[Openvpn-devel] [PATCH applied] Re: interactive.c: Fix potential stack overflow issue

Tue, 19 Mar 2024 11:09:43 -0700 

As for the two previous windows/CVE patches, this patch was sent "with
ACK included" to the openvpn-devel@ list because it was developed under
embargo (CVE), and reviewed and ACKed in a closed group.  I have verified
that this patch is identical to the "v2" version that Heiko and the original
reporter saw and ACKed. 

The patch looks larger than the actual code change, because to do the
size check the union typedef needs to move outside the function where
it was "local" before.  The actual check is very straightforward - "if
there is more data in the pipe than can fit into a pipe_message_t,
log an error and close this thread" (thus, abandon the process on the
other end that pretends to be openvpn.exe but is misbehaving).

In itself, this bug is annoying, but can not be directly exploited
(because you cannot "just talk to this pipe", but you need to be
openvpn.exe from the install directory).  Combined with other potential
flaws that give an attacker the opportunity to swap the openvpn.exe
binary or get a malicious plugin loaded, this could end up being a
local privilege escalation to SYSTEM.  No exploit is known so far - this
was found by code inspection for missing bounds checks.


I have test compiled this on MinGW and GHA, but did not actually run it.

Your patch has been applied to the master and release/2.6 branch
(security relevant bugfix).  A direct cherrypick to 2.5 fails due to
"sufficiently different code and data structures" so I've asked Lev
to send a 2.5 version which I could review-and-ACK then.

commit 989b22cb6e007fd1addcfaf7d12f4fec9fbc9639 (master)
commit 9b2693feff9c49b9485cf94797c1c3502259dbe1 (release/2.6)

Author: Lev Stipakov
Date:   Tue Mar 19 17:27:11 2024 +0200

     interactive.c: Fix potential stack overflow issue

     Signed-off-by: Lev Stipakov <l...@openvpn.net>
     Acked-by: Heiko Hund <he...@openvpn.net>
     Message-Id: <20240319152803.1801-2-...@openvpn.net>
     URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28420.html
     Signed-off-by: Gert Doering <g...@greenie.muc.de>


--
kind regards,

Gert Doering



_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Reply via email to