Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu
Hi,

I would like to update openvpn in Buster fixing two no-dsa CVEs and one performance issue.

CVE-2020-11810: No Debian Bug#, fixed upstream in 2.4.9
CVE-2020-15078: Bug#987380, cherry-picked for sid/bullseye in 2.5.1-2
TCP performance issue: Bug#968942, fixed upstream in 2.4.8

Proposed debdiff attached.

Bernhard
diffstat for openvpn-2.4.7 openvpn-2.4.7 changelog | 8 ++++ patches/CVE-2020-11810.patch | 65 +++++++++++++++++++++++++++++++++++++ patches/CVE-2020-15078.patch | 37 +++++++++++++++++++++ patches/increase-tcp-backlog.patch | 43 ++++++++++++++++++++++++ patches/series | 3 + 5 files changed, 156 insertions(+) diff -Nru openvpn-2.4.7/debian/changelog openvpn-2.4.7/debian/changelog --- openvpn-2.4.7/debian/changelog 2019-02-20 14:50:03.000000000 +0100 +++ openvpn-2.4.7/debian/changelog 2021-04-28 16:48:07.000000000 +0200 @@ -1,3 +1,11 @@ +openvpn (2.4.7-1+deb10u1) buster; urgency=medium + + * Cherry-Pick upstream patches for CVE-2020-11810 and CVE-2020-15078 + (Closes: #987380) + * Cherry-Pick upstream fix to increase TCP socket backlog (Closes: #968942) + + -- Bernhard Schmidt <be...@debian.org> Wed, 28 Apr 2021 16:48:07 +0200 + openvpn (2.4.7-1) unstable; urgency=medium [ Bernhard Schmidt ] diff -Nru openvpn-2.4.7/debian/patches/CVE-2020-11810.patch openvpn-2.4.7/debian/patches/CVE-2020-11810.patch --- openvpn-2.4.7/debian/patches/CVE-2020-11810.patch 1970-01-01 01:00:00.000000000 +0100 +++ openvpn-2.4.7/debian/patches/CVE-2020-11810.patch 2021-04-28 16:48:07.000000000 +0200 
@@ -0,0 +1,65 @@ +From 37bc691e7d26ea4eb61a8a434ebd7a9ae76225ab Mon Sep 17 00:00:00 2001 +From: Lev Stipakov <l...@openvpn.net> +Date: Wed, 15 Apr 2020 10:30:17 +0300 +Subject: [PATCH] Fix illegal client float (CVE-2020-11810) + +There is a time frame between allocating peer-id and initializing data +channel key (which is performed on receiving push request or on async +push-reply) in which the existing peer-id float checks do not work right. + +If a "rogue" data channel packet arrives during that time frame from +another address and with same peer-id, this would cause client to float +to that new address. This is because: + + - tls_pre_decrypt() sets packet length to zero if + data channel key has not been initialized, which leads to + + - openvpn_decrypt() returns true if packet length is zero, + which leads to + + - process_incoming_link_part1() returns true, which + calls multi_process_float(), which commits float + +Note that problem doesn't happen when data channel key is initialized, +since in this case openvpn_decrypt() returns false. + +The net effect of this behaviour is that the VPN session for the +"victim client" is broken. Since the "attacker client" does not have +suitable keys, it can not inject or steal VPN traffic from the other +session. The time window is small and it can not be used to attack +a specific client's session, unless some other way is found to make it +disconnect and reconnect first. + +CVE-2020-11810 has been assigned to acknowledge this risk. + +Fix illegal float by adding buffer length check ("is this packet still +considered valid") before calling multi_process_float(). 
+ +Trac: #1272 +CVE: 2020-11810 + +Signed-off-by: Lev Stipakov <l...@openvpn.net> +Acked-by: Arne Schwabe <a...@rfc2549.org> +Acked-by: Antonio Quartulli <anto...@openvpn.net> +Acked-by: Gert Doering <g...@greenie.muc.de> +Message-Id: <20200415073017.22839-1-lstipa...@gmail.com> +URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19720.html +Signed-off-by: Gert Doering <g...@greenie.muc.de> +--- + src/openvpn/multi.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c +index b42bcec97..056e3dc76 100644 +--- a/src/openvpn/multi.c ++++ b/src/openvpn/multi.c +@@ -2577,7 +2577,8 @@ multi_process_incoming_link(struct multi_context *m, struct multi_instance *inst + orig_buf = c->c2.buf.data; + if (process_incoming_link_part1(c, lsi, floated)) + { +- if (floated) ++ /* nonzero length means that we have a valid, decrypted packed */ ++ if (floated && c->c2.buf.len > 0) + { + multi_process_float(m, m->pending); + } diff -Nru openvpn-2.4.7/debian/patches/CVE-2020-15078.patch openvpn-2.4.7/debian/patches/CVE-2020-15078.patch --- openvpn-2.4.7/debian/patches/CVE-2020-15078.patch 1970-01-01 01:00:00.000000000 +0100 +++ openvpn-2.4.7/debian/patches/CVE-2020-15078.patch 2021-04-28 16:48:07.000000000 +0200 
@@ -0,0 +1,37 @@ +From 0e5516a9d656ce86f7fb370c824344ea1760c255 Mon Sep 17 00:00:00 2001 +From: Arne Schwabe <a...@rfc2549.org> +Date: Tue, 6 Apr 2021 00:05:21 +0200 +Subject: [PATCH] Ensure key state is authenticated before sending push reply + +This ensures that the key state is authenticated when sending +a push reply. +--- + src/openvpn/push.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/src/openvpn/push.c b/src/openvpn/push.c +index 002be2332..52c6e8200 100644 +--- a/src/openvpn/push.c ++++ b/src/openvpn/push.c +@@ -652,6 +652,7 @@ int + process_incoming_push_request(struct context *c) + { + int ret = PUSH_MSG_ERROR; ++ struct key_state *ks = &c->c2.tls_multi->session[TM_ACTIVE].key[KS_PRIMARY]; + + #ifdef ENABLE_ASYNC_PUSH + c->c2.push_request_received = true; +@@ -662,7 +663,12 @@ process_incoming_push_request(struct context *c) + send_auth_failed(c, client_reason); + ret = PUSH_MSG_AUTH_FAILURE; + } +- else if (!c->c2.push_reply_deferred && c->c2.context_auth == CAS_SUCCEEDED) ++ else if (!c->c2.push_reply_deferred && c->c2.context_auth == CAS_SUCCEEDED ++ && ks->authenticated ++ #ifdef ENABLE_DEF_AUTH ++ && !ks->auth_deferred ++ #endif ++ ) + { + time_t now; + diff -Nru openvpn-2.4.7/debian/patches/increase-tcp-backlog.patch openvpn-2.4.7/debian/patches/increase-tcp-backlog.patch --- openvpn-2.4.7/debian/patches/increase-tcp-backlog.patch 1970-01-01 01:00:00.000000000 +0100 +++ openvpn-2.4.7/debian/patches/increase-tcp-backlog.patch 2021-04-28 16:48:07.000000000 +0200 
@@ -0,0 +1,43 @@ +From ec0ca68f4ed1e6aa6f08f470b18e0198b7e5a4da Mon Sep 17 00:00:00 2001 +From: Gert Doering <g...@greenie.muc.de> +Date: Thu, 15 Aug 2019 17:53:19 +0200 +Subject: [PATCH] Increase listen() backlog queue to 32 + +For reasons historically unknown, OpenVPN sets the listen() backlog +queue to "1", which signals the kernel "while there is one TCP connect +waiting for OpenVPN to handle it, refuse all others" - which, on +restarting a busy TCP server, will create connection issues. + +The exact "best" value of the backlog queue is subject of discussion, +but for a server that is not extremely busy with many connections +coming in in parallel, there is no real difference between "10" or "500", +as long as it's "more than 1". + +Found and debugged by "mjo" in Trac. + +Trac: #1208 + +Signed-off-by: Gert Doering <g...@greenie.muc.de> +Acked-by: Antonio Quartulli <anto...@openvpn.net> +Acked-by: David Sommerseth <dav...@openvpn.net> +Message-Id: <20190815155319.28249-1-g...@greenie.muc.de> +URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18758.html +Signed-off-by: Gert Doering <g...@greenie.muc.de> +(cherry picked from commit 6d8380c78bf77766454b93b49ab2ebf713b0be48) +--- + src/openvpn/socket.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c +index c76d20627..9131ec202 100644 +--- a/src/openvpn/socket.c ++++ b/src/openvpn/socket.c +@@ -1170,7 +1170,7 @@ socket_do_listen(socket_descriptor_t sd, + ASSERT(local); + msg(M_INFO, "Listening for incoming TCP connection on %s", + print_sockaddr(local->ai_addr, &gc)); +- if (listen(sd, 1)) ++ if (listen(sd, 32)) + { + msg(M_ERR, "TCP: listen() failed"); + } diff -Nru openvpn-2.4.7/debian/patches/series openvpn-2.4.7/debian/patches/series --- openvpn-2.4.7/debian/patches/series 2019-02-20 14:50:03.000000000 +0100 +++ openvpn-2.4.7/debian/patches/series 2021-04-28 16:48:07.000000000 +0200 
@@ -7,3 +7,6 @@ spelling_errors.patch systemd.patch fix-pkcs11-helper-hang.patch +CVE-2020-11810.patch +CVE-2020-15078.patch +increase-tcp-backlog.patch
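Review bot: In the debian/changelog hunk the "(Closes: #987380)" sits under a single bullet that names both CVE-2020-11810 and CVE-2020-15078, so a reader of the changelog alone will assume #987380 covers both, while the cover mail says CVE-2020-11810 has no Debian bug at all. Split it into two bullets, e.g. "* Cherry-pick upstream patch for CVE-2020-11810 (illegal client float)" and "* Cherry-pick upstream patch for CVE-2020-15078 (push reply sent before key state authenticated) (Closes: #987380)", so the bug reference and a one-line description attach to the right CVE; the Security Team also grep changelogs for the CVE id next to its description.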
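Review bot: The comment added in the src/openvpn/multi.c hunk of CVE-2020-11810.patch reads "valid, decrypted packed" where "packet" is meant. It is copied verbatim from upstream commit 37bc691e7d26ea4eb61a8a434ebd7a9ae76225ab, so either keep it byte-identical for an exact cherry-pick or fix the typo and note the local edit in the header; do not leave it silently diverging from the hash in the From line. The check itself ("if (floated && c->c2.buf.len > 0)") does what the description says: tls_pre_decrypt() leaves the buffer empty when no data-channel key exists yet, so the float is now only committed for a packet that actually passed decryption.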
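Review bot: CVE-2020-15078.patch is the only one of the three whose header carries no CVE: line, Trac reference, Acked-by/Signed-off-by trailers or cherry-pick note, so nothing inside the patch file ties it to the CVE or to #987380. Add DEP-3 headers before upload, at least "CVE: 2020-15078", "Bug-Debian: https://bugs.debian.org/987380" and an Origin: line saying which upstream branch commit 0e5516a9d656ce86f7fb370c824344ea1760c255 was taken from, since the cover mail notes the sid/bullseye version is 2.5.1-2 and the 2.5 and 2.4 fixes differ. On the code: the new "ks" pointer is taken from c->c2.tls_multi->session[TM_ACTIVE].key[KS_PRIMARY] unconditionally at the top of process_incoming_push_request(), before the auth-failure branch; please confirm from the caller that this function cannot be entered with tls_multi NULL, or move the dereference into the else-if branch where it is used.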
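Review bot: The src/openvpn/socket.c hunk in increase-tcp-backlog.patch is a behaviour change, not a security fix, so the changelog should state the user-visible failure it cures (TCP clients refused while a busy server restarts, per #968942) rather than just "increase TCP socket backlog", and a Bug-Debian: header in the patch would help. The upstream message itself says any value "more than 1" will do; hardcoding 32 is the conservative choice that matches upstream 2.4.8, which is the right call for a point release, but say so explicitly so the release team does not have to guess why 32 rather than SOMAXCONN (which would let the kernel's net.core.somaxconn cap apply).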