2016-07-13 18:59:43 |
Foxpass Dev |
bug |
|
|
added bug |
2016-07-13 19:00:49 |
Foxpass Dev |
bug task added |
|
openvpn-auth-ldap (Ubuntu) |
|
2016-07-13 19:03:37 |
Foxpass Dev |
information type |
Private |
Public |
|
2016-07-13 19:10:15 |
Apport retracing service |
bug |
|
|
added subscriber Crash bug triagers for Ubuntu packages |
2016-07-13 19:10:18 |
Apport retracing service |
attachment added |
|
Stacktrace.txt https://bugs.launchpad.net/bugs/1602813/+attachment/4700351/+files/Stacktrace.txt |
|
2016-07-13 19:10:18 |
Apport retracing service |
attachment added |
|
StacktraceSource.txt https://bugs.launchpad.net/bugs/1602813/+attachment/4700352/+files/StacktraceSource.txt |
|
2016-07-13 19:10:20 |
Apport retracing service |
attachment added |
|
ThreadStacktrace.txt https://bugs.launchpad.net/bugs/1602813/+attachment/4700353/+files/ThreadStacktrace.txt |
|
2016-07-13 19:10:21 |
Apport retracing service |
attachment removed |
CoreDump.gz https://bugs.launchpad.net/bugs/1602813/+attachment/4700343/+files/CoreDump.gz |
|
|
2016-07-13 19:10:22 |
Apport retracing service |
openvpn (Ubuntu): importance |
Undecided |
Medium |
|
2016-07-13 19:10:25 |
Apport retracing service |
tags |
amd64 apport-crash ec2-images need-amd64-retrace trusty |
amd64 apport-crash ec2-images trusty |
|
2016-07-14 05:02:56 |
Christian Ehrhardt |
tags |
amd64 apport-crash ec2-images trusty |
amd64 apport-crash ec2-images patch trusty |
|
2016-07-14 05:07:25 |
Christian Ehrhardt |
openvpn-auth-ldap (Ubuntu): status |
New |
Triaged |
|
2016-07-14 05:07:31 |
Christian Ehrhardt |
openvpn-auth-ldap (Ubuntu): importance |
Undecided |
High |
|
2016-07-14 05:21:57 |
Christian Ehrhardt |
bug |
|
|
added subscriber Ubuntu Server Team |
2016-07-14 05:25:34 |
Christian Ehrhardt |
tags |
amd64 apport-crash ec2-images patch trusty |
amd64 apport-crash bitesize ec2-images patch server-next trusty |
|
2017-03-28 16:14:12 |
Christian Ehrhardt |
tags |
amd64 apport-crash bitesize ec2-images patch server-next trusty |
amd64 apport-crash bitesize ec2-images patch trusty |
|
2017-04-19 19:29:30 |
Andreas Hasenack |
openvpn-auth-ldap (Ubuntu): assignee |
|
Andreas Hasenack (ahasenack) |
|
2017-04-19 19:29:35 |
Andreas Hasenack |
openvpn-auth-ldap (Ubuntu): status |
Triaged |
In Progress |
|
2017-04-24 14:12:35 |
Andreas Hasenack |
bug watch added |
|
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=680166 |
|
2017-04-24 14:12:35 |
Andreas Hasenack |
bug task added |
|
openvpn-auth-ldap (Debian) |
|
2017-04-24 14:14:37 |
Andreas Hasenack |
bug task deleted |
openvpn (Ubuntu) |
|
|
2017-04-24 15:07:28 |
Bug Watch Updater |
openvpn-auth-ldap (Debian): status |
Unknown |
New |
|
2017-04-24 17:08:33 |
Andreas Hasenack |
bug task deleted |
openvpn-auth-ldap (Debian) |
|
|
2017-04-24 17:56:48 |
Andreas Hasenack |
bug watch added |
|
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861107 |
|
2017-04-24 17:56:48 |
Andreas Hasenack |
bug task added |
|
openvpn-auth-ldap (Debian) |
|
2017-04-24 19:03:30 |
Andreas Hasenack |
attachment added |
|
lp1602813.debdiff https://bugs.launchpad.net/debian/+source/openvpn-auth-ldap/+bug/1602813/+attachment/4867421/+files/lp1602813.debdiff |
|
2017-04-24 19:13:09 |
Andreas Hasenack |
bug |
|
|
added subscriber Ubuntu Sponsors Team |
2017-04-24 21:56:56 |
Bug Watch Updater |
openvpn-auth-ldap (Debian): status |
Unknown |
New |
|
2017-05-07 21:20:45 |
Mathew Hodson |
bug watch removed |
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=680166 |
|
|
2017-05-07 21:21:23 |
Mathew Hodson |
openvpn-auth-ldap (Ubuntu): importance |
High |
Medium |
|
2017-06-19 17:56:21 |
Launchpad Janitor |
openvpn-auth-ldap (Ubuntu): status |
In Progress |
Fix Released |
|
2017-06-20 13:31:02 |
Andreas Hasenack |
nominated for series |
|
Ubuntu Trusty |
|
2017-06-20 13:31:02 |
Andreas Hasenack |
nominated for series |
|
Ubuntu Xenial |
|
2017-06-20 13:31:02 |
Andreas Hasenack |
nominated for series |
|
Ubuntu Zesty |
|
2017-06-20 13:31:02 |
Andreas Hasenack |
nominated for series |
|
Ubuntu Yakkety |
|
2017-06-20 13:32:47 |
Robie Basak |
bug task added |
|
openvpn-auth-ldap (Ubuntu Trusty) |
|
2017-06-20 13:32:53 |
Robie Basak |
bug task added |
|
openvpn-auth-ldap (Ubuntu Xenial) |
|
2017-06-20 13:33:00 |
Robie Basak |
bug task added |
|
openvpn-auth-ldap (Ubuntu Yakkety) |
|
2017-06-20 13:33:09 |
Robie Basak |
bug task added |
|
openvpn-auth-ldap (Ubuntu Zesty) |
|
2017-06-20 13:40:18 |
Andreas Hasenack |
openvpn-auth-ldap (Ubuntu Trusty): assignee |
|
Andreas Hasenack (ahasenack) |
|
2017-06-20 13:40:20 |
Andreas Hasenack |
openvpn-auth-ldap (Ubuntu Xenial): assignee |
|
Andreas Hasenack (ahasenack) |
|
2017-06-20 13:40:21 |
Andreas Hasenack |
openvpn-auth-ldap (Ubuntu Yakkety): assignee |
|
Andreas Hasenack (ahasenack) |
|
2017-06-20 13:40:23 |
Andreas Hasenack |
openvpn-auth-ldap (Ubuntu Zesty): assignee |
|
Andreas Hasenack (ahasenack) |
|
2017-06-20 13:40:27 |
Andreas Hasenack |
openvpn-auth-ldap (Ubuntu Trusty): status |
New |
In Progress |
|
2017-06-20 13:40:30 |
Andreas Hasenack |
openvpn-auth-ldap (Ubuntu Xenial): status |
New |
In Progress |
|
2017-06-20 13:40:32 |
Andreas Hasenack |
openvpn-auth-ldap (Ubuntu Yakkety): status |
New |
In Progress |
|
2017-06-20 13:40:35 |
Andreas Hasenack |
openvpn-auth-ldap (Ubuntu Zesty): status |
New |
In Progress |
|
2017-06-20 13:40:38 |
Andreas Hasenack |
openvpn-auth-ldap (Ubuntu Trusty): importance |
Undecided |
Medium |
|
2017-06-20 13:40:40 |
Andreas Hasenack |
openvpn-auth-ldap (Ubuntu Xenial): importance |
Undecided |
Medium |
|
2017-06-20 13:40:42 |
Andreas Hasenack |
openvpn-auth-ldap (Ubuntu Yakkety): importance |
Undecided |
Medium |
|
2017-06-20 13:40:43 |
Andreas Hasenack |
openvpn-auth-ldap (Ubuntu Zesty): importance |
Undecided |
Medium |
|
2017-06-20 13:55:11 |
Andreas Hasenack |
description |
Description: Ubuntu 14.04.4 LTS
Release: 14.04
openvpn-auth-ldap=2.0.3-5.1
There is a timeout bug in the openvpn-auth-ldap package that causes
OpenVPN to crash when the network timeout is exceeded.
The openvpn-auth-ldap plugin is not correctly checking the error codes from ldap_result. As a result, it is not catching timeouts, and proceeds as if ldap_result was successful. This results in a segfault when access to the result (which is set to Null) is attempted.
You can see this bug referenced here:
https://github.com/threerings/openvpn-auth-ldap/issues/11
And a fix mentioned here:
https://github.com/threerings/openvpn-auth-ldap/pull/53
The above patch is not compatible with the source provided with 14.04, so I have updated the patch to work with the 14.04 source. I have provided it below.
I would appreciate if a package with the fix could be released.
-Aaron Peschel
Index: openvpn-auth-ldap/src/LFLDAPConnection.m
===================================================================
--- openvpn-auth-ldap.orig/src/LFLDAPConnection.m 2016-07-12
23:24:14.710216000 +0000
+++ openvpn-auth-ldap/src/LFLDAPConnection.m 2016-07-12
23:24:48.394216000 +0000
@@ -175,7 +175,7 @@
/* Wait for the result */
timeout.tv_sec = _timeout;
timeout.tv_usec = 0;
- if (ldap_result(ldapConn, msgid, 1, &timeout, &res) == -1) {
+ if (ldap_result(ldapConn, msgid, 1, &timeout, &res) <= 0) {
err = ldap_get_errno(ldapConn);
if (err == LDAP_TIMEOUT)
ldap_abandon_ext(ldapConn, msgid, NULL, NULL);
@@ -383,7 +383,7 @@
}
/* Wait for the result */
- if (ldap_result(ldapConn, msgid, 1, &timeout, &res) == -1) {
+ if (ldap_result(ldapConn, msgid, 1, &timeout, &res) <= 0) {
err = ldap_get_errno(ldapConn);
if (err == LDAP_TIMEOUT)
ldap_abandon_ext(ldapConn, msgid, NULL, NULL);
ProblemType: Crash
DistroRelease: Ubuntu 14.04
Package: openvpn 2.3.2-7ubuntu3.1
ProcVersionSignature: Ubuntu 3.13.0-74.118-generic 3.13.11-ckt30
Uname: Linux 3.13.0-74-generic x86_64
ApportVersion: 2.14.1-0ubuntu3.21
Architecture: amd64
AssertionMessage: openvpn: sasl.c:257: ldap_parse_sasl_bind_result: Assertion `res != ((void *)0)' failed.
Date: Tue Jul 12 21:35:10 2016
Ec2AMI: ami-9abea4fb
Ec2AMIManifest: (unknown)
Ec2AvailabilityZone: us-west-2c
Ec2InstanceType: t2.small
Ec2Kernel: unavailable
Ec2Ramdisk: unavailable
ExecutablePath: /usr/sbin/openvpn
ProcCmdline: /usr/sbin/openvpn --writepid /run/openvpn/foxpass.pid --daemon ovpn-foxpass --cd /etc/openvpn --config /etc/openvpn/foxpass.conf --script-security 2
ProcEnviron:
TERM=screen-256color
PATH=(custom, no user)
LANG=en_US.UTF-8
Signal: 6
SourcePackage: openvpn
StacktraceTop:
__assert_fail_base (fmt=0x7f3cd7f203b8 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x7f3cd796d9bd "res != ((void *)0)", file=file@entry=0x7f3cd796e100 "sasl.c", line=line@entry=257, function=function@entry=0x7f3cd796e3e0 "ldap_parse_sasl_bind_result") at assert.c:92
__GI___assert_fail (assertion=0x7f3cd796d9bd "res != ((void *)0)", file=0x7f3cd796e100 "sasl.c", line=257, function=0x7f3cd796e3e0 "ldap_parse_sasl_bind_result") at assert.c:101
ldap_parse_sasl_bind_result () from /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2
?? () from /usr/lib/openvpn/openvpn-auth-ldap.so
connect_ldap () from /usr/lib/openvpn/openvpn-auth-ldap.so
Title: openvpn assert failure: openvpn: sasl.c:257: ldap_parse_sasl_bind_result: Assertion `res != ((void *)0)' failed.
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups: |
[Impact]
There is a timeout bug in the openvpn-auth-ldap package that causes
OpenVPN to crash when the network timeout is exceeded.
The openvpn-auth-ldap plugin is not correctly checking the error codes from ldap_result. As a result, it is not catching timeouts, and proceeds as if ldap_result was successful. This results in a segfault when access to the result (which is set to Null) is attempted.
Network timeouts are somewhat common and services should be resilient to it. Having a service as a whole crash because of such an occurrence is not acceptable.
This upload fixes the problem by simply including the timeout error case in an existing check. It was clearly just an oversight in that one call, as the remainder of the code does handle timeout errors. It was just never reached.
[Test Case]
* detailed instructions how to reproduce the bug
* these should allow someone who is not familiar with the affected
package to reproduce the bug and verify that the updated package fixes
the problem.
[Regression Potential]
The patch is very focused. I believe the biggest regression potential lies in the fact that this package hasn't been rebuilt very often. This new build will be done with the surrounding system libraries having changed a lot since the last time this package was built.
[Other Info]
There are two places in the code which mishandled the return code of ldap_result(). They are essentially identical, but the test case I provided only covers one of them. I believe that to be good enough, as the other code path will require setting up an LDAP server with a populated directory. |
|
2017-06-20 14:09:02 |
Andreas Hasenack |
description |
[Impact]
There is a timeout bug in the openvpn-auth-ldap package that causes
OpenVPN to crash when the network timeout is exceeded.
The openvpn-auth-ldap plugin is not correctly checking the error codes from ldap_result. As a result, it is not catching timeouts, and proceeds as if ldap_result was successful. This results in a segfault when access to the result (which is set to Null) is attempted.
Network timeouts are somewhat common and services should be resilient to it. Having a service as a whole crash because of such an occurrence is not acceptable.
This upload fixes the problem by simply including the timeout error case in an existing check. It was clearly just an oversight in that one call, as the remainder of the code does handle timeout errors. It was just never reached.
[Test Case]
* detailed instructions how to reproduce the bug
* these should allow someone who is not familiar with the affected
package to reproduce the bug and verify that the updated package fixes
the problem.
[Regression Potential]
The patch is very focused. I believe the biggest regression potential lies in the fact that this package hasn't been rebuilt very often. This new build will be done with the surrounding system libraries having changed a lot since the last time this package was built.
[Other Info]
There are two places in the code which mishandled the return code of ldap_result(). They are essentially identical, but the test case I provided only covers one of them. I believe that to be good enough, as the other code path will require setting up an LDAP server with a populated directory. |
[Impact]
There is a timeout bug in the openvpn-auth-ldap package that causes
OpenVPN to crash when the network timeout is exceeded.
The openvpn-auth-ldap plugin is not correctly checking the error codes from ldap_result. As a result, it is not catching timeouts, and proceeds as if ldap_result was successful. This results in a segfault when access to the result (which is set to Null) is attempted.
Network timeouts are somewhat common and services should be resilient to it. Having a service as a whole crash because of such an occurrence is not acceptable.
This upload fixes the problem by simply including the timeout error case in an existing check. It was clearly just an oversight in that one call, as the remainder of the code does handle timeout errors. It was just never reached.
[Test Case]
To reproduce the problem, configure an openvpn server as usual with
certificates and:
- add the plugin configuration line:
plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/ldap.conf
- in /etc/openvpn/ldap.conf:
<LDAP>
BindDN uid=john,ou=people,dc=example
Password something
URL ldap://localhost
Timeout 1
TLSEnable no
FollowReferrals yes
</LDAP>
# no need for an <Authorization> section
- start nc on port 389:
nc -l -p 389
- start the openvpn server
Next you will need an openvpn client, also configured with the SSL certs
as usual, plus "auth-user-pass".
When you start this openvpn client, it will prompt you for username and
password. The values you provide are irrelevant:
(...)
Enter Auth Username: asd
Enter Auth Password: ***
The vulnerable server will crash:
root@trusty-openvpn-1602813:/etc/openvpn# openvpn --config server.conf
Tue Jun 20 13:56:55 2017 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Dec 1 2014
Tue Jun 20 13:56:55 2017 TUN/TAP device tun0 opened
Tue Jun 20 13:56:55 2017 Note: Cannot set tx queue length on tun0: Operation not permitted (errno=1)
Tue Jun 20 13:56:55 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Tue Jun 20 13:56:55 2017 /sbin/ip link set dev tun0 up mtu 1500
Tue Jun 20 13:56:55 2017 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Tue Jun 20 13:56:55 2017 UDPv4 link local (bound): [undef]
Tue Jun 20 13:56:55 2017 UDPv4 link remote: [undef]
Tue Jun 20 13:56:55 2017 Initialization Sequence Completed
openvpn: sasl.c:257: ldap_parse_sasl_bind_result: Assertion `res != ((void *)0)' failed.
Aborted (core dumped)
The fixed version will just complain about a timeout error.
[Regression Potential]
The patch is very focused. I believe the biggest regression potential lies in the fact that this package hasn't been rebuilt very often. This new build will be done with the surrounding system libraries having changed a lot since the last time this package was built.
[Other Info]
There are two places in the code which mishandled the return code of ldap_result(). They are essentially identical, but the test case I provided only covers one of them. I believe that to be good enough, as the other code path will require setting up an LDAP server with a populated directory. |
|
2017-06-20 14:09:20 |
Andreas Hasenack |
removed subscriber Ubuntu Sponsors Team |
|
|
|
2017-06-20 14:17:49 |
Andreas Hasenack |
attachment added |
|
openvpn-test-server.tar.gz https://bugs.launchpad.net/ubuntu/+source/openvpn-auth-ldap/+bug/1602813/+attachment/4899318/+files/openvpn-test-server.tar.gz |
|
2017-06-20 14:31:56 |
Andreas Hasenack |
description |
[Impact]
There is a timeout bug in the openvpn-auth-ldap package that causes
OpenVPN to crash when the network timeout is exceeded.
The openvpn-auth-ldap plugin is not correctly checking the error codes from ldap_result. As a result, it is not catching timeouts, and proceeds as if ldap_result was successful. This results in a segfault when access to the result (which is set to Null) is attempted.
Network timeouts are somewhat common and services should be resilient to it. Having a service as a whole crash because of such an occurrence is not acceptable.
This upload fixes the problem by simply including the timeout error case in an existing check. It was clearly just an oversight in that one call, as the remainder of the code does handle timeout errors. It was just never reached.
[Test Case]
To reproduce the problem, configure an openvpn server as usual with
certificates and:
- add the plugin configuration line:
plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/ldap.conf
- in /etc/openvpn/ldap.conf:
<LDAP>
BindDN uid=john,ou=people,dc=example
Password something
URL ldap://localhost
Timeout 1
TLSEnable no
FollowReferrals yes
</LDAP>
# no need for an <Authorization> section
- start nc on port 389:
nc -l -p 389
- start the openvpn server
Next you will need an openvpn client, also configured with the SSL certs
as usual, plus "auth-user-pass".
When you start this openvpn client, it will prompt you for username and
password. The values you provide are irrelevant:
(...)
Enter Auth Username: asd
Enter Auth Password: ***
The vulnerable server will crash:
root@trusty-openvpn-1602813:/etc/openvpn# openvpn --config server.conf
Tue Jun 20 13:56:55 2017 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Dec 1 2014
Tue Jun 20 13:56:55 2017 TUN/TAP device tun0 opened
Tue Jun 20 13:56:55 2017 Note: Cannot set tx queue length on tun0: Operation not permitted (errno=1)
Tue Jun 20 13:56:55 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Tue Jun 20 13:56:55 2017 /sbin/ip link set dev tun0 up mtu 1500
Tue Jun 20 13:56:55 2017 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Tue Jun 20 13:56:55 2017 UDPv4 link local (bound): [undef]
Tue Jun 20 13:56:55 2017 UDPv4 link remote: [undef]
Tue Jun 20 13:56:55 2017 Initialization Sequence Completed
openvpn: sasl.c:257: ldap_parse_sasl_bind_result: Assertion `res != ((void *)0)' failed.
Aborted (core dumped)
The fixed version will just complain about a timeout error.
[Regression Potential]
The patch is very focused. I believe the biggest regression potential lies in the fact that this package hasn't been rebuilt very often. This new build will be done with the surrounding system libraries having changed a lot since the last time this package was built.
[Other Info]
There are two places in the code which mishandled the return code of ldap_result(). They are essentially identical, but the test case I provided only covers one of them. I believe that to be good enough, as the other code path will require setting up an LDAP server with a populated directory. |
[Impact]
There is a timeout bug in the openvpn-auth-ldap package that causes
OpenVPN to crash when the network timeout is exceeded.
The openvpn-auth-ldap plugin is not correctly checking the error codes from ldap_result. As a result, it is not catching timeouts, and proceeds as if ldap_result was successful. This results in a segfault when access to the result (which is set to Null) is attempted.
Network timeouts are somewhat common and services should be resilient to it. Having a service as a whole crash because of such an occurrence is not acceptable.
This upload fixes the problem by simply including the timeout error case in an existing check. It was clearly just an oversight in that one call, as the remainder of the code does handle timeout errors. It was just never reached.
[Test Case]
To reproduce the problem:
* install openvpn and openvpn-auth-ldap:
$ sudo apt install openvpn openvpn-auth-ldap
* expand the attached openvpn-test-server.tar.gz tarball inside /etc:
$ sudo tar -C /etc -xzf openvpn-test-server.tar.gz
* start nc on port 389:
$ nc -l -p 389
* In another terminal, start the openvpn server:
$ sudo openvpn --config /etc/openvpn/server.conf
Next you will need an openvpn client, also configured with the SSL certs
as usual, plus "auth-user-pass". This client can be the same for all server tests, if you are testing multiple Ubuntu releases, since what crashes is the server. It also doesn't have to be the fixed package from proposed.
* Expand the client tarball in /etc:
$ sudo tar -C /etc -xzf openvpn-test-client.tar.gz
* Edit /etc/openvpn/client.conf and change the "remote <hostname>" line to point to your openvpn server's hostname
* Start the client:
$ sudo openvpn --config /etc/openvpn/client.conf
* It will prompt you for username and password. The values you provide are irrelevant:
(...)
Enter Auth Username: asd
Enter Auth Password: ***
The vulnerable server will crash:
root@trusty-openvpn-1602813:/etc/openvpn# openvpn --config server.conf
Tue Jun 20 13:56:55 2017 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Dec 1 2014
Tue Jun 20 13:56:55 2017 TUN/TAP device tun0 opened
Tue Jun 20 13:56:55 2017 Note: Cannot set tx queue length on tun0: Operation not permitted (errno=1)
Tue Jun 20 13:56:55 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Tue Jun 20 13:56:55 2017 /sbin/ip link set dev tun0 up mtu 1500
Tue Jun 20 13:56:55 2017 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Tue Jun 20 13:56:55 2017 UDPv4 link local (bound): [undef]
Tue Jun 20 13:56:55 2017 UDPv4 link remote: [undef]
Tue Jun 20 13:56:55 2017 Initialization Sequence Completed
openvpn: sasl.c:257: ldap_parse_sasl_bind_result: Assertion `res != ((void *)0)' failed.
Aborted (core dumped)
The fixed version will just complain about a timeout error.
[Regression Potential]
The patch is very focused. I believe the biggest regression potential lies in the fact that this package hasn't been rebuilt very often. This new build will be done with the surrounding system libraries having changed a lot since the last time this package was built.
[Other Info]
There are two places in the code which mishandled the return code of ldap_result(). They are essentially identical, but the test case I provided only covers one of them. I believe that to be good enough, as the other code path will require setting up an LDAP server with a populated directory. |
|
2017-06-20 14:32:57 |
Andreas Hasenack |
attachment added |
|
openvpn-test-client.tar.gz https://bugs.launchpad.net/ubuntu/+source/openvpn-auth-ldap/+bug/1602813/+attachment/4899319/+files/openvpn-test-client.tar.gz |
|
2017-06-20 14:36:43 |
Andreas Hasenack |
description |
[Impact]
There is a timeout bug in the openvpn-auth-ldap package that causes
OpenVPN to crash when the network timeout is exceeded.
The openvpn-auth-ldap plugin is not correctly checking the error codes from ldap_result. As a result, it is not catching timeouts, and proceeds as if ldap_result was successful. This results in a segfault when access to the result (which is set to Null) is attempted.
Network timeouts are somewhat common and services should be resilient to it. Having a service as a whole crash because of such an occurrence is not acceptable.
This upload fixes the problem by simply including the timeout error case in an existing check. It was clearly just an oversight in that one call, as the remainder of the code does handle timeout errors. It was just never reached.
[Test Case]
To reproduce the problem:
* install openvpn and openvpn-auth-ldap:
$ sudo apt install openvpn openvpn-auth-ldap
* expand the attached openvpn-test-server.tar.gz tarball inside /etc:
$ sudo tar -C /etc -xzf openvpn-test-server.tar.gz
* start nc on port 389:
$ nc -l -p 389
* In another terminal, start the openvpn server:
$ sudo openvpn --config /etc/openvpn/server.conf
Next you will need an openvpn client, also configured with the SSL certs
as usual, plus "auth-user-pass". This client can be the same for all server tests, if you are testing multiple Ubuntu releases, since what crashes is the server. It also doesn't have to be the fixed package from proposed.
* Expand the client tarball in /etc:
$ sudo tar -C /etc -xzf openvpn-test-client.tar.gz
* Edit /etc/openvpn/client.conf and change the "remote <hostname>" line to point to your openvpn server's hostname
* Start the client:
$ sudo openvpn --config /etc/openvpn/client.conf
* It will prompt you for username and password. The values you provide are irrelevant:
(...)
Enter Auth Username: asd
Enter Auth Password: ***
The vulnerable server will crash:
root@trusty-openvpn-1602813:/etc/openvpn# openvpn --config server.conf
Tue Jun 20 13:56:55 2017 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Dec 1 2014
Tue Jun 20 13:56:55 2017 TUN/TAP device tun0 opened
Tue Jun 20 13:56:55 2017 Note: Cannot set tx queue length on tun0: Operation not permitted (errno=1)
Tue Jun 20 13:56:55 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Tue Jun 20 13:56:55 2017 /sbin/ip link set dev tun0 up mtu 1500
Tue Jun 20 13:56:55 2017 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Tue Jun 20 13:56:55 2017 UDPv4 link local (bound): [undef]
Tue Jun 20 13:56:55 2017 UDPv4 link remote: [undef]
Tue Jun 20 13:56:55 2017 Initialization Sequence Completed
openvpn: sasl.c:257: ldap_parse_sasl_bind_result: Assertion `res != ((void *)0)' failed.
Aborted (core dumped)
The fixed version will just complain about a timeout error.
[Regression Potential]
The patch is very focused. I believe the biggest regression potential lies in the fact that this package hasn't been rebuilt very often. This new build will be done with the surrounding system libraries having changed a lot since the last time this package was built.
[Other Info]
There are two places in the code which mishandled the return code of ldap_result(). They are essentially identical, but the test case I provided only covers one of them. I believe that to be good enough, as the other code path will require setting up an LDAP server with a populated directory. |
[Impact]
There is a timeout bug in the openvpn-auth-ldap package that causes
OpenVPN to crash when the network timeout is exceeded.
The openvpn-auth-ldap plugin is not correctly checking the error codes from ldap_result. As a result, it is not catching timeouts, and proceeds as if ldap_result was successful. This results in a segfault when access to the result (which is set to Null) is attempted.
Network timeouts are somewhat common and services should be resilient to it. Having a service as a whole crash because of such an occurrence is not acceptable.
This upload fixes the problem by simply including the timeout error case in an existing check. It was clearly just an oversight in that one call, as the remainder of the code does handle timeout errors. It was just never reached.
[Test Case]
To reproduce the problem:
* install openvpn and openvpn-auth-ldap:
$ sudo apt install openvpn openvpn-auth-ldap
* expand the attached openvpn-test-server.tar.gz tarball inside /etc:
$ sudo tar -C /etc -xzf openvpn-test-server.tar.gz
* start nc on port 389:
$ nc -l -p 389
* In another terminal, start the openvpn server:
$ sudo openvpn --config /etc/openvpn/server.conf
Next you will need an openvpn client, also configured with the SSL certs
as usual, plus "auth-user-pass". This client can be the same for all server tests, if you are testing multiple Ubuntu releases, since what crashes is the server. It also doesn't have to be the fixed package from proposed.
* Install openvpn:
$ sudo apt install openvpn
* Expand the client tarball in /etc:
$ sudo tar -C /etc -xzf openvpn-test-client.tar.gz
* Edit /etc/openvpn/client.conf and change the "remote <hostname>" line to point to your openvpn server's hostname
* Start the client:
$ sudo openvpn --config /etc/openvpn/client.conf
* It will prompt you for username and password. The values you provide are irrelevant:
(...)
Enter Auth Username: asd
Enter Auth Password: ***
The vulnerable server will crash:
root@trusty-openvpn-1602813:/etc/openvpn# openvpn --config server.conf
Tue Jun 20 13:56:55 2017 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Dec 1 2014
Tue Jun 20 13:56:55 2017 TUN/TAP device tun0 opened
Tue Jun 20 13:56:55 2017 Note: Cannot set tx queue length on tun0: Operation not permitted (errno=1)
Tue Jun 20 13:56:55 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Tue Jun 20 13:56:55 2017 /sbin/ip link set dev tun0 up mtu 1500
Tue Jun 20 13:56:55 2017 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Tue Jun 20 13:56:55 2017 UDPv4 link local (bound): [undef]
Tue Jun 20 13:56:55 2017 UDPv4 link remote: [undef]
Tue Jun 20 13:56:55 2017 Initialization Sequence Completed
openvpn: sasl.c:257: ldap_parse_sasl_bind_result: Assertion `res != ((void *)0)' failed.
Aborted (core dumped)
The fixed version will just complain about a timeout error.
[Regression Potential]
The patch is very focused. I believe the biggest regression potential lies in the fact that this package hasn't been rebuilt very often. This new build will be done with the surrounding system libraries having changed a lot since the last time this package was built.
[Other Info]
There are two places in the code which mishandled the return code of ldap_result(). They are essentially identical, but the test case I provided only covers one of them. I believe that to be good enough, as the other code path will require setting up an LDAP server with a populated directory. |
|
2017-06-20 14:40:25 |
Andreas Hasenack |
description |
[Impact]
There is a timeout bug in the openvpn-auth-ldap package that causes
OpenVPN to crash when the network timeout is exceeded.
The openvpn-auth-ldap plugin is not correctly checking the error codes from ldap_result. As a result, it is not catching timeouts, and proceeds as if ldap_result was successful. This results in a segfault when access to the result (which is set to Null) is attempted.
Network timeouts are somewhat common and services should be resilient to it. Having a service as a whole crash because of such an occurrence is not acceptable.
This upload fixes the problem by simply including the timeout error case in an existing check. It was clearly just an oversight in that one call, as the remainder of the code does handle timeout errors. It was just never reached.
[Test Case]
To reproduce the problem:
* install openvpn and openvpn-auth-ldap:
$ sudo apt install openvpn openvpn-auth-ldap
* expand the attached openvpn-test-server.tar.gz tarball inside /etc:
$ sudo tar -C /etc -xzf openvpn-test-server.tar.gz
* start nc on port 389:
$ nc -l -p 389
* In another terminal, start the openvpn server:
$ sudo openvpn --config /etc/openvpn/server.conf
Next you will need an openvpn client, also configured with the SSL certs
as usual, plus "auth-user-pass". This client can be the same for all server tests, if you are testing multiple Ubuntu releases, since what crashes is the server. It also doesn't have to be the fixed package from proposed.
* Install openvpn:
$ sudo apt install openvpn
* Expand the client tarball in /etc:
$ sudo tar -C /etc -xzf openvpn-test-client.tar.gz
* Edit /etc/openvpn/client.conf and change the "remote <hostname>" line to point to your openvpn server's hostname
* Start the client:
$ sudo openvpn --config /etc/openvpn/client.conf
* It will prompt you for username and password. The values you provide are irrelevant:
(...)
Enter Auth Username: asd
Enter Auth Password: ***
The vulnerable server will crash:
root@trusty-openvpn-1602813:/etc/openvpn# openvpn --config server.conf
Tue Jun 20 13:56:55 2017 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Dec 1 2014
Tue Jun 20 13:56:55 2017 TUN/TAP device tun0 opened
Tue Jun 20 13:56:55 2017 Note: Cannot set tx queue length on tun0: Operation not permitted (errno=1)
Tue Jun 20 13:56:55 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Tue Jun 20 13:56:55 2017 /sbin/ip link set dev tun0 up mtu 1500
Tue Jun 20 13:56:55 2017 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Tue Jun 20 13:56:55 2017 UDPv4 link local (bound): [undef]
Tue Jun 20 13:56:55 2017 UDPv4 link remote: [undef]
Tue Jun 20 13:56:55 2017 Initialization Sequence Completed
openvpn: sasl.c:257: ldap_parse_sasl_bind_result: Assertion `res != ((void *)0)' failed.
Aborted (core dumped)
The fixed version will just complain about a timeout error.
[Regression Potential]
The patch is very focused. I believe the biggest regression potential lies in the fact that this package hasn't been rebuilt very often. This new build will be done with the surrounding system libraries having changed a lot since the last time this package was built.
[Other Info]
There are two places in the code which mishandled the return code of ldap_result(). They are essentially identical, but the test case I provided only covers one of them. I believe that to be good enough, as the other code path will require setting up an LDAP server with a populated directory. |
[Impact]
There is a timeout bug in the openvpn-auth-ldap package that causes
OpenVPN to crash when the network timeout is exceeded.
The openvpn-auth-ldap plugin is not correctly checking the error codes from ldap_result. As a result, it is not catching timeouts, and proceeds as if ldap_result was successful. This results in a segfault when access to the result (which is set to Null) is attempted.
Network timeouts are somewhat common and services should be resilient to it. Having a service as a whole crash because of such an occurrence is not acceptable.
This upload fixes the problem by simply including the timeout error case in an existing check. It was clearly just an oversight in that one call, as the remainder of the code does handle timeout errors. It was just never reached.
[Test Case]
To reproduce the problem:
* install openvpn and openvpn-auth-ldap:
$ sudo apt install openvpn openvpn-auth-ldap
* expand the attached openvpn-test-server.tar.gz tarball inside /etc:
$ sudo tar -C /etc -xzf openvpn-test-server.tar.gz
* start nc on port 389:
$ nc -l -p 389
* In another terminal, start the openvpn server:
$ cd /etc/openvpn
$ sudo openvpn --config server.conf
Next you will need an openvpn client, also configured with the SSL certs
as usual, plus "auth-user-pass". This client can be the same for all server tests, if you are testing multiple Ubuntu releases, since what crashes is the server. It also doesn't have to be the fixed package from proposed.
* Install openvpn:
$ sudo apt install openvpn
* Expand the client tarball in /etc:
$ sudo tar -C /etc -xzf openvpn-test-client.tar.gz
* Edit /etc/openvpn/client.conf and change the "remote <hostname>" line to point to your openvpn server's hostname
* Start the client:
$ cd /etc/openvpn
$ sudo openvpn --config client.conf
* It will prompt you for username and password. The values you provide are irrelevant:
(...)
Enter Auth Username: asd
Enter Auth Password: ***
The vulnerable server will crash:
root@trusty-openvpn-1602813:/etc/openvpn$ sudo openvpn --config server.conf
Tue Jun 20 13:56:55 2017 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Dec 1 2014
Tue Jun 20 13:56:55 2017 TUN/TAP device tun0 opened
Tue Jun 20 13:56:55 2017 Note: Cannot set tx queue length on tun0: Operation not permitted (errno=1)
Tue Jun 20 13:56:55 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Tue Jun 20 13:56:55 2017 /sbin/ip link set dev tun0 up mtu 1500
Tue Jun 20 13:56:55 2017 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Tue Jun 20 13:56:55 2017 UDPv4 link local (bound): [undef]
Tue Jun 20 13:56:55 2017 UDPv4 link remote: [undef]
Tue Jun 20 13:56:55 2017 Initialization Sequence Completed
openvpn: sasl.c:257: ldap_parse_sasl_bind_result: Assertion `res != ((void *)0)' failed.
Aborted (core dumped)
The fixed version will just complain about a timeout error.
[Regression Potential]
The patch is very focused. I believe the biggest regression potential lies in the fact that this package hasn't been rebuilt very often. This new build will be done with the surrounding system libraries having changed a lot since the last time this package was built.
[Other Info]
There are two places in the code which mishandled the return code of ldap_result(). They are essentially identical, but the test case I provided only covers one of them. I believe that to be good enough, as the other code path will require setting up an LDAP server with a populated directory. |
|
2017-06-20 14:41:37 |
Andreas Hasenack |
description |
[Impact]
There is a timeout bug in the openvpn-auth-ldap package that causes
OpenVPN to crash when the network timeout is exceeded.
The openvpn-auth-ldap plugin is not correctly checking the error codes from ldap_result. As a result, it is not catching timeouts, and proceeds as if ldap_result was successful. This results in a segfault when access to the result (which is set to Null) is attempted.
Network timeouts are somewhat common and services should be resilient to it. Having a service as a whole crash because of such an occurrence is not acceptable.
This upload fixes the problem by simply including the timeout error case in an existing check. It was clearly just an oversight in that one call, as the remainder of the code does handle timeout errors. It was just never reached.
[Test Case]
To reproduce the problem:
* install openvpn and openvpn-auth-ldap:
$ sudo apt install openvpn openvpn-auth-ldap
* expand the attached openvpn-test-server.tar.gz tarball inside /etc:
$ sudo tar -C /etc -xzf openvpn-test-server.tar.gz
* start nc on port 389:
$ nc -l -p 389
* In another terminal, start the openvpn server:
$ cd /etc/openvpn
$ sudo openvpn --config server.conf
Next you will need an openvpn client, also configured with the SSL certs
as usual, plus "auth-user-pass". This client can be the same for all server tests, if you are testing multiple Ubuntu releases, since what crashes is the server. It also doesn't have to be the fixed package from proposed.
* Install openvpn:
$ sudo apt install openvpn
* Expand the client tarball in /etc:
$ sudo tar -C /etc -xzf openvpn-test-client.tar.gz
* Edit /etc/openvpn/client.conf and change the "remote <hostname>" line to point to your openvpn server's hostname
* Start the client:
$ cd /etc/openvpn
$ sudo openvpn --config client.conf
* It will prompt you for username and password. The values you provide are irrelevant:
(...)
Enter Auth Username: asd
Enter Auth Password: ***
The vulnerable server will crash:
root@trusty-openvpn-1602813:/etc/openvpn$ sudo openvpn --config server.conf
Tue Jun 20 13:56:55 2017 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Dec 1 2014
Tue Jun 20 13:56:55 2017 TUN/TAP device tun0 opened
Tue Jun 20 13:56:55 2017 Note: Cannot set tx queue length on tun0: Operation not permitted (errno=1)
Tue Jun 20 13:56:55 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Tue Jun 20 13:56:55 2017 /sbin/ip link set dev tun0 up mtu 1500
Tue Jun 20 13:56:55 2017 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Tue Jun 20 13:56:55 2017 UDPv4 link local (bound): [undef]
Tue Jun 20 13:56:55 2017 UDPv4 link remote: [undef]
Tue Jun 20 13:56:55 2017 Initialization Sequence Completed
openvpn: sasl.c:257: ldap_parse_sasl_bind_result: Assertion `res != ((void *)0)' failed.
Aborted (core dumped)
The fixed version will just complain about a timeout error.
[Regression Potential]
The patch is very focused. I believe the biggest regression potential lies in the fact that this package hasn't been rebuilt very often. This new build will be done with the surrounding system libraries having changed a lot since the last time this package was built.
[Other Info]
There are two places in the code which mishandled the return code of ldap_result(). They are essentially identical, but the test case I provided only covers one of them. I believe that to be good enough, as the other code path will require setting up an LDAP server with a populated directory. |
[Impact]
There is a timeout bug in the openvpn-auth-ldap package that causes
OpenVPN to crash when the network timeout is exceeded.
The openvpn-auth-ldap plugin is not correctly checking the error codes from ldap_result. As a result, it is not catching timeouts, and proceeds as if ldap_result was successful. This results in a segfault when access to the result (which is set to Null) is attempted.
Network timeouts are somewhat common and services should be resilient to it. Having a service as a whole crash because of such an occurrence is not acceptable.
This upload fixes the problem by simply including the timeout error case in an existing check. It was clearly just an oversight in that one call, as the remainder of the code does handle timeout errors. It was just never reached.
[Test Case]
To reproduce the problem:
* install openvpn and openvpn-auth-ldap:
$ sudo apt install openvpn openvpn-auth-ldap
* expand the attached openvpn-test-server.tar.gz tarball inside /etc:
$ sudo tar -C /etc -xzf openvpn-test-server.tar.gz
* start nc on port 389:
$ sudo nc -l -p 389
* In another terminal, start the openvpn server:
$ cd /etc/openvpn
$ sudo openvpn --config server.conf
Next you will need an openvpn client, also configured with the SSL certs
as usual, plus "auth-user-pass". This client can be the same for all server tests, if you are testing multiple Ubuntu releases, since what crashes is the server. It also doesn't have to be the fixed package from proposed.
* Install openvpn:
$ sudo apt install openvpn
* Expand the client tarball in /etc:
$ sudo tar -C /etc -xzf openvpn-test-client.tar.gz
* Edit /etc/openvpn/client.conf and change the "remote <hostname>" line to point to your openvpn server's hostname
* Start the client:
$ cd /etc/openvpn
$ sudo openvpn --config client.conf
* It will prompt you for username and password. The values you provide are irrelevant:
(...)
Enter Auth Username: asd
Enter Auth Password: ***
The vulnerable server will crash:
root@trusty-openvpn-1602813:/etc/openvpn$ sudo openvpn --config server.conf
Tue Jun 20 13:56:55 2017 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Dec 1 2014
Tue Jun 20 13:56:55 2017 TUN/TAP device tun0 opened
Tue Jun 20 13:56:55 2017 Note: Cannot set tx queue length on tun0: Operation not permitted (errno=1)
Tue Jun 20 13:56:55 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Tue Jun 20 13:56:55 2017 /sbin/ip link set dev tun0 up mtu 1500
Tue Jun 20 13:56:55 2017 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Tue Jun 20 13:56:55 2017 UDPv4 link local (bound): [undef]
Tue Jun 20 13:56:55 2017 UDPv4 link remote: [undef]
Tue Jun 20 13:56:55 2017 Initialization Sequence Completed
openvpn: sasl.c:257: ldap_parse_sasl_bind_result: Assertion `res != ((void *)0)' failed.
Aborted (core dumped)
The fixed version will just complain about a timeout error.
[Regression Potential]
The patch is very focused. I believe the biggest regression potential lies in the fact that this package hasn't been rebuilt very often. This new build will be done with the surrounding system libraries having changed a lot since the last time this package was built.
[Other Info]
There are two places in the code which mishandled the return code of ldap_result(). They are essentially identical, but the test case I provided only covers one of them. I believe that to be good enough, as the other code path will require setting up an LDAP server with a populated directory. |
|
2017-06-20 14:46:08 |
Andreas Hasenack |
description |
[Impact]
There is a timeout bug in the openvpn-auth-ldap package that causes
OpenVPN to crash when the network timeout is exceeded.
The openvpn-auth-ldap plugin is not correctly checking the error codes from ldap_result. As a result, it is not catching timeouts, and proceeds as if ldap_result was successful. This results in a segfault when access to the result (which is set to Null) is attempted.
Network timeouts are somewhat common and services should be resilient to it. Having a service as a whole crash because of such an occurrence is not acceptable.
This upload fixes the problem by simply including the timeout error case in an existing check. It was clearly just an oversight in that one call, as the remainder of the code does handle timeout errors. It was just never reached.
[Test Case]
To reproduce the problem:
* install openvpn and openvpn-auth-ldap:
$ sudo apt install openvpn openvpn-auth-ldap
* expand the attached openvpn-test-server.tar.gz tarball inside /etc:
$ sudo tar -C /etc -xzf openvpn-test-server.tar.gz
* start nc on port 389:
$ sudo nc -l -p 389
* In another terminal, start the openvpn server:
$ cd /etc/openvpn
$ sudo openvpn --config server.conf
Next you will need an openvpn client, also configured with the SSL certs
as usual, plus "auth-user-pass". This client can be the same for all server tests, if you are testing multiple Ubuntu releases, since what crashes is the server. It also doesn't have to be the fixed package from proposed.
* Install openvpn:
$ sudo apt install openvpn
* Expand the client tarball in /etc:
$ sudo tar -C /etc -xzf openvpn-test-client.tar.gz
* Edit /etc/openvpn/client.conf and change the "remote <hostname>" line to point to your openvpn server's hostname
* Start the client:
$ cd /etc/openvpn
$ sudo openvpn --config client.conf
* It will prompt you for username and password. The values you provide are irrelevant:
(...)
Enter Auth Username: asd
Enter Auth Password: ***
The vulnerable server will crash:
root@trusty-openvpn-1602813:/etc/openvpn$ sudo openvpn --config server.conf
Tue Jun 20 13:56:55 2017 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Dec 1 2014
Tue Jun 20 13:56:55 2017 TUN/TAP device tun0 opened
Tue Jun 20 13:56:55 2017 Note: Cannot set tx queue length on tun0: Operation not permitted (errno=1)
Tue Jun 20 13:56:55 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Tue Jun 20 13:56:55 2017 /sbin/ip link set dev tun0 up mtu 1500
Tue Jun 20 13:56:55 2017 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Tue Jun 20 13:56:55 2017 UDPv4 link local (bound): [undef]
Tue Jun 20 13:56:55 2017 UDPv4 link remote: [undef]
Tue Jun 20 13:56:55 2017 Initialization Sequence Completed
openvpn: sasl.c:257: ldap_parse_sasl_bind_result: Assertion `res != ((void *)0)' failed.
Aborted (core dumped)
The fixed version will just complain about a timeout error.
[Regression Potential]
The patch is very focused. I believe the biggest regression potential lies in the fact that this package hasn't been rebuilt very often. This new build will be done with the surrounding system libraries having changed a lot since the last time this package was built.
[Other Info]
There are two places in the code which mishandled the return code of ldap_result(). They are essentially identical, but the test case I provided only covers one of them. I believe that to be good enough, as the other code path will require setting up an LDAP server with a populated directory. |
[Impact]
There is a timeout bug in the openvpn-auth-ldap package that causes
OpenVPN to crash when the network timeout is exceeded.
The openvpn-auth-ldap plugin is not correctly checking the error codes from ldap_result. As a result, it is not catching timeouts, and proceeds as if ldap_result was successful. This results in a segfault when access to the result (which is set to Null) is attempted.
Network timeouts are somewhat common and services should be resilient to it. Having a service as a whole crash because of such an occurrence is not acceptable.
This upload fixes the problem by simply including the timeout error case in an existing check. It was clearly just an oversight in that one call, as the remainder of the code does handle timeout errors. It was just never reached.
[Test Case]
To reproduce the problem in an openvpn server:
* install openvpn and openvpn-auth-ldap:
$ sudo apt install openvpn openvpn-auth-ldap
* expand the attached openvpn-test-server.tar.gz tarball inside /etc:
$ sudo tar -C /etc -xzf openvpn-test-server.tar.gz
* start nc on port 389:
$ sudo nc -l -p 389
* In another terminal, start the openvpn server:
$ cd /etc/openvpn
$ sudo openvpn --config server.conf
Next you will need an openvpn client, also configured with the SSL certs
as usual, plus "auth-user-pass". This client can be the same for all server tests, if you are testing multiple Ubuntu releases, since what crashes is the server. It also doesn't have to be the fixed package from proposed.
* Install openvpn:
$ sudo apt install openvpn
* Expand the client tarball in /etc:
$ sudo tar -C /etc -xzf openvpn-test-client.tar.gz
* Edit /etc/openvpn/client.conf and change the "remote <hostname>" line to point to your openvpn server's hostname
* Start the client:
$ cd /etc/openvpn
$ sudo openvpn --config client.conf
* It will prompt you for username and password. The values you provide are irrelevant:
(...)
Enter Auth Username: asd
Enter Auth Password: ***
The vulnerable server will crash:
root@trusty-openvpn-1602813:/etc/openvpn$ sudo openvpn --config server.conf
Tue Jun 20 13:56:55 2017 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Dec 1 2014
Tue Jun 20 13:56:55 2017 TUN/TAP device tun0 opened
Tue Jun 20 13:56:55 2017 Note: Cannot set tx queue length on tun0: Operation not permitted (errno=1)
Tue Jun 20 13:56:55 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Tue Jun 20 13:56:55 2017 /sbin/ip link set dev tun0 up mtu 1500
Tue Jun 20 13:56:55 2017 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Tue Jun 20 13:56:55 2017 UDPv4 link local (bound): [undef]
Tue Jun 20 13:56:55 2017 UDPv4 link remote: [undef]
Tue Jun 20 13:56:55 2017 Initialization Sequence Completed
openvpn: sasl.c:257: ldap_parse_sasl_bind_result: Assertion `res != ((void *)0)' failed.
Aborted (core dumped)
The fixed version will just complain about a timeout error.
[Regression Potential]
The patch is very focused. I believe the biggest regression potential lies in the fact that this package hasn't been rebuilt very often. This new build will be done with the surrounding system libraries having changed a lot since the last time this package was built.
[Other Info]
There are two places in the code which mishandled the return code of ldap_result(). They are essentially identical, but the test case I provided only covers one of them. I believe that to be good enough, as the other code path will require setting up an LDAP server with a populated directory. |
|
2017-06-20 15:56:31 |
Andreas Hasenack |
description |
[Impact]
There is a timeout bug in the openvpn-auth-ldap package that causes
OpenVPN to crash when the network timeout is exceeded.
The openvpn-auth-ldap plugin is not correctly checking the error codes from ldap_result. As a result, it is not catching timeouts, and proceeds as if ldap_result was successful. This results in a segfault when access to the result (which is set to Null) is attempted.
Network timeouts are somewhat common and services should be resilient to it. Having a service as a whole crash because of such an occurrence is not acceptable.
This upload fixes the problem by simply including the timeout error case in an existing check. It was clearly just an oversight in that one call, as the remainder of the code does handle timeout errors. It was just never reached.
[Test Case]
To reproduce the problem in an openvpn server:
* install openvpn and openvpn-auth-ldap:
$ sudo apt install openvpn openvpn-auth-ldap
* expand the attached openvpn-test-server.tar.gz tarball inside /etc:
$ sudo tar -C /etc -xzf openvpn-test-server.tar.gz
* start nc on port 389:
$ sudo nc -l -p 389
* In another terminal, start the openvpn server:
$ cd /etc/openvpn
$ sudo openvpn --config server.conf
Next you will need an openvpn client, also configured with the SSL certs
as usual, plus "auth-user-pass". This client can be the same for all server tests, if you are testing multiple Ubuntu releases, since what crashes is the server. It also doesn't have to be the fixed package from proposed.
* Install openvpn:
$ sudo apt install openvpn
* Expand the client tarball in /etc:
$ sudo tar -C /etc -xzf openvpn-test-client.tar.gz
* Edit /etc/openvpn/client.conf and change the "remote <hostname>" line to point to your openvpn server's hostname
* Start the client:
$ cd /etc/openvpn
$ sudo openvpn --config client.conf
* It will prompt you for username and password. The values you provide are irrelevant:
(...)
Enter Auth Username: asd
Enter Auth Password: ***
The vulnerable server will crash:
root@trusty-openvpn-1602813:/etc/openvpn$ sudo openvpn --config server.conf
Tue Jun 20 13:56:55 2017 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Dec 1 2014
Tue Jun 20 13:56:55 2017 TUN/TAP device tun0 opened
Tue Jun 20 13:56:55 2017 Note: Cannot set tx queue length on tun0: Operation not permitted (errno=1)
Tue Jun 20 13:56:55 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Tue Jun 20 13:56:55 2017 /sbin/ip link set dev tun0 up mtu 1500
Tue Jun 20 13:56:55 2017 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Tue Jun 20 13:56:55 2017 UDPv4 link local (bound): [undef]
Tue Jun 20 13:56:55 2017 UDPv4 link remote: [undef]
Tue Jun 20 13:56:55 2017 Initialization Sequence Completed
openvpn: sasl.c:257: ldap_parse_sasl_bind_result: Assertion `res != ((void *)0)' failed.
Aborted (core dumped)
The fixed version will just complain about a timeout error.
[Regression Potential]
The patch is very focused. I believe the biggest regression potential lies in the fact that this package hasn't been rebuilt very often. This new build will be done with the surrounding system libraries having changed a lot since the last time this package was built.
[Other Info]
There are two places in the code which mishandled the return code of ldap_result(). They are essentially identical, but the test case I provided only covers one of them. I believe that to be good enough, as the other code path will require setting up an LDAP server with a populated directory. |
[Impact]
There is a timeout bug in the openvpn-auth-ldap package that causes
OpenVPN to crash when the network timeout is exceeded.
The openvpn-auth-ldap plugin is not correctly checking the error codes from ldap_result. As a result, it is not catching timeouts, and proceeds as if ldap_result was successful. This results in a segfault when access to the result (which is set to Null) is attempted.
Network timeouts are somewhat common and services should be resilient to it. Having a service as a whole crash because of such an occurrence is not acceptable.
This upload fixes the problem by simply including the timeout error case in an existing check. It was clearly just an oversight in that one call, as the remainder of the code does handle timeout errors. It was just never reached.
[Test Case]
To reproduce the problem in an openvpn server:
* install openvpn and openvpn-auth-ldap:
$ sudo apt install openvpn openvpn-auth-ldap
* expand the attached openvpn-test-server.tar.gz tarball inside /etc:
$ sudo tar -C /etc -xzf openvpn-test-server.tar.gz
* start nc on port 389:
$ sudo nc -l -p 389
* In another terminal, start the openvpn server:
$ cd /etc/openvpn
$ sudo openvpn --config server.conf
Next you will need an openvpn client, also configured with the SSL certs
as usual, plus "auth-user-pass". This client can be the same for all server tests, if you are testing multiple Ubuntu releases, since what crashes is the server. It also doesn't have to be the fixed package from proposed.
* Install openvpn:
$ sudo apt install openvpn
* Expand the client tarball in /etc:
$ sudo tar -C /etc -xzf openvpn-test-client.tar.gz
* Edit /etc/openvpn/client.conf and change the "remote <hostname>" line to point to your openvpn server's hostname
* Start the client:
$ cd /etc/openvpn
$ sudo openvpn --config client.conf
* It will prompt you for username and password. The values you provide are irrelevant:
(...)
Enter Auth Username: asd
Enter Auth Password: ***
The vulnerable server will crash:
root@trusty-openvpn-1602813:/etc/openvpn$ sudo openvpn --config server.conf
Tue Jun 20 13:56:55 2017 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Dec 1 2014
Tue Jun 20 13:56:55 2017 TUN/TAP device tun0 opened
Tue Jun 20 13:56:55 2017 Note: Cannot set tx queue length on tun0: Operation not permitted (errno=1)
Tue Jun 20 13:56:55 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Tue Jun 20 13:56:55 2017 /sbin/ip link set dev tun0 up mtu 1500
Tue Jun 20 13:56:55 2017 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Tue Jun 20 13:56:55 2017 UDPv4 link local (bound): [undef]
Tue Jun 20 13:56:55 2017 UDPv4 link remote: [undef]
Tue Jun 20 13:56:55 2017 Initialization Sequence Completed
openvpn: sasl.c:257: ldap_parse_sasl_bind_result: Assertion `res != ((void *)0)' failed.
Aborted (core dumped)
The fixed version will just complain about a timeout error and remain running:
(...)
LDAP bind failed: Timed out
Unable to bind as uid=john,ou=People,dc=lxd
LDAP connect failed.
Tue Jun 20 15:55:51 2017 10.0.100.162:1194 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/openvpn-auth-ldap.so
Tue Jun 20 15:55:51 2017 10.0.100.162:1194 TLS Auth Error: Auth Username/Password verification failed for peer
Tue Jun 20 15:55:51 2017 10.0.100.162:1194 [client] Peer Connection Initiated with [AF_INET]10.0.100.162:1194
[Regression Potential]
The patch is very focused. I believe the biggest regression potential lies in the fact that this package hasn't been rebuilt very often. This new build will be done with the surrounding system libraries having changed a lot since the last time this package was built.
[Other Info]
There are two places in the code which mishandled the return code of ldap_result(). They are essentially identical, but the test case I provided only covers one of them. I believe that to be good enough, as the other code path will require setting up an LDAP server with a populated directory. |
|
2017-06-20 21:24:23 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~ahasenack/ubuntu/+source/openvpn-auth-ldap/+git/openvpn-auth-ldap/+merge/326032 |
|
2017-06-20 21:24:51 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~ahasenack/ubuntu/+source/openvpn-auth-ldap/+git/openvpn-auth-ldap/+merge/326033 |
|
2017-06-20 21:25:10 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~ahasenack/ubuntu/+source/openvpn-auth-ldap/+git/openvpn-auth-ldap/+merge/326034 |
|
2017-06-20 21:25:24 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~ahasenack/ubuntu/+source/openvpn-auth-ldap/+git/openvpn-auth-ldap/+merge/326035 |
|
2017-06-20 21:26:52 |
Andreas Hasenack |
bug |
|
|
added subscriber Ubuntu Sponsors Team |
2017-07-05 20:26:26 |
Nish Aravamudan |
removed subscriber Ubuntu Sponsors Team |
|
|
|
2017-07-06 19:06:11 |
Andreas Hasenack |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2017-07-13 17:52:55 |
Brian Murray |
openvpn-auth-ldap (Ubuntu Yakkety): status |
In Progress |
Won't Fix |
|
2017-07-13 17:53:49 |
Brian Murray |
openvpn-auth-ldap (Ubuntu Zesty): status |
In Progress |
Fix Committed |
|
2017-07-13 17:53:53 |
Brian Murray |
bug |
|
|
added subscriber SRU Verification |
2017-07-13 17:54:00 |
Brian Murray |
tags |
amd64 apport-crash bitesize ec2-images patch trusty |
amd64 apport-crash bitesize ec2-images patch trusty verification-needed verification-needed-zesty |
|
2017-07-13 17:55:26 |
Brian Murray |
openvpn-auth-ldap (Ubuntu Xenial): status |
In Progress |
Fix Committed |
|
2017-07-13 17:55:33 |
Brian Murray |
tags |
amd64 apport-crash bitesize ec2-images patch trusty verification-needed verification-needed-zesty |
amd64 apport-crash bitesize ec2-images patch trusty verification-needed verification-needed-xenial verification-needed-zesty |
|
2017-07-13 17:57:09 |
Brian Murray |
openvpn-auth-ldap (Ubuntu Trusty): status |
In Progress |
Fix Committed |
|
2017-07-13 17:57:17 |
Brian Murray |
tags |
amd64 apport-crash bitesize ec2-images patch trusty verification-needed verification-needed-xenial verification-needed-zesty |
amd64 apport-crash bitesize ec2-images patch trusty verification-needed verification-needed-trusty verification-needed-xenial verification-needed-zesty |
|
2017-07-24 15:15:11 |
Andreas Hasenack |
tags |
amd64 apport-crash bitesize ec2-images patch trusty verification-needed verification-needed-trusty verification-needed-xenial verification-needed-zesty |
amd64 apport-crash bitesize ec2-images patch trusty verification-done-zesty verification-needed verification-needed-trusty verification-needed-xenial |
|
2017-07-24 16:52:30 |
Andreas Hasenack |
tags |
amd64 apport-crash bitesize ec2-images patch trusty verification-done-zesty verification-needed verification-needed-trusty verification-needed-xenial |
amd64 apport-crash bitesize ec2-images patch trusty verification-done-xenial verification-done-zesty verification-needed verification-needed-trusty |
|
2017-07-24 17:06:36 |
Andreas Hasenack |
tags |
amd64 apport-crash bitesize ec2-images patch trusty verification-done-xenial verification-done-zesty verification-needed verification-needed-trusty |
amd64 apport-crash bitesize ec2-images patch trusty verification-done-trusty verification-done-xenial verification-done-zesty verification-needed |
|
2017-07-27 20:16:55 |
Launchpad Janitor |
openvpn-auth-ldap (Ubuntu Trusty): status |
Fix Committed |
Fix Released |
|
2017-07-27 20:16:59 |
Brian Murray |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2017-07-27 20:17:47 |
Launchpad Janitor |
openvpn-auth-ldap (Ubuntu Zesty): status |
Fix Committed |
Fix Released |
|
2017-07-27 20:18:02 |
Launchpad Janitor |
openvpn-auth-ldap (Ubuntu Xenial): status |
Fix Committed |
Fix Released |
|
2019-09-09 14:21:31 |
Bug Watch Updater |
openvpn-auth-ldap (Debian): status |
New |
Fix Released |
|