000000 +0100
+++ openvpn-2.4.7/debian/changelog	2021-04-28 16:48:07.000000000 +0200
@@ -1,3 +1,11 @@
+openvpn (2.4.7-1+deb10u1) buster; urgency=medium
+
+  * Cherry-Pick upstream patches for CVE-2020-11810 and CVE-2020-15078
+    (Closes: #987380)
+  * Cherry-Pick upstream fix to increase TCP socket backlog (Closes: #968942)
+
+ -- Bernhard Schmidt <berni@debian.org>  Wed, 28 Apr 2021 16:48:07 +0200
+
 openvpn (2.4.7-1) unstable; urgency=medium
 
   [ Bernhard Schmidt ]
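Review bot: the entry `Cherry-Pick upstream patches for CVE-2020-11810 and CVE-2020-15078 (Closes: #987380)` gives no one-line description of either issue; stable-update changelogs usually state what each CVE is (from the patch subjects here: "illegal client float" and "push reply sent before the key state is authenticated") so the entry is useful to readers of the security tracker. Since the cover mail says CVE-2020-11810 has no Debian bug and #987380 is only CVE-2020-15078, it would also be clearer to attach the Closes: to the CVE it actually belongs to.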
diff -Nru openvpn-2.4.7/debian/patches/CVE-2020-11810.patch openvpn-2.4.7/debian/patches/CVE-2020-11810.patch
--- openvpn-2.4.7/debian/patches/CVE-2020-11810.patch	1970-01-01 01:00:00.000000000 +0100
+++ openvpn-2.4.7/debian/patches/CVE-2020-11810.patch	2021-04-28 16:48:07.000000000 +0200
@@ -0,0 +1,65 @@
+From 37bc691e7d26ea4eb61a8a434ebd7a9ae76225ab Mon Sep 17 00:00:00 2001
+From: Lev Stipakov <lev@openvpn.net>
+Date: Wed, 15 Apr 2020 10:30:17 +0300
+Subject: [PATCH] Fix illegal client float (CVE-2020-11810)
+
+There is a time frame between allocating peer-id and initializing data
+channel key (which is performed on receiving push request or on async
+push-reply) in which the existing peer-id float checks do not work right.
+
+If a "rogue" data channel packet arrives during that time frame from
+another address and  with same peer-id, this would cause client to float
+to that new address. This is because:
+
+ - tls_pre_decrypt() sets packet length to zero if
+   data channel key has not been initialized, which leads to
+
+ - openvpn_decrypt() returns true if packet length is zero,
+   which leads to
+
+ - process_incoming_link_part1() returns true, which
+   calls multi_process_float(), which commits float
+
+Note that problem doesn't happen when data channel key is initialized,
+since in this case openvpn_decrypt() returns false.
+
+The net effect of this behaviour is that the VPN session for the
+"victim client" is broken.  Since the "attacker client" does not have
+suitable keys, it can not inject or steal VPN traffic from the other
+session.  The time window is small and it can not be used to attack
+a specific client's session, unless some other way is found to make it
+disconnect and reconnect first.
+
+CVE-2020-11810 has been assigned to acknowledge this risk.
+
+Fix illegal float by adding buffer length check ("is this packet still
+considered valid") before calling multi_process_float().
+
+Trac: #1272
+CVE: 2020-11810
+
+Signed-off-by: Lev Stipakov <lev@openvpn.net>
+Acked-by: Arne Schwabe <arne@rfc2549.org>
+Acked-by: Antonio Quartulli <antonio@openvpn.net>
+Acked-by: Gert Doering <gert@greenie.muc.de>
+Message-Id: <20200415073017.22839-1-lstipakov@gmail.com>
+URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19720.html
+Signed-off-by: Gert Doering <gert@greenie.muc.de>
+---
+ src/openvpn/multi.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
+index b42bcec97..056e3dc76 100644
+--- a/src/openvpn/multi.c
++++ b/src/openvpn/multi.c
+@@ -2577,7 +2577,8 @@ multi_process_incoming_link(struct multi_context *m, struct multi_instance *inst
+             orig_buf = c->c2.buf.data;
+             if (process_incoming_link_part1(c, lsi, floated))
+             {
+-                if (floated)
++                /* nonzero length means that we have a valid, decrypted packed */
++                if (floated && c->c2.buf.len > 0)
+                 {
+                     multi_process_float(m, m->pending);
+                 }
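Review bot: the comment added at `+                /* nonzero length means that we have a valid, decrypted packed */` has a typo, "packed" for "packet"; as this is a verbatim upstream cherry-pick it can stay identical to upstream, but it should read "packet" if the patch is ever refreshed. The new condition `if (floated && c->c2.buf.len > 0)` is correct only because tls_pre_decrypt() zeroes the buffer length for data packets that arrive before the data channel key exists, as the commit message explains; that dependency is worth one sentence in the patch header so a later backport against a different multi.c does not silently lose it.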
diff -Nru openvpn-2.4.7/debian/patches/CVE-2020-15078.patch openvpn-2.4.7/debian/patches/CVE-2020-15078.patch
--- openvpn-2.4.7/debian/patches/CVE-2020-15078.patch	1970-01-01 01:00:00.000000000 +0100
+++ openvpn-2.4.7/debian/patches/CVE-2020-15078.patch	2021-04-28 16:48:07.000000000 +0200
@@ -0,0 +1,37 @@
+From 0e5516a9d656ce86f7fb370c824344ea1760c255 Mon Sep 17 00:00:00 2001
+From: Arne Schwabe <arne@rfc2549.org>
+Date: Tue, 6 Apr 2021 00:05:21 +0200
+Subject: [PATCH] Ensure key state is authenticated before sending push reply
+
+This ensures that the key state is authenticated when sending
+a push reply.
+---
+ src/openvpn/push.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/src/openvpn/push.c b/src/openvpn/push.c
+index 002be2332..52c6e8200 100644
+--- a/src/openvpn/push.c
++++ b/src/openvpn/push.c
+@@ -652,6 +652,7 @@ int
+ process_incoming_push_request(struct context *c)
+ {
+     int ret = PUSH_MSG_ERROR;
++    struct key_state *ks = &c->c2.tls_multi->session[TM_ACTIVE].key[KS_PRIMARY];
+ 
+ #ifdef ENABLE_ASYNC_PUSH
+     c->c2.push_request_received = true;
+@@ -662,7 +663,12 @@ process_incoming_push_request(struct context *c)
+         send_auth_failed(c, client_reason);
+         ret = PUSH_MSG_AUTH_FAILURE;
+     }
+-    else if (!c->c2.push_reply_deferred && c->c2.context_auth == CAS_SUCCEEDED)
++    else if (!c->c2.push_reply_deferred && c->c2.context_auth == CAS_SUCCEEDED
++             && ks->authenticated
++ #ifdef ENABLE_DEF_AUTH
++             && !ks->auth_deferred
++ #endif
++             )
+     {
+         time_t now;
+ 
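Review bot: the patch header (`Subject: [PATCH] Ensure key state is authenticated before sending push reply` plus a two-line body) never names CVE-2020-15078 or Bug #987380, while the other two patches carry Trac/CVE and URL lines; adding a `CVE: 2020-15078` and `Bug-Debian:` line would make the provenance checkable against the security tracker. The code change itself is what the subject says: the push reply is now additionally gated on `ks->authenticated` and, under ENABLE_DEF_AUTH, on `!ks->auth_deferred` for the primary key state of the active session. The `#ifdef ENABLE_DEF_AUTH` / `#endif` lines inside the expression carry a leading space, which the preprocessor accepts but some style checkers flag; fine to keep as upstream has it.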
diff -Nru openvpn-2.4.7/debian/patches/increase-tcp-backlog.patch openvpn-2.4.7/debian/patches/increase-tcp-backlog.patch
--- openvpn-2.4.7/debian/patches/increase-tcp-backlog.patch	1970-01-01 01:00:00.000000000 +0100
+++ openvpn-2.4.7/debian/patches/increase-tcp-backlog.patch	2021-04-28 16:48:07.000000000 +0200
@@ -0,0 +1,43 @@
+From ec0ca68f4ed1e6aa6f08f470b18e0198b7e5a4da Mon Sep 17 00:00:00 2001
+From: Gert Doering <gert@greenie.muc.de>
+Date: Thu, 15 Aug 2019 17:53:19 +0200
+Subject: [PATCH] Increase listen() backlog queue to 32
+
+For reasons historically unknown, OpenVPN sets the listen() backlog
+queue to "1", which signals the kernel "while there is one TCP connect
+waiting for OpenVPN to handle it, refuse all others" - which, on
+restarting a busy TCP server, will create connection issues.
+
+The exact "best" value of the backlog queue is subject of discussion,
+but for a server that is not extremely busy with many connections
+coming in in parallel, there is no real difference between "10" or "500",
+as long as it's "more than 1".
+
+Found and debugged by "mjo" in Trac.
+
+Trac: #1208
+
+Signed-off-by: Gert Doering <gert@greenie.muc.de>
+Acked-by: Antonio Quartulli <antonio@openvpn.net>
+Acked-by: David Sommerseth <davids@openvpn.net>
+Message-Id: <20190815155319.28249-1-gert@greenie.muc.de>
+URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18758.html
+Signed-off-by: Gert Doering <gert@greenie.muc.de>
+(cherry picked from commit 6d8380c78bf77766454b93b49ab2ebf713b0be48)
+---
+ src/openvpn/socket.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c
+index c76d20627..9131ec202 100644
+--- a/src/openvpn/socket.c
++++ b/src/openvpn/socket.c
+@@ -1170,7 +1170,7 @@ socket_do_listen(socket_descriptor_t sd,
+         ASSERT(local);
+         msg(M_INFO, "Listening for incoming TCP connection on %s",
+             print_sockaddr(local->ai_addr, &gc));
+-        if (listen(sd, 1))
++        if (listen(sd, 32))
+         {
+             msg(M_ERR, "TCP: listen() failed");
+         }
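Review bot: `listen(sd, 32)` replaces one bare literal with another; a named constant with a short comment would record why 32 was chosen, given that the commit message only argues for "more than 1". One caveat worth a line in the changelog: on Linux the backlog argument is silently capped to net.core.somaxconn, so the effective queue depends on that sysctl rather than on the literal; with any stock default this stays well above 1, so the patch still addresses the restart issue it describes.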
diff -Nru openvpn-2.4.7/debian/patches/series openvpn-2.4.7/debian/patches/series
--- openvpn-2.4.7/debian/patches/series	2019-02-20 14:50:03.000000000 +0100
+++ openvpn-2.4.7/debian/patches/series	2021-04-28 16:48:07.000000000 +0200
@@ -7,3 +7,6 @@
 spelling_errors.patch
 systemd.patch
 fix-pkcs11-helper-hang.patch
+CVE-2020-11810.patch
+CVE-2020-15078.patch
+increase-tcp-backlog.patch

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.10

Hi,

Each of the updates referenced in these bugs was included in the 10.10
point release today.

Regards,

Adam

--- End Message ---