From 0b1b91273f373c369f49adbcf9b597f6a319ec21 Mon Sep 17 00:00:00 2001 From: deepin-ci-robot Date: Tue, 19 May 2026 13:19:01 +0800 Subject: [PATCH] fix(openvpn): CVE-2025-13086 - Fix inverted memcmp check for HMAC verification in 3-way handshake - Add deepin changelog entry with correct version suffix - Resolve patch conflicts via quilt refresh Co-authored-by: hudeng --- debian/changelog | 7 +++++ debian/patches/CVE-2025-13086.patch | 45 +++++++++++++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 53 insertions(+) create mode 100644 debian/patches/CVE-2025-13086.patch diff --git a/debian/changelog b/debian/changelog index b02ee63..225145f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +openvpn (2.6.14-3deepin1) unstable; urgency=medium + + * CVE-2025-13086: Fix inverted memcmp check for HMAC verification in the + 3-way handshake, which allowed source IP address validation bypass. + + -- deepin-ci-robot Sat, 17 May 2026 02:45:00 +0800 + openvpn (2.6.14-2) unstable; urgency=medium * Cherry-pick upstream fix to build with Kernel 6.16+ (Closes: #1114249) diff --git a/debian/patches/CVE-2025-13086.patch b/debian/patches/CVE-2025-13086.patch new file mode 100644 index 0000000..dd1e15a --- /dev/null +++ b/debian/patches/CVE-2025-13086.patch 
@@ -0,0 +1,45 @@ +From: Arne Schwabe +Date: Mon, 27 Oct 2025 10:05:55 +0100 +Subject: Fix memcmp check for the hmac verification in the 3way handshake + being inverted + +This is a stupid mistake but causes all hmac cookies to be accepted, +thus breaking source IP address validation. As a consequence, TLS +sessions can be opened and state can be consumed in the server from +IP addresses that did not initiate an initial connection. + +While at it, fix check to only allow [t-2;t] timeslots, disallowing +HMACs coming in from a future timeslot. + +CVE-2025-13086 + +Upstream: https://github.com/OpenVPN/openvpn/commit/fa6a1824b0f37bff137204156a74ca28cf5b6f83 + +Signed-off-by: Arne Schwabe +Acked-by: Max Fillinger +--- + src/openvpn/ssl_pkt.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +Index: openvpn-fix2/src/openvpn/ssl_pkt.c +=================================================================== +--- openvpn-fix2.orig/src/openvpn/ssl_pkt.c ++++ openvpn-fix2/src/openvpn/ssl_pkt.c +@@ -545,13 +545,14 @@ check_session_id_hmac(struct tls_pre_dec + return false; + } + +- /* check adjacent timestamps too */ +- for (int offset = -2; offset <= 1; offset++) ++ /* check adjacent timestamps too, the handwindow is split in 2 for the ++ * offset, so we check the current timeslot and the two before that */ ++ for (int offset = -2; offset <= 0; offset++) + { + struct session_id expected_id = + calculate_session_id_hmac(state->peer_session_id, from, hmac, handwindow, offset); + +- if (memcmp_constant_time(&expected_id, &state->server_session_id, SID_SIZE)) ++ if (memcmp_constant_time(&expected_id, &state->server_session_id, SID_SIZE) == 0) + { + return true; + } diff --git a/debian/patches/series b/debian/patches/series index d5ac487..a8b978d 100644 --- a/debian/patches/series +++ b/debian/patches/series 
@@ -3,3 +3,4 @@ auth-pam_libpam_so_filename.patch #debian_nogroup_for_sample_files.patch openvpn-pkcs11warn.patch avoid-redefining-ovpn-enums.patch +CVE-2025-13086.patch
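Review bot: the new debian/changelog trailer carries a wrong day of week: `-- deepin-ci-robot Sat, 17 May 2026 02:45:00 +0800` names 17 May 2026 a Saturday, but the patch's own `From:` line dates 19 May 2026 as a Tuesday, which makes 17 May a Sunday. Either correct the token to `Sun, 17 May 2026 02:45:00 +0800` or let the tooling stamp the real build time (`dch -r`); an inconsistent trailer date is exactly the kind of thing dpkg-parsechangelog and lintian complain about, and it undercuts the "correct version suffix" claim in the commit message.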
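Review bot: the header of debian/patches/CVE-2025-13086.patch uses a non-standard `Upstream:` field and leaks the local working tree name; for DEP-3 it should be `Origin: upstream, https://github.com/OpenVPN/openvpn/commit/fa6a1824b0f37bff137204156a74ca28cf5b6f83` (plus a `Bug:` / `Bug-Debian:` line if one exists), and the `Index: openvpn-fix2/src/openvpn/ssl_pkt.c` / `--- openvpn-fix2.orig/...` lines should be regenerated as `a/` and `b/` paths with `quilt refresh -p ab --no-index --no-timestamps` (the usual `QUILT_REFRESH_ARGS` in `~/.quiltrc`), so the patch does not depend on the directory it was refreshed in. The code change itself is right: `memcmp_constant_time()` returns 0 on a match, so `== 0` is the correct acceptance test, and tightening the loop to `offset <= 0` makes the accepted window `[t-2; t]` as the new comment describes; the hunk header `-545,13 +545,14` agrees with the stated 4 insertions / 3 deletions.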