While updating my server infrastructure I discovered that the swupdate.openvpn.net CDN is delivering a corrupted version of the openvpn-2.4.3.tar.gz file via HTTP. The problem appears to be limited to HTTP and to TCP connections originating from Germany. I verified this with ~10 servers at different ISPs in Germany, Austria and the US. The corrupted version is a valid tar.gz file and its content is different from the tar file with a valid GPG signature. The changes appear to be limited to the Makefiles. The Gentoo package contains the checksums for the corrupted version, so I accidentally built the corrupted version before discovering what's going on. The corrupted version builds without error. Up until now I wasn't able to discover malicious code in the corrupted version, but I haven't looked at it in depth.

The corrupted file is available here: https://masterbase.at/tmp/openvpn/openvpn-2.4.3-corupted.tar.gz
Signature: https://masterbase.at/tmp/openvpn/openvpn-2.4.3-corupted.tar.gz.asc
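The comparison the reporter describes (two valid tar.gz files with the same package name, differing only in a few members, and a Manifest whose checksums happen to match the wrong one) can be reproduced offline. The following is an added example, not code from the bug report, from Gentoo or from the OpenVPN project: it builds two small constructed tarballs in memory, computes the hashes Gentoo's Manifest records for a DIST entry (BLAKE2B and SHA512 over the compressed file, plus size), and lists which members differ between the two archives. The member paths and contents are invented sample data; the real check still starts with `gpg --verify` of the detached .asc against a key obtained through the web of trust, which is outside what this snippet can do.

```python
import gzip
import hashlib
import io
import tarfile


def build_tarball(members):
    """Build a deterministic .tar.gz in memory from {path: bytes}.

    Constructed sample data only; real tarballs come from the CDN or mirror.
    The gzip mtime is pinned to 0 so identical input always yields identical bytes,
    which keeps the Manifest hashes below reproducible.
    """
    raw = io.BytesIO()
    with gzip.GzipFile(fileobj=raw, mode="wb", mtime=0) as gz:
        with tarfile.open(fileobj=gz, mode="w") as tf:
            for path, data in sorted(members.items()):
                info = tarfile.TarInfo(path)
                info.size = len(data)
                info.mtime = 0
                tf.addfile(info, io.BytesIO(data))
    return raw.getvalue()


def manifest_hashes(blob):
    """Hashes a Gentoo Manifest DIST line records for a distfile (over the compressed bytes)."""
    return {
        "BLAKE2B": hashlib.blake2b(blob).hexdigest(),
        "SHA512": hashlib.sha512(blob).hexdigest(),
        "SIZE": len(blob),
    }


def manifest_dist_line(filename, blob):
    """Render the DIST line in Manifest format: DIST <file> <size> BLAKE2B <hex> SHA512 <hex>."""
    h = manifest_hashes(blob)
    return f"DIST {filename} {h['SIZE']} BLAKE2B {h['BLAKE2B']} SHA512 {h['SHA512']}"


def check_manifest(blob, expected):
    """True only if every hash and the size recorded in the Manifest match this blob."""
    actual = manifest_hashes(blob)
    return all(actual[key] == value for key, value in expected.items())


def tar_members(blob):
    """Map member path -> sha256 of its content for every regular file in the archive."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tf:
        for member in tf:
            if member.isfile():
                out[member.name] = hashlib.sha256(tf.extractfile(member).read()).hexdigest()
    return out


def compare_tarballs(a, b):
    """Report members only in a, only in b, and members present in both whose content differs."""
    ma, mb = tar_members(a), tar_members(b)
    return {
        "only_in_a": sorted(set(ma) - set(mb)),
        "only_in_b": sorted(set(mb) - set(ma)),
        "changed": sorted(name for name in set(ma) & set(mb) if ma[name] != mb[name]),
    }


# Constructed sample: the two archives share everything except one Makefile.in,
# mirroring the "changes limited to the Makefiles" observation in the report.
COMMON = {
    "openvpn-2.4.3/configure": b"#!/bin/sh\necho configure\n",
    "openvpn-2.4.3/src/openvpn/openvpn.c": b"int main(void) { return 0; }\n",
}
SIGNED_TARBALL = build_tarball({**COMMON, "openvpn-2.4.3/Makefile.in": b"all:\n\t$(MAKE) -C src\n"})
HTTP_TARBALL = build_tarball({**COMMON, "openvpn-2.4.3/Makefile.in": b"all:\n\t$(MAKE) -C src all\n"})


if __name__ == "__main__":
    # A Manifest generated from the HTTP download matches that download and nothing else.
    bad_manifest = manifest_hashes(HTTP_TARBALL)
    print(manifest_dist_line("openvpn-2.4.3.tar.gz", HTTP_TARBALL))
    print("http tarball matches its own Manifest:", check_manifest(HTTP_TARBALL, bad_manifest))
    print("signed tarball matches that Manifest:", check_manifest(SIGNED_TARBALL, bad_manifest))
    print("member diff:", compare_tarballs(SIGNED_TARBALL, HTTP_TARBALL))
```

The point the last two prints make is the one the thread circles around: a Manifest only pins whatever file the maintainer happened to fetch, so its hashes are exactly as trustworthy as that fetch. Verifying the detached OpenPGP signature before the hashes are committed is what turns the Manifest into evidence of the upstream release rather than evidence of one CDN node's response.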
(In reply to masterbase from comment #0)
> corrupted version before discovering what's going on. The corrupted
> version builds without error. Up until now I wasn't able to discover
> malicious code in the corrupted version, but haven't looked at it in depth.

Thank you for this report. This contains some worrying information, one of which is the probable lack of validation of the OpenPGP signature from a verified OpenPGP public keyblock at the time of the version bump. I'll leave it to the maintainers of the package to comment on the particular case, but it seems even more likely that we need a stronger policy on security aspects (including, but not limited to, finalizing the work on getting the Gentoo repository signed).
Although, based on the diff provided in bug 622438, it seems likely that this particular case is a tarball switch due to a re-roll of the release rather than an active attack (but that is just luck).
I captured the tarball for comparison; more here: https://dev.gentoo.org/~robbat2/openvpn-2.4.3-weirdness/
The top-level LISTING.* files are my own signatures, so you know nobody else has messed with it in the meantime.

Full diff: https://dev.gentoo.org/~robbat2/openvpn-2.4.3-weirdness/eu/http-openvpn-2.4.3_https-openvpn-2.4.3.diff

And our tree has meanwhile been fixed to use the correct tarball, verified with the upstream key and by tracing down the PGP WoT.
(In reply to Robin Johnson from comment #3)
> I captured the tarball for comparison; more here:
> https://dev.gentoo.org/~robbat2/openvpn-2.4.3-weirdness/
> The top-level LISTING.* files are my own signatures, so you know nobody else has messed
> with it in the meantime.
>
> Full diff:
> https://dev.gentoo.org/~robbat2/openvpn-2.4.3-weirdness/eu/http-openvpn-2.4.3_https-openvpn-2.4.3.diff
>
> And our tree has meanwhile been fixed to use the correct tarball, verified with
> the upstream key and by tracing down the PGP WoT.

Thank you
There doesn't seem to be a need for this bug to be private at this stage, opening up.
Created attachment 477598: OpenPGP verification results of the various downloaded files. Attached are the results of verification from the various sources.
Upstream flubbed their own tarball release, not actually a security issue at all.
(In reply to Robin Johnson from comment #7)
> Upstream flubbed their own tarball release, not actually a security issue at
> all.

Thank you for the confirmation. I still don't like that the OpenPGP signature doesn't match the version that got into our Manifest, but there is nothing more for security-audit to do here except to urge an improvement in the maintainer workflow.