[oe] [meta-networking][PATCH][Dizzy] openvpn: fix CVE-2014-8104

[Armin Kuster]

This addresses a security fix for openvpn CVE-2014-8104

Signed-off-by: Armin Kuster <akuster at mvista.com>
---
 .../openvpn/openvpn/CVE-2014-8104.patch            | 54 ++++++++++++++++++++++
 .../recipes-support/openvpn/openvpn_2.3.4.bb       |  4 +-
 2 files changed, 57 insertions(+), 1 deletion(-)
 create mode 100644 meta-networking/recipes-support/openvpn/openvpn/CVE-2014-8104.patch

diff --git a/meta-networking/recipes-support/openvpn/openvpn/CVE-2014-8104.patch b/meta-networking/recipes-support/openvpn/openvpn/CVE-2014-8104.patch
new file mode 100644
index 0000000..a032b87
--- /dev/null
+++ b/meta-networking/recipes-support/openvpn/openvpn/CVE-2014-8104.patch
@@ -0,0 +1,54 @@
+openvpn: CVE-2014-8014
+
+From 97597e732bda083e9aefc7a9f1b05056bf6ffd55 Mon Sep 17 00:00:00 2001
+From: Steffan Karger <steffan.karger at fox-it.com>
+Date: Thu, 20 Nov 2014 13:43:05 +0100
+Subject: [PATCH] Drop too-short control channel packets instead of asserting
+ out.
+
+This fixes a denial-of-service vulnerability where an authenticated client
+could stop the server by triggering a server-side ASSERT().
+
+OpenVPN would previously ASSERT() that control channel packets have a
+payload of at least 4 bytes. An authenticated client could trigger this
+assert by sending a too-short control channel packet to the server.
+
+Thanks to Dragana Damjanovic for reporting the issue.
+
+This bug has been assigned CVE-2014-8104.
+
+Signed-off-by: Steffan Karger <steffan.karger at fox-it.com>
+Acked-by: Gert Doering <gert at greenie.muc.de>
+Message-Id: <1CED409804E2164C8104F9E623B08B9018803B0FE7 at FOXDFT02.FOX.local>
+Signed-off-by: Gert Doering <gert at greenie.muc.de>
+(cherry picked from commit c5590a6821e37f3b29735f55eb0c2b9c0924138c)
+
+Upstream-Status: Backport
+
+Armin Kuster <akuster at mvista.com>
+
+
+---
+ src/openvpn/ssl.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
+index 2373582..daffbf3 100644
+--- a/src/openvpn/ssl.c
++++ b/src/openvpn/ssl.c
+@@ -2035,7 +2035,11 @@ key_method_2_read (struct buffer *buf, struct tls_multi *multi, struct tls_sessi
+   ASSERT (session->opt->key_method == 2);
+ 
+   /* discard leading uint32 */
+-  ASSERT (buf_advance (buf, 4));
++  if (!buf_advance (buf, 4)) {
++    msg (D_TLS_ERRORS, "TLS ERROR: Plaintext buffer too short (%d bytes).",
++	buf->len);
++    goto error;
++  }
+ 
+   /* get key method */
+   key_method_flags = buf_read_u8 (buf);
+-- 
+1.9.1
+
diff --git a/meta-networking/recipes-support/openvpn/openvpn_2.3.4.bb b/meta-networking/recipes-support/openvpn/openvpn_2.3.4.bb
index 1fb722a..d91fb45 100644
--- a/meta-networking/recipes-support/openvpn/openvpn_2.3.4.bb
+++ b/meta-networking/recipes-support/openvpn/openvpn_2.3.4.bb
@@ -8,7 +8,9 @@ DEPENDS = "lzo openssl iproute2 ${@base_contains('DISTRO_FEATURES', 'pam', 'libp
 inherit autotools
 
 SRC_URI = "http://swupdate.openvpn.org/community/releases/openvpn-${PV}.tar.gz \
-           file://openvpn"
+           file://openvpn \
+           file://CVE-2014-8104.patch \
+           "
 
 SRC_URI[md5sum] = "04d47237907faabe9d046970ffe44b2e"
 SRC_URI[sha256sum] = "af506d5f48568fa8d2f2435cb3fad35f9a9a8f263999ea6df3ba296960cec85a"
-- 
1.9.1