Opened 10 years ago
Closed 10 years ago
#419 closed Bug / Defect (fixed)
Vulnerability in bundled LZO compression code
| Reported by: | hanno | Owned by: | Samuli Seppänen |
|---|---|---|---|
| Priority: | major | Milestone: | release 2.3.6 |
| Component: | Generic / unclassified | Version: | OpenVPN 2.3.4 (Community Ed) |
| Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | |
| Cc: | | | |
Description
It has been reported that the compression code for the LZO algorithm has an integer overflow:
http://blog.securitymouse.com/2014/06/raising-lazarus-20-year-old-bug-that.html
Amongst many other software projects OpenVPN bundles the LZO code, so it is probably affected.
Change History (6)
comment:1 Changed 10 years ago by
comment:2 Changed 10 years ago by
| Owner: | set to Samuli Seppänen |
|---|---|
| Status: | new → assigned |
| Version: | 2.2.2 → 2.3.4 |
We do not bundle LZO but use what the operating system / package management provides (except for Windows, where we indeed provide binaries with compiled in LZO).
We have discussed this vulnerability and came to the conclusion that OpenVPN is not affected, as exploitation requires decompression of 16 mbyte of zero data. OpenVPN decompresses each packet individually, not carrying over state to the next packet, so this is just plain impossible to achieve for UDP (max 64 kbyte including fragmentation), and for TCP, OpenVPN enforces a maximum "openvpn packet length" depending on MTU etc., so also well below 16mb.
... it might still be reasonable to re-spin the windows packages with lzo 2.07 to avoid repetitions of this question :-)
comment:3 Changed 10 years ago by
The later LZO versions require some patches to compile using openvpn-build. Afaik pekster has those patches, so I definitely need to bite the bullet at some point and respin the installers.
comment:4 Changed 10 years ago by
| Milestone: | → release 2.3.6 |
|---|---|
comment:5 Changed 10 years ago by
lzo-2.0.8 actually builds using openvpn-build, so LZO will get updated in the next Windows installer release.
comment:6 Changed 10 years ago by
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
Tried the 2.3.6-I001-x86_64 installer, and "openvpn --version" says "LZO 2.08".
Same thing for the 2.3.6-I601-i686 installer.
So I think we can close this ticket for good \o/
CVE for the original LZO code is CVE-2014-4607.
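The verification step in comment 6 (read the LZO version out of `openvpn --version`) is easy to automate across a fleet. The following is an added example, not code from this ticket or from the OpenVPN project: it parses the `LZO x.y` token that `openvpn --version` prints in its library-versions line and compares it numerically against 2.07, the first release the ticket names as carrying the fix for CVE-2014-4607. The sample output string is constructed for the example, and the `openvpn` binary name is an assumption.

```python
import re
import subprocess
from typing import Optional, Tuple

# Earliest LZO release the ticket treats as fixed (comment 2: "re-spin ... with lzo 2.07").
MIN_LZO_VERSION: Tuple[int, int] = (2, 7)

# Constructed sample of `openvpn --version` output (not captured from a real host);
# the "LZO 2.08" token is what the ticket reports for the 2.3.6 installers.
SAMPLE_VERSION_OUTPUT = """OpenVPN 2.3.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Dec  1 2014
library versions: OpenSSL 1.0.1j 15 Oct 2014, LZO 2.08
"""


def parse_lzo_version(version_output: str) -> Optional[Tuple[int, int]]:
    """Return the (major, minor) LZO version named in `openvpn --version` output,
    or None when no "LZO <major>.<minor>" token is present (e.g. built without LZO)."""
    match = re.search(r"\bLZO (\d+)\.(\d+)", version_output)
    if match is None:
        return None
    return int(match.group(1)), int(match.group(2))


def lzo_is_patched(version_output: str) -> bool:
    """True when the linked LZO is at or above MIN_LZO_VERSION.
    Tuples are compared numerically, so 2.10 correctly ranks above 2.07
    (a plain string comparison would get that wrong)."""
    version = parse_lzo_version(version_output)
    return version is not None and version >= MIN_LZO_VERSION


def check_local_openvpn(binary: str = "openvpn") -> Optional[bool]:
    """Run the local binary (assumed name) and report whether its LZO is patched.
    Returns None when the binary cannot be executed."""
    try:
        completed = subprocess.run(
            [binary, "--version"], capture_output=True, text=True, timeout=10
        )
    except (OSError, subprocess.SubprocessError):
        return None
    return lzo_is_patched(completed.stdout + completed.stderr)


if __name__ == "__main__":
    print("sample output ->", parse_lzo_version(SAMPLE_VERSION_OUTPUT),
          "patched" if lzo_is_patched(SAMPLE_VERSION_OUTPUT) else "NOT patched")
    print("local openvpn ->", check_local_openvpn())
```

Because the bundled LZO only matters for the Windows installers, the local check is mostly useful there; on other platforms the package manager's LZO version is the thing to audit.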