On Thu, Jun 22, 2017 at 11:16:04AM +0200, Raphael Hertzog wrote:
> Hello Alberto,
>
> The Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of openvpn:
> https://security-tracker.debian.org/tracker/CVE-2017-7508
> https://security-tracker.debian.org/tracker/CVE-2017-7520
> https://security-tracker.debian.org/tracker/CVE-2017-7521
>
> Would you like to take care of this yourself?
>
> If yes, please follow the workflow we have defined here:
> https://wiki.debian.org/LTS/Development
>
> If that workflow is a burden to you, feel free to just prepare an
> updated source package and send it to debian-...@lists.debian.org
> (via a debdiff, or with an URL pointing to the source package,
> or even with a pointer to your packaging repository), and the members
> of the LTS team will take care of the rest. Indicate clearly whether you
> have tested the updated package or not.

Hi,

Yep, the workflow seems a bit messy for an overworked newcomer.
Please find attached the corresponding debdiff. I have tested the resulting
package in one of my servers (not that many wheezy around these days) and
seems to work fine.

Thanks,

Alberto

--
Alberto Gonzalez Iniesta     | Training, consulting and technical support
mailto/sip: a...@inittab.org | in GNU/Linux and free software
Encrypted mail preferred     | http://inittab.com

Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55

diff -Nru openvpn-2.2.1/debian/changelog openvpn-2.2.1/debian/changelog --- openvpn-2.2.1/debian/changelog 2017-05-12 15:39:52.000000000 +0200 +++ openvpn-2.2.1/debian/changelog 2017-06-22 18:58:30.000000000 +0200 @@ -1,3 +1,11 @@ +openvpn (2.2.1-8+deb7u5) wheezy-security; urgency=low + + * The "Bye bye OpenVPN" release. + * patches/CVE-2017-7520.patch: Prevent two kinds of stack buffer OOB reads + and a crash for invalid input data. (CVE-2017-7520) + + -- Alberto Gonzalez Iniesta <a...@inittab.org> Thu, 22 Jun 2017 18:53:39 +0200 + openvpn (2.2.1-8+deb7u4) wheezy-security; urgency=medium * Non-maintainer upload by the Debian LTS team. diff -Nru openvpn-2.2.1/debian/patches/CVE-2017-7520.patch openvpn-2.2.1/debian/patches/CVE-2017-7520.patch --- openvpn-2.2.1/debian/patches/CVE-2017-7520.patch 1970-01-01 01:00:00.000000000 +0100 +++ openvpn-2.2.1/debian/patches/CVE-2017-7520.patch 2017-06-22 18:56:54.000000000 +0200 @@ -0,0 +1,56 @@ +commit 4bec9d25d519a56bc40458e947d3dfa964b82b13 +Author: Guido Vranken <guidovran...@gmail.com> +Date: Fri May 19 14:04:25 2017 +0200 + + Prevent two kinds of stack buffer OOB reads and a crash for invalid input data + + Pre-authentication remote crash/information disclosure for clients + + If clients use a HTTP proxy with NTLM authentication (i.e. + "--http-proxy <server> <port> [<authfile>|'auto'|'auto-nct'] ntlm2"), + a man-in-the-middle attacker between the client and the proxy can + cause the client to crash or disclose at most 96 bytes of stack + memory. The disclosed stack memory is likely to contain the proxy + password. + + If the proxy password is not reused, this is unlikely to compromise + the security of the OpenVPN tunnel itself. Clients who do not use + the --http-proxy option with ntlm2 authentication are not affected. + + CVE: 2017-7520 + 
Signed-off-by: Guido Vranken <guidovran...@gmail.com> + Acked-by: Gert Doering <g...@greenie.muc.de> + Message-Id: <CAO5O-EJvHKid-zTj+hmFG_3Gv78ixqCayE9=c62dzaxn32w...@mail.gmail.com> + URL: https://www.mail-archive.com/search?l=mid&q=CAO5O-EJvHKid-zTj+hmFG_3Gv78ixqCayE9=c62dzaxn32w...@mail.gmail.com + Signed-off-by: Gert Doering <g...@greenie.muc.de> + (cherry picked from commit 7718c8984f04b507c1885f363970e2124e3c6c77) + (cherry picked from commit f38a4a105979b87ebebe9be1c3d323116d3fb924) + +Index: openvpn-2.2.1/ntlm.c +=================================================================== +--- openvpn-2.2.1.orig/ntlm.c 2011-06-24 08:13:39.000000000 +0200 ++++ openvpn-2.2.1/ntlm.c 2017-06-22 18:56:50.624960031 +0200 +@@ -190,7 +190,7 @@ + */ + + char pwbuf[sizeof (p->up.password) * 2]; /* for unicode password */ +- char buf2[128]; /* decoded reply from proxy */ ++ unsigned char buf2[128]; /* decoded reply from proxy */ + unsigned char phase3[464]; + + char md4_hash[21]; +@@ -281,7 +281,13 @@ + tib_len = buf2[0x28];/* Get Target Information block size */ + if (tib_len > 96) tib_len = 96; + { +- char *tib_ptr = buf2 + buf2[0x2c]; /* Get Target Information block pointer */ ++ char *tib_ptr; ++ int tib_pos = buf2[0x2c]; ++ if (tib_pos + tib_len > sizeof(buf2)) ++ { ++ return NULL; ++ } ++ tib_ptr = buf2 + tib_pos; /* Get Target Information block pointer */ + memcpy(&ntlmv2_blob[0x1c], tib_ptr, tib_len); /* Copy Target Information block into the blob */ + } + } else { diff -Nru openvpn-2.2.1/debian/patches/series openvpn-2.2.1/debian/patches/series --- openvpn-2.2.1/debian/patches/series 2017-05-12 15:39:38.000000000 +0200 +++ openvpn-2.2.1/debian/patches/series 2017-06-22 18:56:45.000000000 +0200 @@ -15,3 +15,4 @@ update_sample_certs.patch CVE-2017-7479_1.patch CVE-2017-7479_2.patch +CVE-2017-7520.patch
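Review bot: The new debian/changelog entry documents only CVE-2017-7520, while the request this upload answers lists CVE-2017-7508 and CVE-2017-7521 as open for Wheezy as well. Please state in the entry (or in the cover mail) whether 2.2.1 is not affected by those two or whether they are deferred, so the security tracker can be updated to match. Separately, urgency=low sits oddly next to a patch description of a pre-authentication remote crash and stack memory disclosure; the previous security upload in the same changelog used urgency=medium.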
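Review bot: In the ntlm.c hunk at @@ -281, the added check "tib_pos + tib_len > sizeof(buf2)" bounds the copy by the size of the buffer rather than by the number of bytes actually decoded from the proxy reply. That keeps the memcpy inside buf2, but if buf2 is not cleared before decoding (not visible in this hunk), a short reply can still cause up to 96 bytes of stale buffer content to be copied into ntlmv2_blob and sent on. Consider comparing against the decoded length instead, or confirm that buf2 is zeroed first. Two smaller points in the same hunk: tib_ptr is still declared "char *" while buf2 is now "unsigned char", so "tib_ptr = buf2 + tib_pos" mixes pointer signedness and should be "unsigned char *"; and the comparison mixes an int sum with the size_t from sizeof, which is harmless here because tib_pos comes from a single unsigned byte, but a cast or a size_t declaration would make that explicit.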
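Review bot: The description carried in CVE-2017-7520.patch promises three fixes (two kinds of stack buffer OOB reads and a crash for invalid input data), but the ntlm.c changes in the file are only the buf2 type change at @@ -190 and the Target Information bounds check at @@ -281; nothing visible addresses the crash on invalid input. If that part of the original commit does not apply to the 2.2.1 code, say so in the patch header so the next reader does not have to diff against the cherry-picked commits; otherwise the backport looks incomplete and the missing hunk should be added before upload.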