openvpn-auth-ldap causing segfault on network timeout

Bug #1602813 reported by Foxpass Dev
Affects Status Importance Assigned to Milestone
openvpn-auth-ldap (Debian)
Fix Released
Unknown
openvpn-auth-ldap (Ubuntu)
Fix Released
Medium
Andreas Hasenack
Trusty
Fix Released
Medium
Andreas Hasenack
Xenial
Fix Released
Medium
Andreas Hasenack
Yakkety
Won't Fix
Medium
Andreas Hasenack
Zesty
Fix Released
Medium
Andreas Hasenack

Bug Description

[Impact]
There is a timeout bug in the openvpn-auth-ldap package that causes
OpenVPN to crash when the network timeout is exceeded.

The openvpn-auth-ldap plugin is not correctly checking the error codes from ldap_result. As a result, it is not catching timeouts, and proceeds as if ldap_result was successful. This results in a segfault when access to the result (which is set to NULL) is attempted.

Network timeouts are somewhat common and services should be resilient to them. Having a service as a whole crash because of such an occurrence is not acceptable.

This upload fixes the problem by simply including the timeout error case in an existing check. It was clearly just an oversight in that one call, as the remainder of the code does handle timeout errors. It was just never reached.

[Test Case]
To reproduce the problem in an openvpn server:
* install openvpn and openvpn-auth-ldap:
$ sudo apt install openvpn openvpn-auth-ldap

* expand the attached openvpn-test-server.tar.gz tarball inside /etc:
$ sudo tar -C /etc -xzf openvpn-test-server.tar.gz

* start nc on port 389:
$ sudo nc -l -p 389

* In another terminal, start the openvpn server:
$ cd /etc/openvpn
$ sudo openvpn --config server.conf

Next you will need an openvpn client, also configured with the SSL certs
as usual, plus "auth-user-pass". This client can be the same for all server tests, if you are testing multiple Ubuntu releases, since what crashes is the server. It also doesn't have to be the fixed package from proposed.

* Install openvpn:
$ sudo apt install openvpn

* Expand the client tarball in /etc:
$ sudo tar -C /etc -xzf openvpn-test-client.tar.gz

* Edit /etc/openvpn/client.conf and change the "remote <hostname>" line to point to your openvpn server's hostname

* Start the client:
$ cd /etc/openvpn
$ sudo openvpn --config client.conf

* It will prompt you for username and password. The values you provide are irrelevant:
(...)
Enter Auth Username: asd
Enter Auth Password: ***

The vulnerable server will crash:
root@trusty-openvpn-1602813:/etc/openvpn$ sudo openvpn --config server.conf
Tue Jun 20 13:56:55 2017 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Dec 1 2014
Tue Jun 20 13:56:55 2017 TUN/TAP device tun0 opened
Tue Jun 20 13:56:55 2017 Note: Cannot set tx queue length on tun0: Operation not permitted (errno=1)
Tue Jun 20 13:56:55 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Tue Jun 20 13:56:55 2017 /sbin/ip link set dev tun0 up mtu 1500
Tue Jun 20 13:56:55 2017 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Tue Jun 20 13:56:55 2017 UDPv4 link local (bound): [undef]
Tue Jun 20 13:56:55 2017 UDPv4 link remote: [undef]
Tue Jun 20 13:56:55 2017 Initialization Sequence Completed
openvpn: sasl.c:257: ldap_parse_sasl_bind_result: Assertion `res != ((void *)0)' failed.
Aborted (core dumped)

The fixed version will just complain about a timeout error and remain running:
(...)
LDAP bind failed: Timed out
Unable to bind as uid=john,ou=People,dc=lxd
LDAP connect failed.
Tue Jun 20 15:55:51 2017 10.0.100.162:1194 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/openvpn-auth-ldap.so
Tue Jun 20 15:55:51 2017 10.0.100.162:1194 TLS Auth Error: Auth Username/Password verification failed for peer
Tue Jun 20 15:55:51 2017 10.0.100.162:1194 [client] Peer Connection Initiated with [AF_INET]10.0.100.162:1194

[Regression Potential]
The patch is very focused. I believe the biggest regression potential lies in the fact that this package hasn't been rebuilt very often. This new build will be done with the surrounding system libraries having changed a lot since the last time this package was built.

[Other Info]
There are two places in the code which mishandled the return code of ldap_result(). They are essentially identical, but the test case I provided only covers one of them. I believe that to be good enough, as the other code path will require setting up an LDAP server with a populated directory.

Foxpass Dev (foxpass-dev) wrote :
information type: Private → Public
Foxpass Dev (foxpass-dev) wrote :

We have created this PPA to host a version of the package with the above patch added:

https://launchpad.net/~foxpass/+archive/ubuntu/openvpn-auth-ldap

Apport retracing service (apport) wrote :

StacktraceTop:
 __assert_fail_base (fmt=0x7f3cd7f203b8 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x7f3cd796d9bd "res != ((void *)0)", file=file@entry=0x7f3cd796e100 "sasl.c", line=line@entry=257, function=function@entry=0x7f3cd796e3e0 <__PRETTY_FUNCTION__.9756> "ldap_parse_sasl_bind_result") at assert.c:92
 __GI___assert_fail (assertion=assertion@entry=0x7f3cd796d9bd "res != ((void *)0)", file=file@entry=0x7f3cd796e100 "sasl.c", line=line@entry=257, function=function@entry=0x7f3cd796e3e0 <__PRETTY_FUNCTION__.9756> "ldap_parse_sasl_bind_result") at assert.c:101
 ldap_parse_sasl_bind_result (ld=0x7f3cda7498a0, res=0x0, servercredp=0x7ffd3d566748, freeit=0) at sasl.c:257
 ?? () from /tmp/apport_sandbox_fRkkdw/usr/lib/openvpn/openvpn-auth-ldap.so
 connect_ldap () from /tmp/apport_sandbox_fRkkdw/usr/lib/openvpn/openvpn-auth-ldap.so

Apport retracing service (apport) wrote : Stacktrace.txt
Apport retracing service (apport) wrote : StacktraceSource.txt
Apport retracing service (apport) wrote : ThreadStacktrace.txt
Changed in openvpn (Ubuntu):
importance: Undecided → Medium
tags: removed: need-amd64-retrace
Christian Ehrhardt (paelzer) wrote :

Hi,
thank you for the report and identifying the associated patch.
I added the patch tag and triaged the bug accordingly.

tags: added: patch
Changed in openvpn-auth-ldap (Ubuntu):
status: New → Triaged
importance: Undecided → High
Christian Ehrhardt (paelzer) wrote :

Here a little triaging summary:
The project itself seems rather abandoned, at least not with a high update frequency.
I checked the patch a bit in detail and found two related upstream commits:

of 2012 to fix the first
https://github.com/threerings/openvpn-auth-ldap/commit/2d1568c384eee51e907d93eec7f4dc263de602d2

and of 2015 to fix the second occurrence of the issue
https://github.com/threerings/openvpn-auth-ldap/pull/53/commits/182544cd7cfadf8e6918ce56d75a5c7735f126c2

The second is only a pull request and not yet merged into https://github.com/threerings/openvpn-auth-ldap/blame/master/src/TRLDAPConnection.m

That way following the usual procedure we can't start on an Xenial SRU right away but have to bring it into the Development release first. See #1 in https://wiki.ubuntu.com/StableReleaseUpdates#Procedure

IMHO, since this package has no Ubuntu delta so far and seems rather un-maintained (or at least un-updated) it might be worth pushing this fix to Debian first. Then sync into Yakkety, and then go for an SRU.
On the good side, the patch is small and reasonable. I'd leave it to Robie Basak who already was on the mail thread starting this to decide how to proceed.

Christian Ehrhardt (paelzer) wrote :

@Foxpass Dev - for the coming activity it would be really helpful if you could write up a minimal setup & test procedure for how to get from a new install to an environment showing the bug.
That would help testing and verification to get this bug fixed in the packaging (for Debian as well as for Ubuntu).

tags: added: bitesize server-next
tags: removed: server-next
Changed in openvpn-auth-ldap (Ubuntu):
assignee: nobody → Andreas Hasenack (ahasenack)
status: Triaged → In Progress
no longer affects: openvpn (Ubuntu)
Changed in openvpn-auth-ldap (Debian):
status: Unknown → New
Andreas Hasenack (ahasenack) wrote :

Removing the debian bug task, the linked bug is similar but it requires an additional fix on top of the one provided here.

no longer affects: openvpn-auth-ldap (Debian)
Andreas Hasenack (ahasenack) wrote :

debdiff for artful

Changed in openvpn-auth-ldap (Debian):
status: Unknown → New
Mathew Hodson (mhodson)
Changed in openvpn-auth-ldap (Ubuntu):
importance: High → Medium
Christian Ehrhardt (paelzer) wrote :

Reviewed and discussed - changes are good.
Andreas will add the steps to reproduce he already added to the Debian bug.

I'll test on my own and then likely sponsor the upload if nothing breaks on that.

Christian Ehrhardt (paelzer) wrote :

@Andreas - did the docu on ldap_result change in newer releases?
That is from Xenial:

"ERRORS
       ldap_result() returns -1 if something bad happens, and zero if the timeout specified was
       exceeded."

Or is the misleading bit here that the code is using not libldap's ldap_result but a different one?

Andreas Hasenack (ahasenack) wrote :

The code was just checking for a -1 return value, which means "something bad", and missed the timeout case. Since we missed the timeout return value, the follow-up check for the LDAP_TIMEOUT err was never reached:

- if (ldap_result(ldapConn, msgid, 1, &timeout, &res) == -1) {
+ if (ldap_result(ldapConn, msgid, 1, &timeout, &res) <= 0) {
   err = ldap_get_errno(ldapConn);
   if (err == LDAP_TIMEOUT)
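
Review bot: the widened `<= 0` test correctly routes the timeout return (0) into the branch that already reads ldap_get_errno() and compares it against LDAP_TIMEOUT; inside that branch `res` must not be handed on to the result parsing, because the ldap_result manual text quoted in this same comment says the result parameter is undefined on anything other than success. The same change is also needed at the second, identical ldap_result() call site mentioned under [Other Info], which the provided test case does not exercise.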

The function's "result" *parameter* can't be used in any case:

       int ldap_result( LDAP *ld, int msgid, int all,
            struct timeval *timeout, LDAPMessage **result );

"Upon success, the type of the result received is returned and the result parameter will contain the result of the operation; otherwise, the result parameter is undefined."

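The return-value contract described in the comment above (and in the [Impact] section of the bug description), as an added example that is not openvpn-auth-ldap code: the check as it was before the fix next to the fixed one, driven through the three outcomes ldap_result() can have. It builds without libldap: the LDAP_* values are copied from <ldap.h>, and `fake_ld`, `fake_msg`, `fake_ldap_result()` and `fake_ldap_get_errno()` are constructed stand-ins for LDAP*, LDAPMessage*, ldap_result() and the plugin's ldap_get_errno() helper, so the timeout path can be exercised offline.

```c
/*
 * Added example, not openvpn-auth-ldap code: how the ldap_result() return
 * value has to be checked before the LDAPMessage is used.  Builds without
 * libldap; the LDAP_* values are copied from <ldap.h>, and the fake_* names
 * are constructed stand-ins for the real library calls and handles.
 */
#include <stdio.h>
#include <stddef.h>
#include <sys/time.h>

#define LDAP_SUCCESS      0x00   /* from <ldap.h> */
#define LDAP_SERVER_DOWN  0x51   /* from <ldap.h> */
#define LDAP_TIMEOUT      0x55   /* from <ldap.h> */
#define LDAP_RES_BIND     0x61   /* from <ldap.h>: message type of a bind reply */

/* Constructed stand-in for LDAP*: scripts the outcome of the next ldap_result() call. */
typedef struct {
    int rc;   /* what fake_ldap_result() returns: -1 error, 0 timeout, >0 message type */
    int err;  /* what fake_ldap_get_errno() reports afterwards */
} fake_ld;

/* Constructed stand-in for LDAPMessage. */
typedef struct { int msgtype; } fake_msg;

static fake_msg bind_reply = { LDAP_RES_BIND };

/* Mirrors the libldap contract quoted in the bug: -1 on error, 0 when the
 * timeout elapsed, otherwise the type of the message received.  *res is
 * only defined on success; on the other two outcomes it is left untouched. */
static int fake_ldap_result(fake_ld *ld, int msgid, int all,
                            struct timeval *timeout, fake_msg **res)
{
    (void)msgid; (void)all; (void)timeout;
    if (ld->rc > 0)
        *res = &bind_reply;
    return ld->rc;
}

/* The plugin's real helper wraps ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER, &err). */
static int fake_ldap_get_errno(fake_ld *ld) { return ld->err; }

enum bind_status { BIND_OK, BIND_TIMEOUT, BIND_ERROR, BIND_NULL_RESULT };

/* The check as it was before the fix: only -1 counts as failure, so a
 * timeout (return 0) falls through to the result parsing with res still
 * NULL.  The real code then calls ldap_parse_sasl_bind_result(), whose
 * "res != NULL" assertion aborts the whole OpenVPN process; here the
 * NULL is reported as a status instead of dereferenced. */
static enum bind_status wait_for_bind_buggy(fake_ld *ld, int msgid)
{
    fake_msg *res = NULL;
    struct timeval timeout = { 5, 0 };

    if (fake_ldap_result(ld, msgid, 1, &timeout, &res) == -1) {
        int err = fake_ldap_get_errno(ld);
        return err == LDAP_TIMEOUT ? BIND_TIMEOUT : BIND_ERROR;
    }
    if (res == NULL)
        return BIND_NULL_RESULT;   /* this is where the assertion would fire */
    return res->msgtype == LDAP_RES_BIND ? BIND_OK : BIND_ERROR;
}

/* The fixed check: 0 (timeout) and -1 (error) both take the error branch,
 * so res is only read when ldap_result() actually delivered a message. */
static enum bind_status wait_for_bind_fixed(fake_ld *ld, int msgid)
{
    fake_msg *res = NULL;
    struct timeval timeout = { 5, 0 };

    if (fake_ldap_result(ld, msgid, 1, &timeout, &res) <= 0) {
        int err = fake_ldap_get_errno(ld);
        return err == LDAP_TIMEOUT ? BIND_TIMEOUT : BIND_ERROR;
    }
    return res->msgtype == LDAP_RES_BIND ? BIND_OK : BIND_ERROR;
}

static const char *status_name(enum bind_status s)
{
    static const char *names[] = { "ok", "timed out", "error", "NULL result reached" };
    return names[s];
}

int main(void)
{
    /* Three scripted bind outcomes: server answered, server down, server silent
     * (the silent one is what "nc -l -p 389" produces in the bug's test case). */
    fake_ld answered = { LDAP_RES_BIND, LDAP_SUCCESS };
    fake_ld down     = { -1, LDAP_SERVER_DOWN };
    fake_ld silent   = { 0, LDAP_TIMEOUT };
    fake_ld *cases[] = { &answered, &down, &silent };
    const char *labels[] = { "reply", "error", "timeout" };

    for (int i = 0; i < 3; i++)
        printf("%-8s buggy: %-20s fixed: %s\n", labels[i],
               status_name(wait_for_bind_buggy(cases[i], 1)),
               status_name(wait_for_bind_fixed(cases[i], 1)));
    return 0;
}
```

Only the third row differs between the two checks: the old condition lets the timeout reach the result parsing with a NULL message, the fixed one turns it into the "Timed out" bind failure that the fixed package logs.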
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openvpn-auth-ldap - 2.0.3-6.1ubuntu1

---------------
openvpn-auth-ldap (2.0.3-6.1ubuntu1) artful; urgency=medium

  * Add patch from Aaron Peschel (~foxpass-dev) to fix a network timeout
    crash. (LP: #1602813)

 -- Andreas Hasenack <email address hidden> Thu, 20 Apr 2017 13:39:42 +0000

Changed in openvpn-auth-ldap (Ubuntu):
status: In Progress → Fix Released
Changed in openvpn-auth-ldap (Ubuntu Trusty):
assignee: nobody → Andreas Hasenack (ahasenack)
Changed in openvpn-auth-ldap (Ubuntu Xenial):
assignee: nobody → Andreas Hasenack (ahasenack)
Changed in openvpn-auth-ldap (Ubuntu Yakkety):
assignee: nobody → Andreas Hasenack (ahasenack)
Changed in openvpn-auth-ldap (Ubuntu Zesty):
assignee: nobody → Andreas Hasenack (ahasenack)
Changed in openvpn-auth-ldap (Ubuntu Trusty):
status: New → In Progress
Changed in openvpn-auth-ldap (Ubuntu Xenial):
status: New → In Progress
Changed in openvpn-auth-ldap (Ubuntu Yakkety):
status: New → In Progress
Changed in openvpn-auth-ldap (Ubuntu Zesty):
status: New → In Progress
Changed in openvpn-auth-ldap (Ubuntu Trusty):
importance: Undecided → Medium
Changed in openvpn-auth-ldap (Ubuntu Xenial):
importance: Undecided → Medium
Changed in openvpn-auth-ldap (Ubuntu Yakkety):
importance: Undecided → Medium
Changed in openvpn-auth-ldap (Ubuntu Zesty):
importance: Undecided → Medium
description: updated
description: updated
Andreas Hasenack (ahasenack) wrote :

Configuration files for the server test case. To be expanded inside /etc. Contents:
drwxr-xr-x root/root 0 2017-06-20 11:10 openvpn/
-rw-r--r-- root/root 1797 2017-04-19 18:03 openvpn/ca.crt
-rw------- root/root 1704 2017-04-19 18:03 openvpn/server.key
-rwxr-xr-x root/root 1301 2017-02-10 16:16 openvpn/update-resolv-conf
drwxr-xr-x root/root 0 2017-04-24 09:41 openvpn/server/
-rw-r--r-- root/root 5701 2017-04-19 18:03 openvpn/server.crt
drwxr-xr-x root/root 0 2017-02-10 16:16 openvpn/client/
-rw-r--r-- root/root 284 2017-06-20 11:10 openvpn/server.conf
-rw------- root/root 636 2017-04-19 17:11 openvpn/static.key
-rw-r--r-- root/root 156 2017-06-20 10:56 openvpn/ldap.conf
-rw-r--r-- root/root 424 2017-04-19 18:05 openvpn/dh2048.pem

Andreas Hasenack (ahasenack) wrote :

Configuration files for the client openvpn server. To be expanded inside /etc.

Contents:
drwxr-xr-x root/root 0 2017-06-20 11:29 openvpn/
-rw------- root/root 1708 2017-04-19 18:07 openvpn/client.key
-rw-r--r-- root/root 1797 2017-04-19 18:07 openvpn/ca.crt
drwxr-xr-x root/root 0 2017-04-20 09:24 openvpn/client/
-rw-r--r-- root/root 5584 2017-04-19 18:07 openvpn/client.crt
drwxr-xr-x root/root 0 2017-02-10 16:16 openvpn/server/
-rw-r--r-- root/root 636 2017-04-19 17:11 openvpn/static.key
-rw-r--r-- root/root 244 2017-06-20 11:15 openvpn/client.conf
-rwxr-xr-x root/root 1301 2017-02-10 16:16 openvpn/update-resolv-conf

description: updated
description: updated
description: updated
description: updated
description: updated
description: updated
Nish Aravamudan (nacc) wrote :

Sponsored all 4 uploads.

Brian Murray (brian-murray) wrote : Please test proposed package

Hello Foxpass, or anyone else affected,

Accepted openvpn-auth-ldap into zesty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/openvpn-auth-ldap/2.0.3-6.1ubuntu0.17.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-zesty to verification-done-zesty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-zesty. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in openvpn-auth-ldap (Ubuntu Yakkety):
status: In Progress → Won't Fix
Changed in openvpn-auth-ldap (Ubuntu Zesty):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-zesty
Changed in openvpn-auth-ldap (Ubuntu Xenial):
status: In Progress → Fix Committed
tags: added: verification-needed-xenial
Brian Murray (brian-murray) wrote :

Hello Foxpass, or anyone else affected,

Accepted openvpn-auth-ldap into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/openvpn-auth-ldap/2.0.3-6.1ubuntu0.16.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in openvpn-auth-ldap (Ubuntu Trusty):
status: In Progress → Fix Committed
tags: added: verification-needed-trusty
Brian Murray (brian-murray) wrote :

Hello Foxpass, or anyone else affected,

Accepted openvpn-auth-ldap into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/openvpn-auth-ldap/2.0.3-5.1ubuntu0.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-trusty to verification-done-trusty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-trusty. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Andreas Hasenack (ahasenack) wrote :

Confirmed the crash on zesty with openvpn-auth-ldap 2.0.3-6.1:

ubuntu@zesty-openvpn-server-1602813:/etc/openvpn$ sudo openvpn --config server.conf
Mon Jul 24 15:05:38 2017 OpenVPN 2.4.0 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jun 22 2017
Mon Jul 24 15:05:38 2017 library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.08
Mon Jul 24 15:05:38 2017 TUN/TAP device tun0 opened
Mon Jul 24 15:05:38 2017 Note: Cannot set tx queue length on tun0: Operation not permitted (errno=1)
Mon Jul 24 15:05:38 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Mon Jul 24 15:05:38 2017 /sbin/ip link set dev tun0 up mtu 1500
Mon Jul 24 15:05:38 2017 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Mon Jul 24 15:05:38 2017 Could not determine IPv4/IPv6 protocol. Using AF_INET
Mon Jul 24 15:05:38 2017 UDPv4 link local (bound): [AF_INET][undef]:1194
Mon Jul 24 15:05:38 2017 UDPv4 link remote: [AF_UNSPEC]
Mon Jul 24 15:05:38 2017 Initialization Sequence Completed
Mon Jul 24 15:10:38 2017 10.0.100.42:1194 peer info: IV_VER=2.3.10
Mon Jul 24 15:10:38 2017 10.0.100.42:1194 peer info: IV_PLAT=linux
Mon Jul 24 15:10:38 2017 10.0.100.42:1194 peer info: IV_PROTO=2
openvpn: sasl.c:273: ldap_parse_sasl_bind_result: Assertion `res != NULL' failed.
Aborted (core dumped)

Crash avoided with openvpn-auth-ldap-2.0.3-6.1ubuntu0.17.04.1 from proposed. I get a timeout as expected:
(...)
The following packages will be upgraded:
  openvpn-auth-ldap
1 upgraded, 0 newly installed, 0 to remove and 11 not upgraded.
Need to get 36.4 kB of archives.
After this operation, 30.7 kB disk space will be freed.
Get:1 http://br.archive.ubuntu.com/ubuntu zesty-proposed/universe amd64 openvpn-auth-ldap amd64 2.0.3-6.1ubuntu0.17.04.1 [36.4 kB]
Fetched 36.4 kB in 0s (469 kB/s)
(Reading database ... 26983 files and directories currently installed.)
Preparing to unpack .../openvpn-auth-ldap_2.0.3-6.1ubuntu0.17.04.1_amd64.deb ...
Unpacking openvpn-auth-ldap (2.0.3-6.1ubuntu0.17.04.1) over (2.0.3-6.1) ...
Setting up openvpn-auth-ldap (2.0.3-6.1ubuntu0.17.04.1) ...

ubuntu@zesty-openvpn-server-1602813:/etc/openvpn$ sudo openvpn --config server.conf
Mon Jul 24 15:13:08 2017 OpenVPN 2.4.0 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jun 22 2017
Mon Jul 24 15:13:08 2017 library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.08
Mon Jul 24 15:13:08 2017 TUN/TAP device tun0 opened
Mon Jul 24 15:13:08 2017 Note: Cannot set tx queue length on tun0: Operation not permitted (errno=1)
Mon Jul 24 15:13:08 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Mon Jul 24 15:13:08 2017 /sbin/ip link set dev tun0 up mtu 1500
Mon Jul 24 15:13:08 2017 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Mon Jul 24 15:13:08 2017 Could not determine IPv4/IPv6 protocol. Using AF_INET
Mon Jul 24 15:13:08 2017 UDPv4 link local (bound): [AF_INET][undef]:1194
Mon Jul 24 15:13:08 2017 UDPv4 link remote: [AF_UNSPEC]
Mon Jul 24 15:13:08 2017 Initialization Sequence Completed
Mon Jul 24 15:13:14 2017 10.0.100.42:1194 peer info: IV_VER=2.3.10
Mon Jul 24 15:13:14 2017 10.0.100.42:1194 peer info: IV_PLAT=linux
Mon Jul 24 15:13:14 2017 10...


tags: added: verification-done-zesty
removed: verification-needed-zesty
Andreas Hasenack (ahasenack) wrote :

Confirmed the crash on xenial:
ubuntu@xenial-openvpn-server-1602813:/etc/openvpn$ sudo openvpn --config server.conf
Mon Jul 24 16:49:50 2017 OpenVPN 2.3.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun 22 2017
Mon Jul 24 16:49:50 2017 library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.08
Mon Jul 24 16:49:50 2017 TUN/TAP device tun0 opened
Mon Jul 24 16:49:50 2017 Note: Cannot set tx queue length on tun0: Operation not permitted (errno=1)
Mon Jul 24 16:49:50 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Mon Jul 24 16:49:50 2017 /sbin/ip link set dev tun0 up mtu 1500
Mon Jul 24 16:49:50 2017 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Mon Jul 24 16:49:50 2017 UDPv4 link local (bound): [undef]
Mon Jul 24 16:49:50 2017 UDPv4 link remote: [undef]
Mon Jul 24 16:49:50 2017 Initialization Sequence Completed
openvpn: sasl.c:257: ldap_parse_sasl_bind_result: Assertion `res != NULL' failed.
Aborted (core dumped)

$ dpkg-query -W openvpn-auth-ldap
openvpn-auth-ldap 2.0.3-6.1

Upgrading to -proposed:
$ sudo apt install openvpn-auth-ldap
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be upgraded:
  openvpn-auth-ldap
1 upgraded, 0 newly installed, 0 to remove and 8 not upgraded.
Need to get 36.8 kB of archives.
After this operation, 25.6 kB disk space will be freed.
Get:1 http://br.archive.ubuntu.com/ubuntu xenial-proposed/universe amd64 openvpn-auth-ldap amd64 2.0.3-6.1ubuntu0.16.04.1 [36.8 kB]
Fetched 36.8 kB in 0s (465 kB/s)
(Reading database ... 25809 files and directories currently installed.)
Preparing to unpack .../openvpn-auth-ldap_2.0.3-6.1ubuntu0.16.04.1_amd64.deb ...
Unpacking openvpn-auth-ldap (2.0.3-6.1ubuntu0.16.04.1) over (2.0.3-6.1) ...
Setting up openvpn-auth-ldap (2.0.3-6.1ubuntu0.16.04.1) ...

Running test again, this time we get just a timeout:
$ sudo openvpn --config server.conf
Mon Jul 24 16:51:28 2017 OpenVPN 2.3.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun 22 2017
Mon Jul 24 16:51:28 2017 library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.08
Mon Jul 24 16:51:28 2017 TUN/TAP device tun0 opened
Mon Jul 24 16:51:28 2017 Note: Cannot set tx queue length on tun0: Operation not permitted (errno=1)
Mon Jul 24 16:51:28 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Mon Jul 24 16:51:28 2017 /sbin/ip link set dev tun0 up mtu 1500
Mon Jul 24 16:51:28 2017 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Mon Jul 24 16:51:28 2017 UDPv4 link local (bound): [undef]
Mon Jul 24 16:51:28 2017 UDPv4 link remote: [undef]
Mon Jul 24 16:51:28 2017 Initialization Sequence Completed
LDAP bind failed: Timed out
Unable to bind as uid=john,ou=People,dc=lxd
LDAP connect failed.
Mon Jul 24 16:51:40 2017 10.0.100.42:1194 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/openvpn-auth-ldap.so
Mon Jul 24 16:51:40 2017 10.0.100.42:1194 TLS Auth Error: Auth Username/Password verification failed for peer
Mon Jul 24 16:51:40 2017 10.0.100.42:1194 [client] Peer Connection Initiated with [AF_INET]10.0.100...


tags: added: verification-done-xenial
removed: verification-needed-xenial
Andreas Hasenack (ahasenack) wrote :

Crash reproduced on trusty:
ubuntu@trusty-openvpn-server-1602813:/etc/openvpn$ sudo openvpn --config server.conf
Mon Jul 24 17:03:30 2017 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Jun 22 2017
Mon Jul 24 17:03:30 2017 TUN/TAP device tun0 opened
Mon Jul 24 17:03:30 2017 Note: Cannot set tx queue length on tun0: Operation not permitted (errno=1)
Mon Jul 24 17:03:30 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Mon Jul 24 17:03:30 2017 /sbin/ip link set dev tun0 up mtu 1500
Mon Jul 24 17:03:30 2017 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Mon Jul 24 17:03:30 2017 UDPv4 link local (bound): [undef]
Mon Jul 24 17:03:30 2017 UDPv4 link remote: [undef]
Mon Jul 24 17:03:30 2017 Initialization Sequence Completed
openvpn: sasl.c:257: ldap_parse_sasl_bind_result: Assertion `res != ((void *)0)' failed.

ubuntu@trusty-openvpn-server-1602813:/etc/openvpn$ dpkg-query -W openvpn-auth-ldap
openvpn-auth-ldap 2.0.3-5.1

After upgrading to the package in proposed, we just get the expected nice timeout error:
ubuntu@trusty-openvpn-server-1602813:/etc/openvpn$ sudo apt install openvpn-auth-ldap -y
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
  libfreetype6 os-prober
Use 'apt-get autoremove' to remove them.
The following packages will be upgraded:
  openvpn-auth-ldap
1 upgraded, 0 newly installed, 0 to remove and 3 not upgraded.
Need to get 37.2 kB of archives.
After this operation, 0 B of additional disk space will be used.
Get:1 http://br.archive.ubuntu.com/ubuntu/ trusty-proposed/universe openvpn-auth-ldap amd64 2.0.3-5.1ubuntu0.1 [37.2 kB]
Fetched 37.2 kB in 0s (1,601 kB/s)
(Reading database ... 25224 files and directories currently installed.)
Preparing to unpack .../openvpn-auth-ldap_2.0.3-5.1ubuntu0.1_amd64.deb ...
Unpacking openvpn-auth-ldap (2.0.3-5.1ubuntu0.1) over (2.0.3-5.1) ...
Setting up openvpn-auth-ldap (2.0.3-5.1ubuntu0.1) ...

ubuntu@trusty-openvpn-server-1602813:/etc/openvpn$ sudo openvpn --config server.conf
Mon Jul 24 17:05:19 2017 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Jun 22 2017
Mon Jul 24 17:05:19 2017 TUN/TAP device tun0 opened
Mon Jul 24 17:05:19 2017 Note: Cannot set tx queue length on tun0: Operation not permitted (errno=1)
Mon Jul 24 17:05:19 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Mon Jul 24 17:05:19 2017 /sbin/ip link set dev tun0 up mtu 1500
Mon Jul 24 17:05:19 2017 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Mon Jul 24 17:05:19 2017 UDPv4 link local (bound): [undef]
Mon Jul 24 17:05:19 2017 UDPv4 link remote: [undef]
Mon Jul 24 17:05:19 2017 Initialization Sequence Completed
LDAP bind failed: Timed out
Unable to bind as uid=john,ou=People,dc=lxd
LDAP connect failed.
Mon Jul 24 17:05:25 2017 10.0.100.42:1194 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/openvpn-auth-ldap.so
Mon Jul 24 17:05:25 2017 10.0.100.42:1194 TLS Auth Error: Auth Username/Passwor...


tags: added: verification-done-trusty
removed: verification-needed-trusty
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openvpn-auth-ldap - 2.0.3-5.1ubuntu0.1

---------------
openvpn-auth-ldap (2.0.3-5.1ubuntu0.1) trusty; urgency=medium

  * debian/patches/openvpn_ldap_timeout_fix-lp1602813.patch: Properly
    check ldap_result() return code. Thanks to Aaron Peschel
    <email address hidden>. Closes LP: #1602813.

 -- Andreas Hasenack <email address hidden> Wed, 05 Jul 2017 16:35:52 -0300

Changed in openvpn-auth-ldap (Ubuntu Trusty):
status: Fix Committed → Fix Released
Brian Murray (brian-murray) wrote : Update Released

The verification of the Stable Release Update for openvpn-auth-ldap has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openvpn-auth-ldap - 2.0.3-6.1ubuntu0.17.04.1

---------------
openvpn-auth-ldap (2.0.3-6.1ubuntu0.17.04.1) zesty; urgency=medium

  * debian/patches/openvpn_ldap_timeout_fix-lp1602813.patch: Properly
    check ldap_result() return code. Thanks to Aaron Peschel
    <email address hidden>. Closes LP: #1602813.

 -- Andreas Hasenack <email address hidden> Wed, 05 Jul 2017 16:26:16 -0300

Changed in openvpn-auth-ldap (Ubuntu Zesty):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openvpn-auth-ldap - 2.0.3-6.1ubuntu0.16.04.1

---------------
openvpn-auth-ldap (2.0.3-6.1ubuntu0.16.04.1) xenial; urgency=medium

  * debian/patches/openvpn_ldap_timeout_fix-lp1602813.patch: Properly
    check ldap_result() return code. Thanks to Aaron Peschel
    <email address hidden>. Closes LP: #1602813.

 -- Andreas Hasenack <email address hidden> Wed, 05 Jul 2017 16:28:32 -0300

Changed in openvpn-auth-ldap (Ubuntu Xenial):
status: Fix Committed → Fix Released
Changed in openvpn-auth-ldap (Debian):
status: New → Fix Released