xigaoxinyan 2022-04-13 18:16:26 +08:00
parent 5348a6bf0b
commit 922c5425e1
6 changed files with 37 additions and 148 deletions

@ -1,65 +0,0 @@
From 37bc691e7d26ea4eb61a8a434ebd7a9ae76225ab Mon Sep 17 00:00:00 2001
From: Lev Stipakov <lev@openvpn.net>
Date: Wed, 15 Apr 2020 10:30:17 +0300
Subject: [PATCH] Fix illegal client float (CVE-2020-11810)
There is a time frame between allocating peer-id and initializing data
channel key (which is performed on receiving push request or on async
push-reply) in which the existing peer-id float checks do not work right.
If a "rogue" data channel packet arrives during that time frame from
another address and with same peer-id, this would cause client to float
to that new address. This is because:
- tls_pre_decrypt() sets packet length to zero if
data channel key has not been initialized, which leads to
- openvpn_decrypt() returns true if packet length is zero,
which leads to
- process_incoming_link_part1() returns true, which
calls multi_process_float(), which commits float
Note that problem doesn't happen when data channel key is initialized,
since in this case openvpn_decrypt() returns false.
The net effect of this behaviour is that the VPN session for the
"victim client" is broken. Since the "attacker client" does not have
suitable keys, it can not inject or steal VPN traffic from the other
session. The time window is small and it can not be used to attack
a specific client's session, unless some other way is found to make it
disconnect and reconnect first.
CVE-2020-11810 has been assigned to acknowledge this risk.
Fix illegal float by adding buffer length check ("is this packet still
considered valid") before calling multi_process_float().
Trac: #1272
CVE: 2020-11810
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200415073017.22839-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19720.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
---
src/openvpn/multi.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
index b42bcec97..056e3dc76 100644
--- a/src/openvpn/multi.c
+++ b/src/openvpn/multi.c
@@ -2577,7 +2577,8 @@ multi_process_incoming_link(struct multi_context *m, struct multi_instance *inst
orig_buf = c->c2.buf.data;
if (process_incoming_link_part1(c, lsi, floated))
{
- if (floated)
+ /* nonzero length means that we have a valid, decrypted packed */
+ if (floated && c->c2.buf.len > 0)
{
multi_process_float(m, m->pending);
}
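Review bot: dropping CVE-2020-11810.patch is only safe if the 2.5.5 tarball already carries upstream commit 37bc691e, i.e. the `if (floated && c->c2.buf.len > 0)` check in multi_process_incoming_link(); the patch is dated April 2020, so that is expected, but the spec changelog should record the reason (e.g. `- drop CVE-2020-11810.patch, fixed upstream`) instead of leaving the removal implicit, so the CVE reference is not lost from the package history.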

@ -1,39 +0,0 @@
From 6b03967183591d8a7e619caaf529f7581619326b Mon Sep 17 00:00:00 2001
From: Arne Schwabe <arne@rfc2549.org>
Date: Tue, 6 Apr 2021 00:05:21 +0200
Subject: [PATCH] Ensure key state is authenticated before sending push reply
This ensures that the key state is authenticated when sendinga push reply.
---
src/openvpn/push.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/openvpn/push.c b/src/openvpn/push.c
index dd5bd41..fcdd76b 100644
--- a/src/openvpn/push.c
+++ b/src/openvpn/push.c
@@ -647,6 +647,7 @@ int
process_incoming_push_request(struct context *c)
{
int ret = PUSH_MSG_ERROR;
+ struct key_state *ks = &c->c2.tls_multi->session[TM_ACTIVE].key[KS_PRIMARY];
#ifdef ENABLE_ASYNC_PUSH
c->c2.push_request_received = true;
@@ -657,7 +658,12 @@ process_incoming_push_request(struct context *c)
send_auth_failed(c, client_reason);
ret = PUSH_MSG_AUTH_FAILURE;
}
- else if (!c->c2.push_reply_deferred && c->c2.context_auth == CAS_SUCCEEDED)
+ else if (!c->c2.push_reply_deferred && c->c2.context_auth == CAS_SUCCEEDED
+ && ks->authenticated
+ #ifdef ENABLE_DEF_AUTH
+ && !ks->auth_deferred
+ #endif
+ )
{
time_t now;
--
2.23.0
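Review bot: this patch carries no CVE:, Trac: or Signed-off-by trailer, so its link to CVE-2020-15078 exists only through the Patch0001 filename in the spec; before dropping it, confirm that process_incoming_push_request() in 2.5.5 already guards the push reply with `ks->authenticated` and, under ENABLE_DEF_AUTH, `!ks->auth_deferred`, since nothing in this diff shows the fix is upstream, and note that confirmation in the changelog.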

@ -1,57 +1,48 @@
From 58ec3bb4aac77131118dbbc39a65181e7847adee Mon Sep 17 00:00:00 2001
From af3e382649d96ae77cc5e42be8270f355e5cfec5 Mon Sep 17 00:00:00 2001
From: David Sommerseth <davids@openvpn.net>
Date: Tue, 15 Mar 2022 16:53:43 +0100
Date: Sun, 13 Mar 2022 20:31:53 +0100
Subject: [PATCH] plug-ins: Disallow multiple deferred authentication plug-ins
The plug-in API in OpenVPN 2.x is not designed for running multiple
deferred authentication processes in parallel. The authentication
results of such configurations are not to be trusted. For now we bail
out when this discovered with an error in the log.
This is a backport of commit 282ddbac54f8d4923844f699 (master), taking
the different man-page format into account. The code change is the same.
out when this is discovered with an error in the log.
CVE: 2022-0547
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220315155344.37787-3-openvpn@sf.lists.topphemmelig.net>
URL: https://www.mail-archive.com/search?l=mid&q=20220315155344.37787-3-openvpn@sf.lists.topphemmelig.net
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20220313193154.9350-3-openvpn@sf.lists.topphemmelig.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23931.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 282ddbac54f8d4923844f69983b38dd2b813a00a)
---
doc/openvpn.8 | 13 +++++++++++++
src/openvpn/plugin.c | 33 ++++++++++++++++++++++++++++++---
2 files changed, 43 insertions(+), 3 deletions(-)
doc/man-sections/plugin-options.rst | 9 ++++++++
src/openvpn/plugin.c | 33 ++++++++++++++++++++++++++---
2 files changed, 39 insertions(+), 3 deletions(-)
diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 598d5fce5..7f773b695 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -2805,6 +2805,19 @@ function (such as tls\-verify, auth\-user\-pass\-verify, or
client\-connect), then
every module and script must return success (0) in order for
the connection to be authenticated.
diff --git a/doc/man-sections/plugin-options.rst b/doc/man-sections/plugin-options.rst
index 51c574fe6..9266429ea 100644
--- a/doc/man-sections/plugin-options.rst
+++ b/doc/man-sections/plugin-options.rst
@@ -55,3 +55,12 @@ plug-ins must be prebuilt and adhere to the OpenVPN Plug-In API.
(such as tls-verify, auth-user-pass-verify, or client-connect), then
every module and script must return success (:code:`0`) in order for the
connection to be authenticated.
+
+.INDENT 7.0
+.TP
+.B \fBWARNING\fP:
+Plug\-ins may do deferred execution, meaning the plug\-in will
+return the control back to the main OpenVPN process and provide
+the plug\-in result later on via a different thread or process.
+OpenVPN does \fBNOT\fP support multiple authentication plug\-ins
+\fBwhere more than one plugin\fP tries to do deferred authentication.
+If this behaviour is detected, OpenVPN will shut down upon first
+authentication.
+.UNINDENT
+.UNINDENT
.\"*********************************************************
.TP
.B \-\-keying\-material\-exporter label len
+ **WARNING**:
+ Plug-ins may do deferred execution, meaning the plug-in will
+ return the control back to the main OpenVPN process and provide
+ the plug-in result later on via a different thread or process.
+ OpenVPN does **NOT** support multiple authentication plug-ins
+ **where more than one plugin** tries to do deferred authentication.
+ If this behaviour is detected, OpenVPN will shut down upon first
+ authentication.
diff --git a/src/openvpn/plugin.c b/src/openvpn/plugin.c
index 0ab99ab5c..5ba1c2470 100644
index e8f8830d0..ed5d7c067 100644
--- a/src/openvpn/plugin.c
+++ b/src/openvpn/plugin.c
@@ -809,7 +809,7 @@ plugin_call_ssl(const struct plugin_list *pl,
@@ -806,7 +806,7 @@ plugin_call_ssl(const struct plugin_list *pl,
const int n = plugin_n(pl);
bool success = false;
bool error = false;
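Review bot: the spec comment `# https://github.com/OpenVPN/openvpn/commit/58ec3bb` above Patch0002 becomes stale with this hunk, which swaps the release/2.4 backport 58ec3bb4 (doc/openvpn.8) for af3e3826, the release/2.5 cherry-pick of master commit 282ddbac carrying the doc/man-sections/plugin-options.rst hunk; update the comment to af3e382 (or 282ddbac) in the same change. The plugin.c hunk headers only shift by a few lines (-809 to -806, -834 to -829, -858 to -853), which is consistent with a pure rebase of the same code change.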
@ -60,7 +51,7 @@ index 0ab99ab5c..5ba1c2470 100644
setenv_del(es, "script_type");
envp = make_env_array(es, false, &gc);
@@ -834,7 +834,34 @@ plugin_call_ssl(const struct plugin_list *pl,
@@ -829,7 +829,34 @@ plugin_call_ssl(const struct plugin_list *pl,
break;
case OPENVPN_PLUGIN_FUNC_DEFERRED:
@ -96,7 +87,7 @@ index 0ab99ab5c..5ba1c2470 100644
break;
default:
@@ -858,7 +885,7 @@ plugin_call_ssl(const struct plugin_list *pl,
@@ -853,7 +880,7 @@ plugin_call_ssl(const struct plugin_list *pl,
{
return OPENVPN_PLUGIN_FUNC_ERROR;
}

Binary file not shown.

openvpn-2.5.5.tar.gz Normal file

@ -1,12 +1,10 @@
Name: openvpn
Version: 2.4.8
Release: 7
Version: 2.5.5
Release: 1
Summary: A full-featured open source SSL VPN solution
License: GPLv2 and OpenSSL and SSLeay
License: GPL-2.0-or-later and OpenSSL and SSLeay
URL: https://community.openvpn.net/openvpn
Source0: https://swupdate.openvpn.org/community/releases/openvpn-%{version}.tar.gz
Patch0000: CVE-2020-11810.patch
Patch0001: CVE-2020-15078.patch
# https://github.com/OpenVPN/openvpn/commit/58ec3bb
Patch0002: CVE-2022-0547.patch
BuildRequires: openssl-devel lz4-devel systemd-devel lzo-devel gcc
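Review bot: the License tag is widened from `GPLv2` to `GPL-2.0-or-later` inside a version bump, with nothing in this change justifying the "or later" grant; OpenVPN's COPYING licenses the code under GPL version 2 (with the OpenSSL linking exception), so the SPDX form should be `GPL-2.0-only` unless the 2.5.5 tarball states otherwise. Please verify against COPYING in the new tarball before merging.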
@ -123,8 +121,12 @@ fi
%files help
%{_pkgdocdir}
%{_mandir}/man8/%{name}.8*
%{_mandir}/man5/openvpn-examples.5.gz
%changelog
* Wed Apr 13 2022 xigaoxinyan <xigaoxinyan@h-partners.com> - 2.5.5-1
- Update to 2.5.5
* Wed Mar 30 2022 wangkai <wangkai385@huawei.com> - 2.4.8-7
- Fix CVE-2022-0547
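Review bot: the changelog entry `- Update to 2.5.5` does not mention that CVE-2020-11810.patch and CVE-2020-15078.patch are removed and CVE-2022-0547.patch is rebased, which is exactly what a later CVE audit of this package will look for; add one line per patch. As a style point, `%{_mandir}/man5/openvpn-examples.5.gz` hardcodes the compression suffix while the man8 entry above uses `%{name}.8*`; use `openvpn-examples.5*` for consistency so the file list does not break if man-page compression changes.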