Version in base suite: 2.6.3-1+deb12u1 Base version: openvpn_2.6.3-1+deb12u1 Target version: openvpn_2.6.3-1+deb12u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/o/openvpn/openvpn_2.6.3-1+deb12u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/o/openvpn/openvpn_2.6.3-1+deb12u2.dsc changelog | 10 +++ patches/CVE-2023-46849.patch | 113 +++++++++++++++++++++++++++++++++++++++++++ patches/CVE-2023-46850.patch | 53 ++++++++++++++++++++ patches/series | 2 4 files changed, 178 insertions(+)
diff -Nru openvpn-2.6.3/debian/changelog openvpn-2.6.3/debian/changelog
--- openvpn-2.6.3/debian/changelog 2023-06-21 19:41:33.000000000 +0000
+++ openvpn-2.6.3/debian/changelog 2023-11-11 22:21:37.000000000 +0000
@@ -1,3 +1,13 @@
+openvpn (2.6.3-1+deb12u2) bookworm-security; urgency=medium
+
+ * Cherry-Pick upstream fixes for two CVEs
+ - CVE-2023-46849: Use of --fragment option can lead to a division by zero
+ error which can be fatal
+ - CVE-2023-46850: Incorrect use of send buffer can cause memory to be sent
+ to peer
+
+ -- Bernhard Schmidt Sat, 11 Nov 2023 23:21:37 +0100
+
 openvpn (2.6.3-1+deb12u1) bookworm; urgency=medium
 
 * Cherry-pick two bugfix commits from upstream
diff -Nru openvpn-2.6.3/debian/patches/CVE-2023-46849.patch openvpn-2.6.3/debian/patches/CVE-2023-46849.patch
--- openvpn-2.6.3/debian/patches/CVE-2023-46849.patch 1970-01-01 00:00:00.000000000 +0000
+++ openvpn-2.6.3/debian/patches/CVE-2023-46849.patch 2023-11-11 22:21:37.000000000 +0000
@@ -0,0 +1,113 @@
+From 1cfca659244e362f372d9843351257f456392a2f Mon Sep 17 00:00:00 2001
+From: Arne Schwabe
+Date: Thu, 19 Oct 2023 15:14:33 +0200
+Subject: [PATCH] Remove saving initial frame code
+
+This code was necessary before the frame/buffer refactoring as we
+always did relative adjustment to the frame.
+
+This also fixes also that previously initial_frame was initialised too
+early before the fragment related options were initialised and contained
+0 for the maximum frame size. This resulted in a DIV by 0 that caused an
+abort on platforms that throw an exception for that.
+
+CVE: 2023-46849
+
+Only people with --fragment in their config are affected
+
+Change-Id: Icc612bab5700879606290639e1b8773f61ec670d
+Signed-off-by: Arne Schwabe
+Acked-by: David Sommerseth
+Acked-by: Heiko Hund
+Message-Id: <20231108124947.76816-1-gert@greenie.muc.de>
+URL: https://www.mail-archive.com/search?l=mid&q=20231108124947.76816-1-gert@greenie.muc.de
+Signed-off-by: Gert Doering
+---
+ src/openvpn/forward.c | 9 ---------
+ src/openvpn/init.c | 19 ++++++++-----------
+ src/openvpn/openvpn.h | 3 ---
+ 3 files changed, 8 insertions(+), 23 deletions(-)
+
+diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
+index 2510410f905..0443ca0a01f 100644
+--- a/src/openvpn/forward.c
++++ b/src/openvpn/forward.c
+@@ -1078,15 +1078,6 @@ process_incoming_link_part1(struct context *c, struct link_socket_info *lsi, boo
+ if (tls_pre_decrypt(c->c2.tls_multi, &c->c2.from, &c->c2.buf, &co,
+ floated, &ad_start))
+ {
+- /* Restore pre-NCP frame parameters */
+- if (is_hard_reset_method2(opcode))
+- {
+- c->c2.frame = c->c2.frame_initial;
+-#ifdef ENABLE_FRAGMENT
+- c->c2.frame_fragment = c->c2.frame_fragment_initial;
+-#endif
+- }
+-
+ interval_action(&c->c2.tmp_int);
+
+ /* reset packet received timer if TLS packet */
+diff --git a/src/openvpn/init.c b/src/openvpn/init.c
+index 6fb6900de67..079c4f5e18f 100644
+--- a/src/openvpn/init.c
++++ b/src/openvpn/init.c
+@@ -3547,15 +3547,6 @@ do_init_frame(struct context *c)
+ */
+ frame_finalize_options(c, NULL);
+
+-#ifdef ENABLE_FRAGMENT
+- /*
+- * Set frame parameter for fragment code. This is necessary because
+- * the fragmentation code deals with payloads which have already been
+- * passed through the compression code.
+- */
+- c->c2.frame_fragment = c->c2.frame;
+- c->c2.frame_fragment_initial = c->c2.frame_fragment;
+-#endif
+
+ #if defined(ENABLE_FRAGMENT)
+ /*
+@@ -3751,6 +3742,14 @@ static void
+ do_init_fragment(struct context *c)
+ {
+ ASSERT(c->options.ce.fragment);
++
++ /*
++ * Set frame parameter for fragment code. This is necessary because
++ * the fragmentation code deals with payloads which have already been
++ * passed through the compression code.
++ */
++ c->c2.frame_fragment = c->c2.frame;
++
+ frame_calculate_dynamic(&c->c2.frame_fragment, &c->c1.ks.key_type,
+ &c->options, get_link_socket_info(c));
+ fragment_frame_init(c->c2.fragment, &c->c2.frame_fragment);
+@@ -4658,8 +4657,6 @@ init_instance(struct context *c, const struct env_set *env, const unsigned int f
+ c->c2.did_open_tun = do_open_tun(c, &error_flags);
+ }
+
+- c->c2.frame_initial = c->c2.frame;
+-
+ /* print MTU info */
+ do_print_data_channel_mtu_parms(c);
+
+diff --git a/src/openvpn/openvpn.h b/src/openvpn/openvpn.h
+index 077effeb9ec..5b2be63f98c 100644
+--- a/src/openvpn/openvpn.h
++++ b/src/openvpn/openvpn.h
+@@ -249,14 +249,11 @@ struct context_2
+
+ /* MTU frame parameters */
+ struct frame frame; /* Active frame parameters */
+- struct frame frame_initial; /* Restored on new session */
+
+ #ifdef ENABLE_FRAGMENT
+ /* Object to handle advanced MTU negotiation and datagram fragmentation */
+ struct fragment_master *fragment;
+ struct frame frame_fragment;
+- struct frame frame_fragment_initial;
+- struct frame frame_fragment_omit;
+ #endif
+
+ /*
diff -Nru openvpn-2.6.3/debian/patches/CVE-2023-46850.patch openvpn-2.6.3/debian/patches/CVE-2023-46850.patch
--- openvpn-2.6.3/debian/patches/CVE-2023-46850.patch
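Review bot: With the frame_fragment setup moved from do_init_frame() into do_init_fragment(), c->c2.frame_fragment is only populated when --fragment is configured (do_init_fragment() asserts c->options.ce.fragment), so on an ENABLE_FRAGMENT build without --fragment it is presumably left at whatever context_2 zeroing gives it; the `#if defined(ENABLE_FRAGMENT)` block that follows in do_init_frame() continues past the hunk and should be checked for a read of frame_fragment on that path. The struct edit also drops frame_fragment_omit, which none of the removed code lines used, so a stale reference would only surface as a build error in a file not shown here. Unlike CVE-2023-46850.patch, this patch header carries no `(cherry picked from commit ...)` trailer naming the upstream release-2.6 commit, which would make the backport's provenance checkable during review. do_init_frame(), do_init_fragment() and init_instance() all start or end outside these hunks.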
1970-01-01 00:00:00.000000000 +0000
+++ openvpn-2.6.3/debian/patches/CVE-2023-46850.patch 2023-11-11 22:21:37.000000000 +0000
@@ -0,0 +1,53 @@
+From a0afe035cbca26f8c74b670a8c2a20b3d9c2294b Mon Sep 17 00:00:00 2001
+From: Arne Schwabe
+Date: Fri, 27 Oct 2023 14:19:37 +0200
+Subject: [PATCH] Fix using to_link buffer after freed
+
+When I refactored the tls_state_change method in
+9a7b95fda5 I accidentally changed a break into
+a return true while it should return a false.
+
+The code here is extremely fragile in the sense
+that it assumes that settings a keystate to S_ERROR
+cannot have any outgoing buffer or we will have a
+use after free. The previous break and now restored
+return false ensure this by skipping any further
+tls_process_state loops that might set to ks->S_ERROR
+and ensure that the to_link is sent out and cleared
+before having more loops in tls_state_change.
+
+CVE: 2023-46850
+
+This affects everyone, even with tls-auth/tls-crypt enabled.
+
+Change-Id: I2a0f1c665d992da8e24a421ff0ddcb40f7945ea8
+Signed-off-by: Arne Schwabe
+Acked-by: David Sommerseth
+Acked-by: Heiko Hund
+Message-Id: <20231108124947.76816-3-gert@greenie.muc.de>
+URL: https://www.mail-archive.com/search?l=mid&q=20231108124947.76816-3-gert@greenie.muc.de
+Signed-off-by: Gert Doering
+(cherry picked from commit 57a5cd1e12f193927c9b7429f8778fec7e04c50a)
+---
+ src/openvpn/ssl.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
+index e15f951d6a0..cee4afe19f3 100644
+--- a/src/openvpn/ssl.c
++++ b/src/openvpn/ssl.c
+@@ -2903,7 +2903,13 @@ tls_process_state(struct tls_multi *multi,
+ CONTROL_SEND_ACK_MAX, true);
+ *to_link = b;
+ dmsg(D_TLS_DEBUG, "Reliable -> TCP/UDP");
+- return true;
++
++ /* This changed the state of the outgoing buffer. In order to avoid
++ * running this function again/further and invalidating the key_state
++ * buffer and accessing the buffer that is now in to_link after it being
++ * freed for a potential error, we shortcircuit exiting of the outer
++ * process here. */
++ return false;
+ }
+
+ /* Write incoming ciphertext to TLS object */
diff -Nru openvpn-2.6.3/debian/patches/series openvpn-2.6.3/debian/patches/series
--- openvpn-2.6.3/debian/patches/series 2023-06-21 19:41:33.000000000 +0000
+++ openvpn-2.6.3/debian/patches/series 2023-11-11 22:21:37.000000000 +0000
@@ -5,3 +5,5 @@
 systemd.patch
 fix-dangling-pointer-in-pkcs11.patch
 fix-memleak-in-dco_get_peer_stats_multi.patch
+CVE-2023-46849.patch
+CVE-2023-46850.patch
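Review bot: The restored `return false;` in tls_process_state() is the only thing preventing a later loop iteration from moving the key_state to S_ERROR and freeing the buffer that *to_link now references, yet the hunk records that contract only in an in-line comment where the caller cannot see it; the function's header comment (outside the hunk) should state it explicitly, e.g. `/* Returns false as soon as *to_link holds a buffer: the caller must send and clear it before calling again, because an S_ERROR transition frees the key_state buffer behind it. */`. The added comment itself would be clearer if it named the failure mode rather than "shortcircuit exiting of the outer process", e.g. `/* Stop here: another pass through this function could hit S_ERROR, freeing the key_state buffer that *to_link points at, and the freed memory would then be sent to the peer. */`. tls_process_state() starts and ends outside the hunk and the S_ERROR path that frees the buffer is not visible here, so the ordering claim is taken from the commit message rather than from the shown code.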