An advisory has been issued today (September 28): http://openwall.com/lists/oss-security/2017/09/28/2 The issue is fixed upstream in 2.4.4 and 2.3.18. Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO, MGA5TOO
Assigning to the registered openvpn maintainer.
CC: (none) => marja11Assignee: bugsquad => bruno
I submitted packages for cauldron, 6 and 5. (No advisory made for now)
Status: NEW => ASSIGNED
Thanks Bruno! Advisory: ======================== Updated openvpn packages fix security vulnerabilities: The bounds check in read_key() was performed after using the value, instead of before. If 'key-method 1' is used, this allowed an attacker to send a malformed packet to trigger a stack buffer overflow. Note that 'key-method 1' has been replaced by 'key method 2' as the default in OpenVPN 2.0 (CVE-2017-12166). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12166 https://community.openvpn.net/openvpn/wiki/CVE-2017-12166 https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23 https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24 ======================== Updated packages in core/updates_testing: ======================== openvpn-2.3.18-1.mga5 libopenvpn-devel-2.3.18-1.mga5 openvpn-2.4.4-1.mga6 libopenvpn-devel-2.4.4-1.mga6 from SRPMS: openvpn-2.3.18-1.mga5.src.rpm openvpn-2.4.4-1.mga6.src.rpm
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOOCC: (none) => brunoAssignee: bruno => qa-bugsVersion: Cauldron => 6
Is there a How-To page on how to set up OpenVPN on Mageia? Thanks
CC: (none) => wilcal.int
How do you set up OpenVPN asked on Mageia forum. https://forums.mageia.org/en/viewtopic.php?f=8&t=12033
This may help as a simple test. https://bugs.mageia.org/show_bug.cgi?id=18478#c2
CC: (none) => brtians1
I have created an exploit patch and tested on MGA6 x86_64, comparing openvpn-2.4.3-1.mga6.src.rpm with openvpn-2.4.4-1.mga6.src.rpm. With this patch applied to the client part of a test installation (as described in the link of comment #6), the server part of 2.4.3 could be crashed on my system. With 2.4.4. there was no crash, the fake key was contained. I'm attaching the patch.
CC: (none) => digidietze
Created attachment 9716 [details] Patch against openvpn 2.4.3 to exploit CVE-2017-12166
If I had the permission, I would add "MGA6-64-OK" to the whiteboard ...
Addendum: Obviously (but not explicitly stated before) the test configurations for server and client must be appended with the parameter "key-method 1".
Whiteboard: MGA5TOO => MGA5TOO, MGA6-64-OK
Whiteboard: MGA5TOO, MGA6-64-OK => has_procedure, MGA5TOO, MGA6-64-OK
Test from comment #7 repeated for MGA6-32. Same result - version 2.4.4 catches and contains the fake key.
Whiteboard: has_procedure, MGA5TOO, MGA6-64-OK => has_procedure, MGA5TOO, MGA6-32-OK, MGA6-64-OK
Created attachment 9733 [details] Patch against openvpn 2.3.6 to exploit CVE-2017-12166 Slightly different format for MGA5
Test from comment #7 repeated for MGA5-64 with patch for version 2.3.6. Version 2.3.6 crashes when receiving the fake key. Version 2.3.18 catches and contains the fake key. Test repeated for MGA5-32. Same result.
Whiteboard: has_procedure, MGA5TOO, MGA6-32-OK, MGA6-64-OK => has_procedure, MGA6-32-OK, MGA6-64-OK, MGA5-32-OK, MGA5-64-OK
Whiteboard: has_procedure, MGA6-32-OK, MGA6-64-OK, MGA5-32-OK, MGA5-64-OK => has_procedure MGA5TOO MGA6-32-OK MGA6-64-OK MGA5-32-OK MGA5-64-OK
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugs
Keywords: (none) => advisoryCC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2017-0372.html
Status: ASSIGNED => RESOLVEDResolution: (none) => FIXED
The Mageia 5 update was never pushed. It is missing from the SVN advisory.
Status: RESOLVED => REOPENEDResolution: FIXED => (none)
SVN advisory fixed. Please push openvpn-2.3.18-1.mga5 to core/updates.
openvpn-2.3.18-1.mga5 moved.
Resolution: (none) => FIXEDCC: (none) => tmbStatus: REOPENED => RESOLVED