packages/openvpn
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!33 Update to 2.5.8

Browse Source 
From: @starlet-dx 
Reviewed-by: @caodongxia 
Signed-off-by: @caodongxia
This commit is contained in:
openeuler-ci-bot 2023-02-02 10:38:50 +00:00 committed by Gitee
commit b798d053c3
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
5 changed files with 18 additions and 104 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

98
CVE-2022-0547.patch
View File

@ -1,98 +0,0 @@
From af3e382649d96ae77cc5e42be8270f355e5cfec5 Mon Sep 17 00:00:00 2001
From: David Sommerseth <davids@openvpn.net>
Date: Sun, 13 Mar 2022 20:31:53 +0100
Subject: [PATCH] plug-ins: Disallow multiple deferred authentication plug-ins
The plug-in API in OpenVPN 2.x is not designed for running multiple
deferred authentication processes in parallel. The authentication
results of such configurations are not to be trusted. For now we bail
out when this is discovered with an error in the log.
CVE: 2022-0547
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20220313193154.9350-3-openvpn@sf.lists.topphemmelig.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23931.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 282ddbac54f8d4923844f69983b38dd2b813a00a)
---
doc/man-sections/plugin-options.rst | 9 ++++++++
src/openvpn/plugin.c | 33 ++++++++++++++++++++++++++---
2 files changed, 39 insertions(+), 3 deletions(-)
diff --git a/doc/man-sections/plugin-options.rst b/doc/man-sections/plugin-options.rst
index 51c574fe6..9266429ea 100644
--- a/doc/man-sections/plugin-options.rst
+++ b/doc/man-sections/plugin-options.rst
@@ -55,3 +55,12 @@ plug-ins must be prebuilt and adhere to the OpenVPN Plug-In API.
(such as tls-verify, auth-user-pass-verify, or client-connect), then
every module and script must return success (:code:`0`) in order for the
connection to be authenticated.
+
+ **WARNING**:
+ Plug-ins may do deferred execution, meaning the plug-in will
+ return the control back to the main OpenVPN process and provide
+ the plug-in result later on via a different thread or process.
+ OpenVPN does **NOT** support multiple authentication plug-ins
+ **where more than one plugin** tries to do deferred authentication.
+ If this behaviour is detected, OpenVPN will shut down upon first
+ authentication.
diff --git a/src/openvpn/plugin.c b/src/openvpn/plugin.c
index e8f8830d0..ed5d7c067 100644
--- a/src/openvpn/plugin.c
+++ b/src/openvpn/plugin.c
@@ -806,7 +806,7 @@ plugin_call_ssl(const struct plugin_list *pl,
const int n = plugin_n(pl);
bool success = false;
bool error = false;
- bool deferred = false;
+ bool deferred_auth_done = false;
setenv_del(es, "script_type");
envp = make_env_array(es, false, &gc);
@@ -829,7 +829,34 @@ plugin_call_ssl(const struct plugin_list *pl,
break;
case OPENVPN_PLUGIN_FUNC_DEFERRED:
- deferred = true;
+ if ((type == OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY)
+ && deferred_auth_done)
+ {
+ /*
+ * Do not allow deferred auth if a deferred auth has
+ * already been started. This should allow a single
+ * deferred auth call to happen, with one or more
+ * auth calls with an instant authentication result.
+ *
+ * The plug-in API is not designed for multiple
+ * deferred authentications to happen, as the
+ * auth_control_file file will be shared across all
+ * the plug-ins.
+ *
+ * Since this is considered a critical configuration
+ * error, we bail out and exit the OpenVPN process.
+ */
+ error = true;
+ msg(M_FATAL,
+ "Exiting due to multiple authentication plug-ins "
+ "performing deferred authentication. Only one "
+ "authentication plug-in doing deferred auth is "
+ "allowed. Ignoring the result and stopping now, "
+ "the current authentication result is not to be "
+ "trusted.");
+ break;
+ }
+ deferred_auth_done = true;
break;
default:
@@ -853,7 +880,7 @@ plugin_call_ssl(const struct plugin_list *pl,
{
return OPENVPN_PLUGIN_FUNC_ERROR;
}
- else if (deferred)
+ else if (deferred_auth_done)
{
return OPENVPN_PLUGIN_FUNC_DEFERRED;
}

9
openvpn-2.4-change-tmpfiles-permissions.patch Normal file
View File

@ -0,0 +1,9 @@
diff --git a/distro/systemd/tmpfiles-openvpn.conf b/distro/systemd/tmpfiles-openvpn.conf
index bb79671e..9258f5c6 100644
--- a/distro/systemd/tmpfiles-openvpn.conf
+++ b/distro/systemd/tmpfiles-openvpn.conf
@@ -1,2 +1,2 @@
-d /run/openvpn-client 0710 root root -
-d /run/openvpn-server 0710 root root -
+d /run/openvpn-client 0750 root openvpn -
+d /run/openvpn-server 0750 root openvpn -

BIN
openvpn-2.5.5.tar.gz
View File

Binary file not shown.

BIN
openvpn-2.5.8.tar.xz Normal file
View File

Binary file not shown.

15
openvpn.spec
View File

@ -1,14 +1,14 @@
Name: openvpn
Version: 2.5.5
Release: 2
Version: 2.5.8
Release: 1
Summary: A full-featured open source SSL VPN solution
License: GPL-2.0-or-later and OpenSSL and SSLeay
URL: https://community.openvpn.net/openvpn
Source0: https://swupdate.openvpn.org/community/releases/openvpn-%{version}.tar.gz
# https://github.com/OpenVPN/openvpn/commit/af3e382
Patch0: CVE-2022-0547.patch
Source0: https://build.openvpn.net/downloads/releases/%{name}-%{version}.tar.xz
Patch0: openvpn-2.4-change-tmpfiles-permissions.patch
BuildRequires: openssl-devel lz4-devel systemd-devel lzo-devel gcc
BuildRequires: iproute pam-devel pkcs11-helper-devel >= 1.11
BuildRequires: libselinux-devel
Requires: iproute
Requires(pre): /usr/sbin/useradd
@ -123,6 +123,9 @@ fi
%{_mandir}/man5/openvpn-examples.5.gz
%changelog
* Thu Feb 02 2023 yaoxin <yaoxin30@h-partners.com> - 2.5.8-1
- Update to 2.5.8
* Wed Mar 30 2022 wangkai <wangkai385@huawei.com> - 2.5.5-2
- Fix CVE-2022-0547
@ -138,7 +141,7 @@ fi
* Thu Feb 04 2021 wangyue <wangyue92@huawei.com> 2.4.8-4
- fix CVE-2020-11810
* Tue Mar 16 2020 daiqianwen <daiqianwen@huawei.com> 2.4.8-3
* Mon Mar 16 2020 daiqianwen <daiqianwen@huawei.com> 2.4.8-3
- modify systemd post preun postun
* Mon Nov 11 2019 guanyalong <guanyalong@huawei.com> 2.4.8-2