Your message dated Thu, 25 May 2017 20:31:00 +0000
with message-id <5cdf5d0c-f50c-5d81-3fb2-aec320d3d...@thykier.net>
and subject line Re: Bug#863351: unblock: openvpn/2.4.0-6
has caused the Debian Bug report #863351,
regarding unblock: openvpn/2.4.0-6
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
863351: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863351
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package openvpn
I've been contacted by a big Debian & OpenVPN user about a bug present
in Stretch's OpenVPN version and fixed 2 minor reviews later. The bug
was reported upstream [1] and results in clients not being able to use the VPN
after several reconnects.
The patch seems nice and clear [2] (and applies cleanly). The bug
impact could be substantial.
The fixed package (2.4.0-6) has been tested by the aforementioned user
(who could reproduce the bug in previous versions).
[1] https://community.openvpn.net/openvpn/ticket/879
[2] https://community.openvpn.net/openvpn/changeset/03d01f4f69cfc6768343b9f0f2dde2049e4882d2/
unblock openvpn/2.4.0-6
-- System Information:
Debian Release: 9.0
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru openvpn-2.4.0/debian/changelog openvpn-2.4.0/debian/changelog
--- openvpn-2.4.0/debian/changelog 2017-05-11 14:15:21.000000000 +0200
+++ openvpn-2.4.0/debian/changelog 2017-05-22 14:59:49.000000000 +0200
@@ -1,3 +1,10 @@
+openvpn (2.4.0-6) unstable; urgency=medium
+
+ * Apply upstream patch to fix shrinking MTU sizes on reconnects causing not
+ usable VPN tunnels.
+
+ -- Alberto Gonzalez Iniesta <a...@inittab.org> Mon, 22 May 2017 14:59:49
+0200
+
openvpn (2.4.0-5) unstable; urgency=high
* Change typo fix in command line help.
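Review bot: the changelog entry names neither the upstream ticket nor the upstream changeset that `upstream-issue-879.patch` is taken from, so a reader of the package history cannot trace the change; add the ticket (https://community.openvpn.net/openvpn/ticket/879) and the upstream commit id 03d01f4f69cfc6768343b9f0f2dde2049e4882d2 to the entry. Minor wording: `causing not usable VPN tunnels` reads better as `causing unusable VPN tunnels`.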
diff -Nru openvpn-2.4.0/debian/patches/series
openvpn-2.4.0/debian/patches/series
--- openvpn-2.4.0/debian/patches/series 2017-05-11 14:15:21.000000000 +0200
+++ openvpn-2.4.0/debian/patches/series 2017-05-22 14:57:31.000000000 +0200
@@ -7,3 +7,4 @@
CVE-2017-7479-prereq.patch
CVE-2017-7479.patch
wipe_tokens_on_de-auth.patch
+upstream-issue-879.patch
diff -Nru openvpn-2.4.0/debian/patches/upstream-issue-879.patch
openvpn-2.4.0/debian/patches/upstream-issue-879.patch
--- openvpn-2.4.0/debian/patches/upstream-issue-879.patch 1970-01-01
01:00:00.000000000 +0100
+++ openvpn-2.4.0/debian/patches/upstream-issue-879.patch 2017-05-22
14:59:14.000000000 +0200
@@ -0,0 +1,87 @@
+Index: openvpn/src/openvpn/forward.c
+===================================================================
+--- openvpn.orig/src/openvpn/forward.c 2017-05-22 14:59:09.634938195 +0200
++++ openvpn/src/openvpn/forward.c 2017-05-22 14:59:09.630937170 +0200
+@@ -866,9 +866,16 @@
+ * will load crypto_options with the correct encryption key
+ * and return false.
+ */
++ uint8_t opcode = *BPTR(&c->c2.buf) >> P_OPCODE_SHIFT;
+ if (tls_pre_decrypt(c->c2.tls_multi, &c->c2.from, &c->c2.buf, &co,
+ floated, &ad_start))
+ {
++ /* Restore pre-NCP frame parameters */
++ if (is_hard_reset(opcode, c->options.key_method))
++ {
++ c->c2.frame = c->c2.frame_initial;
++ }
++
+ interval_action(&c->c2.tmp_int);
+
+ /* reset packet received timer if TLS packet */
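Review bot: the opcode byte is read with `*BPTR(&c->c2.buf) >> P_OPCODE_SHIFT` before `tls_pre_decrypt()` has validated the packet, so this hunk relies on the enclosing code having already checked that the buffer is non-empty; confirm this point is only reached with `c->c2.buf.len > 0`, and add a comment stating that the opcode is captured up front because `tls_pre_decrypt()` may consume or modify the buffer. The restore of `c->c2.frame` is gated only on the opcode being a hard reset, not on whether that hard reset actually replaces the active session; a comment explaining why that is sufficient would help the next reader.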
+Index: openvpn/src/openvpn/init.c
+===================================================================
+--- openvpn.orig/src/openvpn/init.c 2017-05-22 14:59:09.634938195 +0200
++++ openvpn/src/openvpn/init.c 2017-05-22 14:59:09.634938195 +0200
+@@ -4055,6 +4055,8 @@
+ c->c2.did_open_tun = do_open_tun(c);
+ }
+
++ c->c2.frame_initial = c->c2.frame;
++
+ /* print MTU info */
+ do_print_data_channel_mtu_parms(c);
+
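Review bot: the snapshot `c->c2.frame_initial = c->c2.frame;` is taken once, after `do_open_tun()`, with no comment on what state it captures; say in a comment that this is the post-tun-open, pre-NCP frame, and confirm that nothing between this point and the first data packet adjusts `c->c2.frame` in a way that should survive a hard reset, since the assignment in forward.c discards any such later adjustment.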
+Index: openvpn/src/openvpn/openvpn.h
+===================================================================
+--- openvpn.orig/src/openvpn/openvpn.h 2017-05-22 14:59:09.634938195 +0200
++++ openvpn/src/openvpn/openvpn.h 2017-05-22 14:59:09.634938195 +0200
+@@ -263,7 +263,8 @@
+ struct link_socket_actual from; /* address of incoming
datagram */
+
+ /* MTU frame parameters */
+- struct frame frame;
++ struct frame frame; /* Active frame parameters */
++ struct frame frame_initial; /* Restored on new session */
+
+ #ifdef ENABLE_FRAGMENT
+ /* Object to handle advanced MTU negotiation and datagram fragmentation */
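Review bot: the comment on `frame_initial` says `Restored on new session`, while the code in forward.c restores it on a hard-reset opcode; align the comment with the actual trigger (`Restored on hard reset`). Since `frame_initial` is filled and restored by plain struct assignment, confirm that `struct frame` holds only scalar fields and no pointers to per-session allocations; otherwise a shallow copy would alias them.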
+Index: openvpn/src/openvpn/ssl.c
+===================================================================
+--- openvpn.orig/src/openvpn/ssl.c 2017-05-22 14:59:09.634938195 +0200
++++ openvpn/src/openvpn/ssl.c 2017-05-22 14:59:09.634938195 +0200
+@@ -830,14 +830,7 @@
+ return BSTR(&out);
+ }
+
+-/*
+- * Given a key_method, return true if op
+- * represents the required form of hard_reset.
+- *
+- * If key_method = 0, return true if any
+- * form of hard reset is used.
+- */
+-static bool
++bool
+ is_hard_reset(int op, int key_method)
+ {
+ if (!key_method || key_method == 1)
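Review bot: dropping `static` exports `is_hard_reset()`, but the definition is now left with no comment at all because the original block was removed rather than moved; keep a one-line reference to the documentation in ssl.h (or leave the comment in place) so the definition is not bare. Making the symbol external also means it must not collide with another definition of `is_hard_reset` elsewhere in src/openvpn/; a quick grep before merging is cheap.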
+Index: openvpn/src/openvpn/ssl.h
+===================================================================
+--- openvpn.orig/src/openvpn/ssl.h 2017-05-22 14:59:09.634938195 +0200
++++ openvpn/src/openvpn/ssl.h 2017-05-22 14:59:09.634938195 +0200
+@@ -591,6 +591,14 @@
+ /*#define EXTRACT_X509_FIELD_TEST*/
+ void extract_x509_field_test(void);
+
++/**
++ * Given a key_method, return true if opcode represents the required form of
++ * hard_reset.
++ *
++ * If key_method == 0, return true if any form of hard reset is used.
++ */
++bool is_hard_reset(int op, int key_method);
++
+ #endif /* ENABLE_CRYPTO */
+
+ #endif /* ifndef OPENVPN_SSL_H */
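Review bot: the new prototype sits inside the `#ifdef ENABLE_CRYPTO` block (the `#endif /* ENABLE_CRYPTO */` immediately follows it), so the call added in forward.c must be under the same guard or a build without crypto will hit an implicit declaration; confirm the forward.c hunk is inside that guard. Separately, the patch file has no DEP-3 header block (Description, Origin, Bug, Applied-Upstream) before the first `Index:` line; adding one pointing at ticket 879 and changeset 03d01f4f69cfc6768343b9f0f2dde2049e4882d2 records where the patch came from and that it is already applied upstream.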
--- End Message ---
--- Begin Message ---
Alberto Gonzalez Iniesta:
> Package: release.debian.org
> Severity: normal
> User: release.debian....@packages.debian.org
> Usertags: unblock
>
> Please unblock package openvpn
>
> I've been contacted by a big Debian & OpenVPN user about a bug present
> in Stretch's OpenVPN version and fixed 2 minor reviews later. The bug
> was reported upstream [1] and results in clients not being able to use the VPN
> after several reconnects.
>
> The patch seems nice and clear [2] (and applies cleanly). The bug
> impact could be substantial.
>
> The fixed package (2.4.0-6) has been tested by the aforementioned user
> (who could reproduce the bug in previous versions).
>
> [1] https://community.openvpn.net/openvpn/ticket/879
> [2] https://community.openvpn.net/openvpn/changeset/03d01f4f69cfc6768343b9f0f2dde2049e4882d2/
>
> unblock openvpn/2.4.0-6
>
> [...]
Unblocked, thanks.
~Niels
--- End Message ---