917272 – (CVE-2023-46849, CVE-2023-46850) <net-vpn/openvpn-2.6.7: Multiple vulnerabilities

Bug 917272 (CVE-2023-46849, CVE-2023-46850) - <net-vpn/openvpn-2.6.7: Multiple vulnerabilities

Summary: <net-vpn/openvpn-2.6.7: Multiple vulnerabilities

Status:	IN_PROGRESS

Alias:	CVE-2023-46849, CVE-2023-46850

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal major
Assignee:	Gentoo Security

URL:
Whiteboard:	B2 [glsa+ cleanup]
Keywords:

Depends on:	909376 921375
Blocks:
	Show dependency tree

Reported:	2023-11-13 03:24 UTC by Sam James
Modified:	2024-09-22 06:36 UTC (History)
CC List:	3 users (show)

See Also:	https://github.com/OpenVPN/openvpn/issues/449 https://gerrit.openvpn.net/c/openvpn/+/426
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sam James archtester

2023-11-13 03:24:21 UTC

From the 2.6.7 release notes:
"""
CVE-2023-46850 OpenVPN versions between 2.6.0 and 2.6.6 incorrectly use a send buffer after it has been free()d in some circumstances, causing some free()d memory to be sent to the peer. All configurations using TLS (e.g. not using --secret) are affected by this issue. (found while tracking down CVE-2023-46849 / Github #400, #417)

CVE-2023-46849 OpenVPN versions between 2.6.0 and 2.6.6 incorrectly restore --fragment configuration in some circumstances, leading to a division by zero when --fragment is used. On platforms where division by zero is fatal, this will cause an OpenVPN crash. (Github #400, #417).
"""

Comment 1 Antonio Quartulli 2023-11-15 09:32:28 UTC

Unfortunately openvpn-2.6.7 comes with a bug that causes segfaults under some conditions and people have already reported crashes.
See: https://github.com/OpenVPN/openvpn/issues/449

A mitigation patch can be found in the ticket above or on the official gerrit:
https://gerrit.openvpn.net/c/openvpn/+/426

May I suggest to urgently include this patch and push out 2.6.7_p1 ?

Thanks a lot!

Comment 2 rpimonitrbtch 2023-11-19 23:24:54 UTC

Or, since 2.6.8 has been released to address the segfaults, just go with that instead.

Comment 3 Sam James archtester

2024-01-05 07:35:03 UTC

I'm sorry nobody spotted that. Looking now.

Comment 4 Larry the Git Cow gentoo-dev

2024-01-05 07:36:59 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fa82e5ca6c5ccdee72b6c8373491b447f5a86807

commit fa82e5ca6c5ccdee72b6c8373491b447f5a86807
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-01-05 07:36:29 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-01-05 07:36:29 +0000

    net-vpn/openvpn: add 2.6.8
    
    Fixes a critical crash in 2.6.7.
    
    Bug: https://bugs.gentoo.org/917272
    Signed-off-by: Sam James <sam@gentoo.org>

 net-vpn/openvpn/Manifest             |   1 +
 net-vpn/openvpn/openvpn-2.6.8.ebuild | 199 +++++++++++++++++++++++++++++++++++
 net-vpn/openvpn/openvpn-9999.ebuild  |  14 ++-
 3 files changed, 209 insertions(+), 5 deletions(-)

Comment 5 Larry the Git Cow gentoo-dev

2024-09-22 06:35:03 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=fe4473d49e5050fff69ba9135163bb00b7c70710

commit fe4473d49e5050fff69ba9135163bb00b7c70710
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-09-22 06:34:37 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-09-22 06:35:01 +0000

    [ GLSA 202409-08 ] OpenVPN: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/835514
    Bug: https://bugs.gentoo.org/917272
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202409-08.xml | 45 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)