Package: openvpn-auth-ldap
Version: 2.0.3-6.1
Severity: normal

Dear Maintainer,
This is very similar to bug #680166 and was originally reported against Ubuntu as https://pad.lv/1602813 and upstream as https://github.com/threerings/openvpn-auth-ldap/issues/11.

The ldap_result() return code is only checked against -1 and misses the timeout case, where it returns 0. As a result an assertion failure happens later on and the openvpn daemon crashes and exits.

It's the same assertion error that happens in Debian's #680166, but the proper fix for that case needs more work; that's why I'm filing a new bug.

The fix is in these two commits:
https://git.io/v9LtS
https://git.io/v9Lt1

To reproduce the problem, configure an openvpn server as usual with certificates and:

- add the plugin configuration line:
  plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/ldap.conf

- in /etc/openvpn/ldap.conf:
  <LDAP>
    BindDN uid=john,ou=people,dc=example
    Password something
    URL ldap://localhost
    Timeout 1
    TLSEnable no
    FollowReferrals yes
  </LDAP>
  # no need for an <Authorization> section

- start nc on port 389:
  nc -l -p 389

- start the openvpn server

Next you will need an openvpn client, also configured with the SSL certs as usual, plus "auth-user-pass". When you start this openvpn client, it will prompt you for username and password. The values you provide are irrelevant:

(...)
Enter Auth Username: asd
Enter Auth Password: ***

The vulnerable server will crash, whereas one with the patches will just complain about a timeout error.

This was reproduced and tested on a Debian Stretch container on an Ubuntu host; that's why the kernel info below is from Ubuntu.
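Added example (not the plugin's code and not from the reporter): a constructed C model of the return-code check described above. A stub named fake_ldap_result stands in for libldap's ldap_result() so the block compiles without LDAP headers; search_vulnerable and search_fixed are assumed names. The unpatched branch shows how a 0 (timeout) return falls through to the point where the real plugin asserts, and the patched branch turns that case into a logged timeout failure instead.

```c
#include <stddef.h>

/* Constructed model of the libldap contract the report relies on:
 * ldap_result() returns -1 on error, 0 when the timeout expires (leaving *res NULL),
 * and the message type (> 0) when a reply arrived. This stub stands in for libldap so
 * the example compiles without LDAP headers; it is not the plugin's own code. */
enum server_behaviour { SERVER_REPLIES, SERVER_SILENT, SERVER_ERROR };

static int fake_ldap_result(enum server_behaviour srv, void **res) {
    static int reply_msg = 0x64;         /* any non-NULL object stands in for an LDAPMessage */
    *res = NULL;
    if (srv == SERVER_ERROR) return -1;  /* protocol / connection error */
    if (srv == SERVER_SILENT) return 0;  /* nc -l -p 389 never answers: timeout */
    *res = &reply_msg;
    return 0x64;                         /* a positive message type: reply is ready */
}

/* Outcome codes; AUTH_WOULD_CRASH marks where the real daemon hits its assertion. */
enum outcome { AUTH_OK, AUTH_LDAP_ERROR, AUTH_TIMEOUT, AUTH_WOULD_CRASH };

/* Mirrors the unpatched logic described in the report: only -1 is checked, so a
 * timeout falls through with res == NULL and the later assertion fires. */
static enum outcome search_vulnerable(enum server_behaviour srv) {
    void *res;
    int rc = fake_ldap_result(srv, &res);
    if (rc == -1) return AUTH_LDAP_ERROR;
    if (res == NULL) return AUTH_WOULD_CRASH;   /* assert(res != NULL) in the daemon */
    return AUTH_OK;
}

/* Patched logic: the timeout (rc == 0) is handled explicitly and becomes an
 * authentication failure that can be logged, never reaching the assertion. */
static enum outcome search_fixed(enum server_behaviour srv) {
    void *res;
    int rc = fake_ldap_result(srv, &res);
    if (rc == -1) return AUTH_LDAP_ERROR;
    if (rc == 0)  return AUTH_TIMEOUT;          /* the check the two commits add */
    if (res == NULL) return AUTH_WOULD_CRASH;   /* defensive; unreachable with a sane library */
    return AUTH_OK;
}
```

With SERVER_SILENT (the nc listener that never replies) the vulnerable path returns AUTH_WOULD_CRASH while the fixed path returns AUTH_TIMEOUT; both paths agree on the error and reply cases.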
-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.4.0-72-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages openvpn-auth-ldap depends on:
ii  gnustep-base-runtime  1.24.9-3.1
ii  libc6                 2.24-9
ii  libgcc1               1:6.3.0-14
ii  libgnustep-base1.24   1.24.9-3.1
ii  libldap-2.4-2         2.4.44+dfsg-3
ii  libobjc4              6.3.0-14
ii  openvpn               2.4.0-4

openvpn-auth-ldap recommends no packages.

openvpn-auth-ldap suggests no packages.

-- no debconf information