Apply upstream patch to fix CVE-2014-8104

parent dc964a54
openvpn (2.3.4-5) unstable; urgency=high
* Apply upstream patch that fixes possible DoS by authenticated
clients. CVE-2014-8104
-- Alberto Gonzalez Iniesta <agi@inittab.org> Mon, 01 Dec 2014 16:10:37 +0100
openvpn (2.3.4-4) unstable; urgency=medium
* Use dh-systemd in order to enable the service unit.
......
From c5590a6821e37f3b29735f55eb0c2b9c0924138c Mon Sep 17 00:00:00 2001
From: Steffan Karger <steffan.karger@fox-it.com>
Date: Thu, 20 Nov 2014 13:43:05 +0100
Subject: [PATCH] Drop too-short control channel packets instead of asserting
out.
This fixes a denial-of-service vulnerability where an authenticated client
could stop the server by triggering a server-side ASSERT().
OpenVPN would previously ASSERT() that control channel packets have a
payload of at least 4 bytes. An authenticated client could trigger this
assert by sending a too-short control channel packet to the server.
Thanks to Dragana Damjanovic for reporting the issue.
This bug has been assigned CVE-2014-8104.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1CED409804E2164C8104F9E623B08B9018803B0FE7@FOXDFT02.FOX.local>
Signed-off-by: Gert Doering <gert@greenie.muc.de>
---
src/openvpn/ssl.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
Index: openvpn/src/openvpn/ssl.c
===================================================================
--- openvpn.orig/src/openvpn/ssl.c 2014-12-01 16:09:43.031080162 +0100
+++ openvpn/src/openvpn/ssl.c 2014-12-01 16:09:43.027080161 +0100
@@ -2028,7 +2028,11 @@
ASSERT (session->opt->key_method == 2);
/* discard leading uint32 */
- ASSERT (buf_advance (buf, 4));
+ if (!buf_advance (buf, 4)) {
+ msg (D_TLS_ERRORS, "TLS ERROR: Plaintext buffer too short (%d bytes).",
+ buf->len);
+ goto error;
+ }
/* get key method */
key_method_flags = buf_read_u8 (buf);
......@@ -8,3 +8,4 @@ accommodate_typo.patch
manpage_fixes.patch
better_systemd_detection.patch
client_connect_tmp_files.patch
0001-Drop-too-short-control-channel-packets-instead-of-as.patch
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment