From 48eb5a9bd56e639a973a4c74c81d66ca857a4810c9688a490e9c80ad6cfb0d96 Mon Sep 17 00:00:00 2001 From: Nirmoy Das Date: Tue, 10 Oct 2017 14:11:53 +0000 Subject: [PATCH] Accepting request 533031 from home:ndas:branches:network:vpn - Do bound check in read_key before using values(CVE-2017-12166 bsc#1060877). [+ 0002-Fix-bounds-check-in-read_key.patch] OBS-URL: https://build.opensuse.org/request/show/533031 OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=127 --- 0002-Fix-bounds-check-in-read_key.patch | 58 +++++++++++++++++++++++++ openvpn.changes | 6 +++ openvpn.spec | 2 + 3 files changed, 66 insertions(+) create mode 100644 0002-Fix-bounds-check-in-read_key.patch diff --git a/0002-Fix-bounds-check-in-read_key.patch b/0002-Fix-bounds-check-in-read_key.patch new file mode 100644 index 0000000..3a81f40 --- /dev/null +++ b/0002-Fix-bounds-check-in-read_key.patch @@ -0,0 +1,58 @@ +From 3b1a61e9fb27213c46f76312f4065816bee8ed01 Mon Sep 17 00:00:00 2001 +From: Steffan Karger +Date: Tue, 15 Aug 2017 10:04:33 +0200 +Subject: [PATCH] Fix bounds check in read_key() + +The bounds check in read_key() was performed after using the value, instead +of before. If 'key-method 1' is used, this allowed an attacker to send a +malformed packet to trigger a stack buffer overflow. + +Fix this by moving the input validation to before the writes. + +Note that 'key-method 1' has been replaced by 'key method 2' as the default +in OpenVPN 2.0 (released on 2005-04-17), and explicitly deprecated in 2.4 +and marked for removal in 2.5. This should limit the amount of users +impacted by this issue. + +CVE: 2017-12166 +Signed-off-by: Steffan Karger +Acked-by: Gert Doering +Acked-by: David Sommerseth +Message-Id: <80690690-67ac-3320-1891-9fecedc6a1fa@fox-it.com> +URL: https://www.mail-archive.com/search?l=mid&q=80690690-67ac-3320-1891-9fecedc6a1fa@fox-it.com +Signed-off-by: David Sommerseth +--- + src/openvpn/crypto.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c +index 131257e5..3f3caa1c 100644 +--- a/src/openvpn/crypto.c ++++ b/src/openvpn/crypto.c +@@ -1666,6 +1666,11 @@ read_key(struct key *key, const struct key_type *kt, struct buffer *buf) + goto read_err; + } + ++ if (cipher_length != kt->cipher_length || hmac_length != kt->hmac_length) ++ { ++ goto key_len_err; ++ } ++ + if (!buf_read(buf, key->cipher, cipher_length)) + { + goto read_err; +@@ -1675,11 +1680,6 @@ read_key(struct key *key, const struct key_type *kt, struct buffer *buf) + goto read_err; + } + +- if (cipher_length != kt->cipher_length || hmac_length != kt->hmac_length) +- { +- goto key_len_err; +- } +- + return 1; + + read_err: +-- +2.13.6 + diff --git a/openvpn.changes b/openvpn.changes index 2605220..edffa19 100644 --- a/openvpn.changes +++ b/openvpn.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Tue Oct 10 14:10:30 CEST 2017 - ndas@suse.de + +- Do bound check in read_key before using values(CVE-2017-12166 bsc#1060877). + [+ 0002-Fix-bounds-check-in-read_key.patch] + ------------------------------------------------------------------- Fri Aug 11 13:43:39 UTC 2017 - sebix+novell.com@sebix.at diff --git a/openvpn.spec b/openvpn.spec index 8f9be63..a4f7826 100644 --- a/openvpn.spec +++ b/openvpn.spec @@ -54,6 +54,7 @@ Patch6: %{name}-fips140-2.3.2.patch Patch7: openvpn-2.3.9-Fix-heap-overflow-on-getaddrinfo-result.patch Patch8: openvpn-2.3.x-fixed-multiple-low-severity-issues.patch Patch9: 0001-preform-deferred-authentication-in-the-background.patch +Patch10: 0002-Fix-bounds-check-in-read_key.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: iproute2 BuildRequires: lzo-devel @@ -141,6 +142,7 @@ This package provides the header file to build external plugins. %patch7 -p1 %patch8 -p1 %patch9 -p1 +%patch10 -p1 sed -e "s|\" __DATE__|$(date '+%b %e %Y' -r version.m4)\"|g" \ -i src/openvpn/options.c