Opened 5 years ago

Closed 5 years ago

#419 closed Bug / Defect (fixed)

Vulnerability in bundled LZO compression code

Reported by: hanno Owned by: Samuli Seppänen
Priority: major Milestone: release 2.3.6
Component: Generic / unclassified Version: OpenVPN 2.3.4 (Community Ed)
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords:
Cc:

Description

It has been reported that the compression code for the LZO algorithm has an integer overflow:
http://blog.securitymouse.com/2014/06/raising-lazarus-20-year-old-bug-that.html
Amongst many other software projects OpenVPN bundles the LZO code, so it is probably affected.

Change History (6)

comment:1 Changed 5 years ago by hanno

CVE for the original LZO code is CVE-2014-4607.

comment:2 Changed 5 years ago by Gert Döring

Owner: set to Samuli Seppänen
Status: newassigned
Version: 2.2.22.3.4

We do not bundle LZO but use what the operating system / package management provides (except for Windows, where we indeed provide binaries with compiled in LZO).

We have discussed this vulnerability and came to the conclusion that OpenVPN is not affected, as exploitation requires decompression of 16 mbyte of zero data. OpenVPN decompresses each packet individually, not carrying over state to the next packet, so this is just plain impossible to achieve for UDP (max 64 kbyte including fragmentation), and for TCP, OpenVPN enforces a maximum "openvpn packet lenght" depending on MTU etc., so also well below 16mb.

... it might still be reasonable to re-spin the windows packages with lzo 2.07 to avoid repetitions of this question :-)

comment:3 Changed 5 years ago by Samuli Seppänen

The later LZO version require some patches to compile using openvpn-build. Afaik pekster has those patches, so I definitely need to bite the bullet at some point and respin the installers.

comment:4 Changed 5 years ago by Samuli Seppänen

Milestone: release 2.3.6

comment:5 Changed 5 years ago by Samuli Seppänen

lzo-2.0.8 actually builds using openvpn-build, so it lzo will get updated in next Windows installer release.

comment:6 Changed 5 years ago by Gert Döring

Resolution: fixed
Status: assignedclosed

Tried the 2.3.6-I001-x86_64 installer, and "openvpn --version" says "LZO 2.08".

Same thing for the 2.3.6-I601-i686 installer.

So I think we can close this ticket for good \o/

Note: See TracTickets for help on using tickets.