fix CVE-2020-11810

CVE-2020-11810.patch

@@ -0,0 +1,65 @@
+From 37bc691e7d26ea4eb61a8a434ebd7a9ae76225ab Mon Sep 17 00:00:00 2001
+From: Lev Stipakov <lev@openvpn.net>
+Date: Wed, 15 Apr 2020 10:30:17 +0300
+Subject: [PATCH] Fix illegal client float (CVE-2020-11810)
+
+There is a time frame between allocating peer-id and initializing data
+channel key (which is performed on receiving push request or on async
+push-reply) in which the existing peer-id float checks do not work right.
+
+If a "rogue" data channel packet arrives during that time frame from
+another address and  with same peer-id, this would cause client to float
+to that new address. This is because:
+
+ - tls_pre_decrypt() sets packet length to zero if
+   data channel key has not been initialized, which leads to
+
+ - openvpn_decrypt() returns true if packet length is zero,
+   which leads to
+
+ - process_incoming_link_part1() returns true, which
+   calls multi_process_float(), which commits float
+
+Note that problem doesn't happen when data channel key is initialized,
+since in this case openvpn_decrypt() returns false.
+
+The net effect of this behaviour is that the VPN session for the
+"victim client" is broken.  Since the "attacker client" does not have
+suitable keys, it can not inject or steal VPN traffic from the other
+session.  The time window is small and it can not be used to attack
+a specific client's session, unless some other way is found to make it
+disconnect and reconnect first.
+
+CVE-2020-11810 has been assigned to acknowledge this risk.
+
+Fix illegal float by adding buffer length check ("is this packet still
+considered valid") before calling multi_process_float().
+
+Trac: #1272
+CVE: 2020-11810
+
+Signed-off-by: Lev Stipakov <lev@openvpn.net>
+Acked-by: Arne Schwabe <arne@rfc2549.org>
+Acked-by: Antonio Quartulli <antonio@openvpn.net>
+Acked-by: Gert Doering <gert@greenie.muc.de>
+Message-Id: <20200415073017.22839-1-lstipakov@gmail.com>
+URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19720.html
+Signed-off-by: Gert Doering <gert@greenie.muc.de>
+---
+ src/openvpn/multi.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
+index b42bcec97..056e3dc76 100644
+--- a/src/openvpn/multi.c
++++ b/src/openvpn/multi.c
+@@ -2577,7 +2577,8 @@ multi_process_incoming_link(struct multi_context *m, struct multi_instance *inst
+             orig_buf = c->c2.buf.data;
+             if (process_incoming_link_part1(c, lsi, floated))
+             {
+-                if (floated)
++                /* nonzero length means that we have a valid, decrypted packed */
++                if (floated && c->c2.buf.len > 0)
+                 {
+                     multi_process_float(m, m->pending);
+                 }

openvpn.spec

@@ -1,10 +1,11 @@
 Name: openvpn
 Version: 2.4.8
-Release: 3
+Release: 4
 Summary: A full-featured open source SSL VPN solution
-License: GPLv2
+License: GPLv2 and OpenSSL and SSLeay
 URL: https://community.openvpn.net/openvpn
 Source0: https://swupdate.openvpn.org/community/releases/openvpn-%{version}.tar.gz
+Patch0000:     CVE-2020-11810.patch
 
 BuildRequires: openssl-devel lz4-devel systemd-devel lzo-devel
 BuildRequires: iproute pam-devel pkcs11-helper-devel >= 1.11
@@ -36,7 +37,7 @@ User guide and other related documents for %{name}.
 
 %prep
 %setup -q -n %{name}-%{version}
-
+%patch0000 -p1
 
 %build
 %configure --enable-x509-alt-username --enable-iproute2 --with-crypto-library=openssl --enable-pkcs11 --enable-selinux --enable-systemd SYSTEMD_UNIT_DIR=%{_unitdir} TMPFILES_DIR=%{_tmpfilesdir} IPROUTE=/sbin/ip
@@ -123,6 +124,9 @@ fi
 %{_mandir}/man8/%{name}.8*
 
 %changelog
+* Thu Feb 04 2021 wangyue <wangyue92@huawei.com> 2.4.8-4
+- fix CVE-2020-11810
+
 * Tue Mar 16 2020 daiqianwen <daiqianwen@huawei.com> 2.4.8-3
 - modify systemd post preun postun