FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

openvpn -- 2.6.0...2.6.6 --fragment option division by zero crash, and TLS data leak

Affected packages
2.6.0 <= openvpn < 2.6.7_1
openvpn-devel < g20231109,1

Details

VuXML ID 2fe004f5-83fd-11ee-9f5d-31909fb2f495
Discovery 2023-08-29
Entry 2023-11-15
Modified 2023-12-31

The OpenVPN community project team reports:

CVE-2023-46849 OpenVPN versions between 2.6.0 and 2.6.6 incorrectly restore "--fragment" configuration in some circumstances, leading to a division by zero when "--fragment" is used. On platforms where division by zero is fatal, this will cause an OpenVPN crash.
Reported by Niccolo Belli and WIPocket (Github #400, #417).

CVE-2023-46850 OpenVPN versions between 2.6.0 and 2.6.6 incorrectly use a send buffer after it has been free()d in some circumstances, causing some free()d memory to be sent to the peer. All configurations using TLS (e.g. not using --secret) are affected by this issue. (found while tracking down CVE-2023-46849 / Github #400, #417)
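
An added example, not part of the VuXML entry or of OpenVPN's code: a Python check that combines the openvpn package range listed under "Affected packages" with the two configuration conditions in the report above (use of fragment, and TLS mode, i.e. no secret directive). The function names and sample configurations are constructed for illustration; the openvpn-devel range and PORTEPOCH ordering are not handled.

```python
import re

# Range from "Affected packages": 2.6.0 <= openvpn < 2.6.7_1
AFFECTED_FROM = (2, 6, 0, 0)
FIXED_IN = (2, 6, 7, 1)  # 2.6.7 with PORTREVISION 1

def parse_pkg_version(version):
    """Return (major, minor, patch, portrevision) for strings like '2.6.7_1'."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?(?:,\d+)?", version)
    if m is None:
        raise ValueError(f"unrecognised package version: {version!r}")
    return tuple(int(g or 0) for g in m.groups())

def directives(config_text):
    """Collect directive names from an OpenVPN config, skipping comments."""
    names = set()
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        # Accept 'fragment', '--fragment' and inline '<secret>' spellings.
        names.add(line.split()[0].lstrip("-").strip("<>"))
    return names

def exposure(pkg_version, config_text):
    """List the CVEs from this entry whose stated conditions match."""
    if not AFFECTED_FROM <= parse_pkg_version(pkg_version) < FIXED_IN:
        return []
    names = directives(config_text)
    hits = []
    if "fragment" in names:       # CVE-2023-46849 needs --fragment in use
        hits.append("CVE-2023-46849")
    if "secret" not in names:     # CVE-2023-46850: TLS mode, i.e. no --secret
        hits.append("CVE-2023-46850")
    return hits

# Constructed sample configurations (not taken from the advisory).
TLS_WITH_FRAGMENT = "client\nremote vpn.example.net 1194 udp\nfragment 1300\n"
STATIC_KEY = "remote vpn.example.net 1194 udp\nsecret static.key\n"

if __name__ == "__main__":
    for ver, cfg in [("2.6.5", TLS_WITH_FRAGMENT), ("2.6.5", STATIC_KEY),
                     ("2.6.7_1", TLS_WITH_FRAGMENT)]:
        print(ver, exposure(ver, cfg) or "no match")
```

The check only sees directives written in the file it is given; options passed on the command line are not covered.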

References

CVE Name CVE-2023-46849
CVE Name CVE-2023-46850
URL https://github.com/OpenVPN/openvpn/blob/v2.6.7/Changes.rst#overview-of-changes-in-267