Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu
Hi,
I would like to update openvpn in Buster fixing two no-dsa CVEs and one
performance issue.
CVE-2020-11810: No Debian Bug#, fixed upstream in 2.4.9
CVE-2020-15078: Bug#987380, cherry-picked for sid/bullseye in 2.5.1-2
TCP performance issue: Bug#968942, fixed upsteam in 2.4.8
Proposed debdiff attached.
Brnhard
diffstat for openvpn-2.4.7 openvpn-2.4.7
changelog | 8 ++++
patches/CVE-2020-11810.patch | 65 +++++++++++++++++++++++++++++++++++++
patches/CVE-2020-15078.patch | 37 +++++++++++++++++++++
patches/increase-tcp-backlog.patch | 43 ++++++++++++++++++++++++
patches/series | 3 +
5 files changed, 156 insertions(+)
diff -Nru openvpn-2.4.7/debian/changelog openvpn-2.4.7/debian/changelog
--- openvpn-2.4.7/debian/changelog 2019-02-20 14:50:03.000000000 +0100
+++ openvpn-2.4.7/debian/changelog 2021-04-28 16:48:07.000000000 +0200
@@ -1,3 +1,11 @@
+openvpn (2.4.7-1+deb10u1) buster; urgency=medium
+
+ * Cherry-Pick upstream patches for CVE-2020-11810 and CVE-2020-15078
+ (Closes: #987380)
+ * Cherry-Pick upstream fix to increase TCP socket backlog (Closes: #968942)
+
+ -- Bernhard Schmidt <be...@debian.org> Wed, 28 Apr 2021 16:48:07 +0200
+
openvpn (2.4.7-1) unstable; urgency=medium
[ Bernhard Schmidt ]
diff -Nru openvpn-2.4.7/debian/patches/CVE-2020-11810.patch
openvpn-2.4.7/debian/patches/CVE-2020-11810.patch
--- openvpn-2.4.7/debian/patches/CVE-2020-11810.patch 1970-01-01
01:00:00.000000000 +0100
+++ openvpn-2.4.7/debian/patches/CVE-2020-11810.patch 2021-04-28
16:48:07.000000000 +0200
@@ -0,0 +1,65 @@
+From 37bc691e7d26ea4eb61a8a434ebd7a9ae76225ab Mon Sep 17 00:00:00 2001
+From: Lev Stipakov <l...@openvpn.net>
+Date: Wed, 15 Apr 2020 10:30:17 +0300
+Subject: [PATCH] Fix illegal client float (CVE-2020-11810)
+
+There is a time frame between allocating peer-id and initializing data
+channel key (which is performed on receiving push request or on async
+push-reply) in which the existing peer-id float checks do not work right.
+
+If a "rogue" data channel packet arrives during that time frame from
+another address and with same peer-id, this would cause client to float
+to that new address. This is because:
+
+ - tls_pre_decrypt() sets packet length to zero if
+ data channel key has not been initialized, which leads to
+
+ - openvpn_decrypt() returns true if packet length is zero,
+ which leads to
+
+ - process_incoming_link_part1() returns true, which
+ calls multi_process_float(), which commits float
+
+Note that problem doesn't happen when data channel key is initialized,
+since in this case openvpn_decrypt() returns false.
+
+The net effect of this behaviour is that the VPN session for the
+"victim client" is broken. Since the "attacker client" does not have
+suitable keys, it can not inject or steal VPN traffic from the other
+session. The time window is small and it can not be used to attack
+a specific client's session, unless some other way is found to make it
+disconnect and reconnect first.
+
+CVE-2020-11810 has been assigned to acknowledge this risk.
+
+Fix illegal float by adding buffer length check ("is this packet still
+considered valid") before calling multi_process_float().
+
+Trac: #1272
+CVE: 2020-11810
+
+Signed-off-by: Lev Stipakov <l...@openvpn.net>
+Acked-by: Arne Schwabe <a...@rfc2549.org>
+Acked-by: Antonio Quartulli <anto...@openvpn.net>
+Acked-by: Gert Doering <g...@greenie.muc.de>
+Message-Id: <20200415073017.22839-1-lstipa...@gmail.com>
+URL:
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19720.html
+Signed-off-by: Gert Doering <g...@greenie.muc.de>
+---
+ src/openvpn/multi.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
+index b42bcec97..056e3dc76 100644
+--- a/src/openvpn/multi.c
++++ b/src/openvpn/multi.c
+@@ -2577,7 +2577,8 @@ multi_process_incoming_link(struct multi_context *m,
struct multi_instance *inst
+ orig_buf = c->c2.buf.data;
+ if (process_incoming_link_part1(c, lsi, floated))
+ {
+- if (floated)
++ /* nonzero length means that we have a valid, decrypted
packed */
++ if (floated && c->c2.buf.len > 0)
+ {
+ multi_process_float(m, m->pending);
+ }
diff -Nru openvpn-2.4.7/debian/patches/CVE-2020-15078.patch
openvpn-2.4.7/debian/patches/CVE-2020-15078.patch
--- openvpn-2.4.7/debian/patches/CVE-2020-15078.patch 1970-01-01
01:00:00.000000000 +0100
+++ openvpn-2.4.7/debian/patches/CVE-2020-15078.patch 2021-04-28
16:48:07.000000000 +0200
@@ -0,0 +1,37 @@
+From 0e5516a9d656ce86f7fb370c824344ea1760c255 Mon Sep 17 00:00:00 2001
+From: Arne Schwabe <a...@rfc2549.org>
+Date: Tue, 6 Apr 2021 00:05:21 +0200
+Subject: [PATCH] Ensure key state is authenticated before sending push reply
+
+This ensures that the key state is authenticated when sending
+a push reply.
+---
+ src/openvpn/push.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/src/openvpn/push.c b/src/openvpn/push.c
+index 002be2332..52c6e8200 100644
+--- a/src/openvpn/push.c
++++ b/src/openvpn/push.c
+@@ -652,6 +652,7 @@ int
+ process_incoming_push_request(struct context *c)
+ {
+ int ret = PUSH_MSG_ERROR;
++ struct key_state *ks =
&c->c2.tls_multi->session[TM_ACTIVE].key[KS_PRIMARY];
+
+ #ifdef ENABLE_ASYNC_PUSH
+ c->c2.push_request_received = true;
+@@ -662,7 +663,12 @@ process_incoming_push_request(struct context *c)
+ send_auth_failed(c, client_reason);
+ ret = PUSH_MSG_AUTH_FAILURE;
+ }
+- else if (!c->c2.push_reply_deferred && c->c2.context_auth ==
CAS_SUCCEEDED)
++ else if (!c->c2.push_reply_deferred && c->c2.context_auth == CAS_SUCCEEDED
++ && ks->authenticated
++ #ifdef ENABLE_DEF_AUTH
++ && !ks->auth_deferred
++ #endif
++ )
+ {
+ time_t now;
+
diff -Nru openvpn-2.4.7/debian/patches/increase-tcp-backlog.patch
openvpn-2.4.7/debian/patches/increase-tcp-backlog.patch
--- openvpn-2.4.7/debian/patches/increase-tcp-backlog.patch 1970-01-01
01:00:00.000000000 +0100
+++ openvpn-2.4.7/debian/patches/increase-tcp-backlog.patch 2021-04-28
16:48:07.000000000 +0200
@@ -0,0 +1,43 @@
+From ec0ca68f4ed1e6aa6f08f470b18e0198b7e5a4da Mon Sep 17 00:00:00 2001
+From: Gert Doering <g...@greenie.muc.de>
+Date: Thu, 15 Aug 2019 17:53:19 +0200
+Subject: [PATCH] Increase listen() backlog queue to 32
+
+For reasons historically unknown, OpenVPN sets the listen() backlog
+queue to "1", which signals the kernel "while there is one TCP connect
+waiting for OpenVPN to handle it, refuse all others" - which, on
+restarting a busy TCP server, will create connection issues.
+
+The exact "best" value of the backlog queue is subject of discussion,
+but for a server that is not extremely busy with many connections
+coming in in parallel, there is no real difference between "10" or "500",
+as long as it's "more than 1".
+
+Found and debugged by "mjo" in Trac.
+
+Trac: #1208
+
+Signed-off-by: Gert Doering <g...@greenie.muc.de>
+Acked-by: Antonio Quartulli <anto...@openvpn.net>
+Acked-by: David Sommerseth <dav...@openvpn.net>
+Message-Id: <20190815155319.28249-1-g...@greenie.muc.de>
+URL:
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18758.html
+Signed-off-by: Gert Doering <g...@greenie.muc.de>
+(cherry picked from commit 6d8380c78bf77766454b93b49ab2ebf713b0be48)
+---
+ src/openvpn/socket.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c
+index c76d20627..9131ec202 100644
+--- a/src/openvpn/socket.c
++++ b/src/openvpn/socket.c
+@@ -1170,7 +1170,7 @@ socket_do_listen(socket_descriptor_t sd,
+ ASSERT(local);
+ msg(M_INFO, "Listening for incoming TCP connection on %s",
+ print_sockaddr(local->ai_addr, &gc));
+- if (listen(sd, 1))
++ if (listen(sd, 32))
+ {
+ msg(M_ERR, "TCP: listen() failed");
+ }
diff -Nru openvpn-2.4.7/debian/patches/series
openvpn-2.4.7/debian/patches/series
--- openvpn-2.4.7/debian/patches/series 2019-02-20 14:50:03.000000000 +0100
+++ openvpn-2.4.7/debian/patches/series 2021-04-28 16:48:07.000000000 +0200
@@ -7,3 +7,6 @@
spelling_errors.patch
systemd.patch
fix-pkcs11-helper-hang.patch
+CVE-2020-11810.patch
+CVE-2020-15078.patch
+increase-tcp-backlog.patch
