Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP2:Update
openvpn.35854
0004-Prevent-two-kinds-of-stack-buffer-OOB-read...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 0004-Prevent-two-kinds-of-stack-buffer-OOB-reads-and-a-cr.patch of Package openvpn.35854
From f38a4a105979b87ebebe9be1c3d323116d3fb924 Mon Sep 17 00:00:00 2001 From: Guido Vranken <guidovranken@gmail.com> Date: Fri, 19 May 2017 14:04:25 +0200 Subject: [PATCH 4/5] Prevent two kinds of stack buffer OOB reads and a crash for invalid input data Pre-authentication remote crash/information disclosure for clients If clients use a HTTP proxy with NTLM authentication (i.e. "--http-proxy <server> <port> [<authfile>|'auto'|'auto-nct'] ntlm2"), a man-in-the-middle attacker between the client and the proxy can cause the client to crash or disclose at most 96 bytes of stack memory. The disclosed stack memory is likely to contain the proxy password. If the proxy password is not reused, this is unlikely to compromise the security of the OpenVPN tunnel itself. Clients who do not use the --http-proxy option with ntlm2 authentication are not affected. CVE: 2017-7520 Signed-off-by: Guido Vranken <guidovranken@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <CAO5O-EJvHKid-zTj+hmFG_3Gv78ixqCayE9=C62DZaxN32WNtQ@mail.gmail.com> URL: https://www.mail-archive.com/search?l=mid&q=CAO5O-EJvHKid-zTj+hmFG_3Gv78ixqCayE9=C62DZaxN32WNtQ@mail.gmail.com Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit 7718c8984f04b507c1885f363970e2124e3c6c77) --- src/openvpn/ntlm.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/src/openvpn/ntlm.c b/src/openvpn/ntlm.c index ac66a2fa..d859bbbb 100644 --- a/src/openvpn/ntlm.c +++ b/src/openvpn/ntlm.c @@ -196,7 +196,7 @@ ntlm_phase_3 (const struct http_proxy_info *p, const char *phase_2, struct gc_ar */ char pwbuf[sizeof (p->up.password) * 2]; /* for unicode password */ - char buf2[128]; /* decoded reply from proxy */ + unsigned char buf2[128]; /* decoded reply from proxy */ unsigned char phase3[464]; char md4_hash[MD4_DIGEST_LENGTH+5]; @@ -285,7 +285,13 @@ ntlm_phase_3 (const struct http_proxy_info *p, const char *phase_2, struct gc_ar tib_len = buf2[0x28];/* Get Target Information block size */ if (tib_len > 96) tib_len = 96; { - char *tib_ptr = buf2 + buf2[0x2c]; /* Get Target Information block pointer */ + char *tib_ptr; + int tib_pos = buf2[0x2c]; + if (tib_pos + tib_len > sizeof(buf2)) + { + return NULL; + } + tib_ptr = buf2 + tib_pos; /* Get Target Information block pointer */ memcpy(&ntlmv2_blob[0x1c], tib_ptr, tib_len); /* Copy Target Information block into the blob */ } } else { -- 2.13.1
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor