commit 40a6c298a6c444cceb832ad1df5f7afe1fe9588f Author: kikadf <[email protected]> Date: Sun Oct 5 10:18:56 2014 +0200 openvpn-2.1.3-7-x86_64 * Fix CVE-2013-2061
diff --git a/source/network-extra/openvpn/CVE-2013-2061.patch b/source/network-extra/openvpn/CVE-2013-2061.patch
new file mode 100644
index 0000000..91283d0
--- /dev/null
+++ b/source/network-extra/openvpn/CVE-2013-2061.patch
@@ -0,0 +1,80 @@
+Backport of:
+
+From 11d21349a4e7e38a025849479b36ace7c2eec2ee Mon Sep 17 00:00:00 2001
+From: Steffan Karger <[email protected]>
+Date: Tue, 19 Mar 2013 13:01:50 +0100
+Subject: [PATCH] Use constant time memcmp when comparing HMACs in
+ openvpn_decrypt.
+
+Signed-off-by: Steffan Karger <[email protected]>
+Acked-by: Gert Doering <[email protected]>
+Signed-off-by: Gert Doering <[email protected]>
+---
+ src/openvpn/buffer.h | 8 ++++++++
+ src/openvpn/crypto.c | 20 +++++++++++++++++++-
+ 2 files changed, 27 insertions(+), 1 deletion(-)
+
+Index: openvpn-2.2.1/buffer.h
+===================================================================
+--- openvpn-2.2.1.orig/buffer.h 2014-09-30 14:55:10.821364908 -0400
++++ openvpn-2.2.1/buffer.h 2014-09-30 14:55:10.813364908 -0400
+@@ -620,6 +620,10 @@
+ }
+ }
+
++/**
++ * Compare src buffer contents with match.
++ * *NOT* constant time. Do not use when comparing HMACs.
++ */
+ static inline bool
+ buf_string_match (const struct buffer *src, const void *match, int size)
+ {
+@@ -628,6 +632,10 @@
+ return memcmp (BPTR (src), match, size) == 0;
+ }
+
++/**
++ * Compare first size bytes of src buffer contents with match.
++ * *NOT* constant time. Do not use when comparing HMACs.
++ */
+ static inline bool
+ buf_string_match_head (const struct buffer *src, const void *match, int size)
+ {
+Index: openvpn-2.2.1/crypto.c
+===================================================================
+--- openvpn-2.2.1.orig/crypto.c 2014-09-30 14:55:10.821364908 -0400
++++ openvpn-2.2.1/crypto.c 2014-09-30 14:55:10.813364908 -0400
+@@ -70,6 +70,24 @@
+ #define CRYPT_ERROR(format) \
+ do { msg (D_CRYPT_ERRORS, "%s: " format, error_prefix); goto error_exit; } while (false)
+
++/**
++ * As memcmp(), but constant-time.
++ * Returns 0 when data is equal, non-zero otherwise.
++ */
++static int
++memcmp_constant_time (const void *a, const void *b, size_t size) {
++ const uint8_t * a1 = a;
++ const uint8_t * b1 = b;
++ int ret = 0;
++ size_t i;
++
++ for (i = 0; i < size; i++) {
++ ret |= *a1++ ^ *b1++;
++ }
++
++ return ret;
++}
++
+ void
+ openvpn_encrypt (struct buffer *buf, struct buffer work,
+ const struct crypto_options *opt,
+@@ -254,7 +272,7 @@
+ ASSERT (hmac_len == in_hmac_len);
+
+ /* Compare locally computed HMAC with packet HMAC */
+- if (memcmp (local_hmac, BPTR (buf), hmac_len))
++ if (memcmp_constant_time (local_hmac, BPTR (buf), hmac_len))
+ CRYPT_ERROR ("packet HMAC authentication failed");
+
+ ASSERT (buf_advance (buf, hmac_len));
diff --git a/source/network-extra/openvpn/FrugalBuild b/source/network-extra/openvpn/FrugalBuild
index 0eb9e31..b019057 100644
--- a/source/network-extra/openvpn/FrugalBuild
+++ b/source/network-extra/openvpn/FrugalBuild
@@ -4,7 +4,7 @@
 pkgname=openvpn
 pkgver=2.1.3
-pkgrel=6
+pkgrel=7
 pkgdesc="A secure tunneling daemon"
 url="http://www.openvpn.org/"
 depends=('openssl>=1.0.0' 'lzo' 'pam')
@@ -17,6 +17,11 @@ sha1sums=('91058e78c58c2e66298c7132bea1ddba52baaa82' \
 _F_systemd_units=(openvpn@=)
 Finclude systemd
+# FSA fix ***
+source=(${source[@]} CVE-2013-2061.patch)
+sha1sums=(${sha1sums[@]} '482b91d4943f6c53d630423477bb8ff35d98f625')
+# ***********
+
 build() {
 Fbuild --sysconfdir=/etc/openvpn --prefix=/usr
_______________________________________________ Frugalware-git mailing list [email protected] http://frugalware.org/mailman/listinfo/frugalware-git
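Review bot: The embedded backport is addressed to openvpn-2.2.1 (its `Index:` and `---`/`+++` lines name openvpn-2.2.1/buffer.h and openvpn-2.2.1/crypto.c) while this package builds 2.1.3, so the hunk offsets (`@@ -620`, `@@ -628`, `@@ -70`, `@@ -254`) and context were not generated against the tree they will be applied to; confirm all four hunks apply to 2.1.3 without rejects, because a skipped crypto.c hunk would silently leave the variable-time memcmp in openvpn_decrypt while the package still advertises the CVE fix. The helper itself is sound: `ret |= *a1++ ^ *b1++` accumulates every byte difference with no data-dependent branch or early exit, so the time taken depends only on hmac_len and not on where the two HMACs first differ, and the caller only tests the result for zero/non-zero, which is exactly what the header comment promises. The two buffer.h hunks are documentation only, marking buf_string_match and buf_string_match_head as not constant-time so they are not reused for HMAC checks. The enclosing function of the last hunk, openvpn_decrypt, starts and ends outside the hunk.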
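Review bot: The two added array appends expand `${source[@]}` and `${sha1sums[@]}` unquoted, so any existing element containing whitespace or a glob character would be re-split; `source=("${source[@]}" CVE-2013-2061.patch)` and `sha1sums=("${sha1sums[@]}" '482b91d4943f6c53d630423477bb8ff35d98f625')` preserve the elements as-is. The `# FSA fix ***` / `# ***********` markers say nothing about what is fixed; naming it, e.g. `# FSA fix: CVE-2013-2061 - constant-time HMAC compare in openvpn_decrypt`, tells the next maintainer when the patch can be dropped. Nothing in the hunk shows the patch being applied inside build(); presumably Fbuild applies every .patch listed in source= automatically, so confirm from the build log that the four hunks were actually applied.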
