Hi,

On Sat, Apr 14, 2018 at 09:26:17AM +0200, Gert Doering wrote:
> Malformed input data on the service pipe towards the OpenVPN interactive
> service (normally used by the OpenVPN GUI to request openvpn instances
> from the service) can result in a double free() in the error handling code.
[..]

Due to the sensitive nature of the patch, it was held under embargo rules - that is "only sent to the security@ list, privately ACKed, commits not announced to the public list right away".

I do have an ACK for this from Selva, and have my usual "it went in with commit ID..." mail, but for whatever reason I cannot re-send my own mail to the -devel list, and I think SPF is stopping me from bouncing Selva's mail... which is a bit of an annoyance.

So I just forward the e-mails below, PGP sign all this (and the commits are PGP-signed as well), and leave verification of "is the commit the same as in the repo? is it what Selva ACKed?" to the interested reader.

-------------------------------------------------
From: Selva Nair <selva.n...@gmail.com>
Date: Sat, 14 Apr 2018 12:44:57 -0400
Message-ID: <cakuzo_h-gusttjifuev2tivfakhfdqtndseg9kivru5ftws...@mail.gmail.com>
Subject: Re: [PATCH v2] Fix potential double-free() in Interactive Service (CVE-2018-9336)
To: Gert Doering <g...@greenie.muc.de>
Cc: secur...@openvpn.net, jbai...@tenable.com

On Sat, Apr 14, 2018 at 3:26 AM, Gert Doering <g...@greenie.muc.de> wrote:
> Malformed input data on the service pipe towards the OpenVPN interactive
> service (normally used by the OpenVPN GUI to request openvpn instances
> from the service) can result in a double free() in the error handling code.
>
> This usually only leads to a process crash (DoS by an unprivileged local
> account) but since it could possibly lead to memory corruption if
> happening while multiple other threads are active at the same time,
> CVE-2018-9336 has been assigned to acknowledge this risk.
>
> Fix by ensuring that sud->directory is set to NULL in GetStartUpData()
> for all error cases (thus not being free()ed in FreeStartupData()).
>
> Rewrite control flow to use explicit error label for error exit.
>
> Discovered and reported by Jacob Baines <jbai...@tenable.com>.
>
> CVE: 2018-9336
>
> Signed-off-by: Gert Doering <g...@greenie.muc.de>
>
> --
> v2: reword commit message, no code changes

Just for completeness: all good so ACK again.

Selva

-------------------------------------------------
Date: Thu, 19 Apr 2018 17:24:49 +0200 (CEST)
Message-Id: <201804191524.w3jfongd007...@chekov.greenie.muc.de>
From: Gert Doering <g...@greenie.muc.de>
To: Gert Doering <g...@greenie.muc.de>
Cc: openvpn-devel@lists.sourceforge.net
Subject: [PATCH applied] Re: Fix potential double-free() in Interactive Service (CVE-2018-9336)

Your patch has been applied to the master and release/2.4 branch.

commit 1394192b210cb3c6624a7419bcf3ff966742e79b (master)
commit da242af8d3750a231bfd687d0a92cf2004dae988 (release/2.4)
Author: Gert Doering
Date:   Sat Apr 14 09:26:17 2018 +0200

     Fix potential double-free() in Interactive Service (CVE-2018-9336)

     Signed-off-by: Gert Doering <g...@greenie.muc.de>
     Acked-by: Selva Nair <selva.n...@gmail.com>
     Message-Id: <20180414072617.25075-1-g...@greenie.muc.de>
     URL: https://www.mail-archive.com/search?l=mid&q=20180414072617.25075-1-g...@greenie.muc.de
     Signed-off-by: Gert Doering <g...@greenie.muc.de>

--
kind regards,

Gert Doering

--
"If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de
signature.asc
Description: PGP signature
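The ownership rule the commit message describes (one error label, and the owning pointer reset to NULL on every error path so the later cleanup call cannot free it again), as an added C example that is not OpenVPN's code. Only the field name `directory` comes from the message; the struct layout, the three-string wire format and the function names are assumptions made for illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical, reduced model: `directory` owns the heap buffer,
 * the other two fields only point into it. */
typedef struct {
    char *directory;
    const char *options;
    const char *std_input;
} startup_data;

/* Parse three NUL-terminated strings from msg (constructed format).
 * Returns 0 on success, -1 on error; on error every field is NULL. */
int get_startup_data(const char *msg, size_t len, startup_data *sud)
{
    char *data = NULL;
    size_t used;

    memset(sud, 0, sizeof(*sud));
    if (len == 0 || msg[len - 1] != '\0')
        goto err;                      /* unterminated input */
    data = malloc(len);
    if (data == NULL)
        goto err;
    memcpy(data, msg, len);

    sud->directory = data;             /* sud now refers to the buffer */
    used = strlen(sud->directory) + 1;
    if (used >= len)
        goto err;                      /* second string missing */
    sud->options = data + used;
    used += strlen(sud->options) + 1;
    if (used >= len)
        goto err;                      /* third string missing */
    sud->std_input = data + used;
    return 0;

err:
    free(data);
    /* Without this reset, sud->directory still holds the freed pointer
     * and the caller's cleanup below frees it a second time. */
    memset(sud, 0, sizeof(*sud));
    return -1;
}

/* Cleanup the caller runs on success and on failure alike. */
void free_startup_data(startup_data *sud)
{
    free(sud->directory);              /* free(NULL) is a no-op */
    memset(sud, 0, sizeof(*sud));
}
```

Building the example with `-fsanitize=address` and deleting the `memset` under `err:` makes the second free visible on a truncated message.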