Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 917272 (CVE-2023-46849, CVE-2023-46850) - <net-vpn/openvpn-2.6.7: Multiple vulnerabilities
Summary: <net-vpn/openvpn-2.6.7: Multiple vulnerabilities
Alias: CVE-2023-46849, CVE-2023-46850
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
Whiteboard: B2 [glsa? cleanup]
Depends on: 909376 921375
  Show dependency tree
Reported: 2023-11-13 03:24 UTC by Sam James
Modified: 2024-01-24 09:21 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-11-13 03:24:21 UTC
From the 2.6.7 release notes:
CVE-2023-46850 OpenVPN versions between 2.6.0 and 2.6.6 incorrectly use a send buffer after it has been free()d in some circumstances, causing some free()d memory to be sent to the peer. All configurations using TLS (e.g. not using --secret) are affected by this issue. (found while tracking down CVE-2023-46849 / Github ​#400, ​#417)
CVE-2023-46849 OpenVPN versions between 2.6.0 and 2.6.6 incorrectly restore --fragment configuration in some circumstances, leading to a division by zero when --fragment is used. On platforms where division by zero is fatal, this will cause an OpenVPN crash. (Github ​#400, ​#417).
Comment 1 Antonio Quartulli 2023-11-15 09:32:28 UTC
Unfortunately openvpn-2.6.7 comes with a bug that causes segfaults under some conditions and people have already reported crashes.

A mitigation patch can be found in the ticket above or on the official gerrit:

May I suggest to urgently include this patch and push out 2.6.7_p1 ?

Thanks a lot!
Comment 2 rpimonitrbtch 2023-11-19 23:24:54 UTC
Or, since 2.6.8 has been released to address the segfaults, just go with that instead.
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2024-01-05 07:35:03 UTC
I'm sorry nobody spotted that. Looking now.
Comment 4 Larry the Git Cow gentoo-dev 2024-01-05 07:36:59 UTC
The bug has been referenced in the following commit(s):

commit fa82e5ca6c5ccdee72b6c8373491b447f5a86807
Author:     Sam James <>
AuthorDate: 2024-01-05 07:36:29 +0000
Commit:     Sam James <>
CommitDate: 2024-01-05 07:36:29 +0000

    net-vpn/openvpn: add 2.6.8
    Fixes a critical crash in 2.6.7.
    Signed-off-by: Sam James <>

 net-vpn/openvpn/Manifest             |   1 +
 net-vpn/openvpn/openvpn-2.6.8.ebuild | 199 +++++++++++++++++++++++++++++++++++
 net-vpn/openvpn/openvpn-9999.ebuild  |  14 ++-
 3 files changed, 209 insertions(+), 5 deletions(-)