update to version 2.6.8

2024-01-08 16:00:43 +08:00 · 2024-01-08 16:00:43 +08:00 · b99246ef55
commit b99246ef55
parent 7031027913
5 changed files with 6 additions and 176 deletions
--- a/backport-CVE-2023-46849.patch
+++ b/backport-CVE-2023-46849.patch
@ -1,116 +0,0 @@
-From 1cfca659244e362f372d9843351257f456392a2f Mon Sep 17 00:00:00 2001
-From: Arne Schwabe <arne@rfc2549.org>
-Date: Thu, 19 Oct 2023 15:14:33 +0200
-Subject: [PATCH] Remove saving initial frame code
-
-This code was necessary before the frame/buffer refactoring as we
-always did relative adjustment to the frame.
-
-This also fixes also that previously initial_frame was initialised too
-early before the fragment related options were initialised and contained
-0 for the maximum frame size. This resulted in a DIV by 0 that caused an
-abort on platforms that throw an exception for that.
-
-CVE: 2023-46849
-
-Only people with --fragment in their config are affected
-
-Change-Id: Icc612bab5700879606290639e1b8773f61ec670d
-Signed-off-by: Arne Schwabe <arne@rfc2549.org>
-Acked-by: David Sommerseth <davids@openvpn.net>
-Acked-by: Heiko Hund <heiko@ist.eigentlich.net>
-Message-Id: <20231108124947.76816-1-gert@greenie.muc.de>
-URL: https://www.mail-archive.com/search?l=mid&q=20231108124947.76816-1-gert@greenie.muc.de
-Signed-off-by: Gert Doering <gert@greenie.muc.de>
---
- src/openvpn/forward.c |  9 ---------
- src/openvpn/init.c    | 19 ++++++++-----------
- src/openvpn/openvpn.h |  3 ---
- 3 files changed, 8 insertions(+), 23 deletions(-)
-
-diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
-index 2510410f..0443ca0a 100644
--- a/src/openvpn/forward.c
-+++ b/src/openvpn/forward.c
-@@ -1078,15 +1078,6 @@ process_incoming_link_part1(struct context *c, struct link_socket_info *lsi, boo
-             if (tls_pre_decrypt(c->c2.tls_multi, &c->c2.from, &c->c2.buf, &co,
-                                 floated, &ad_start))
-             {
-                /* Restore pre-NCP frame parameters */
-                if (is_hard_reset_method2(opcode))
-                {
-                    c->c2.frame = c->c2.frame_initial;
-#ifdef ENABLE_FRAGMENT
-                    c->c2.frame_fragment = c->c2.frame_fragment_initial;
-#endif
-                }
-
-                 interval_action(&c->c2.tmp_int);
- 
-                 /* reset packet received timer if TLS packet */
-diff --git a/src/openvpn/init.c b/src/openvpn/init.c
-index 6fb6900d..079c4f5e 100644
--- a/src/openvpn/init.c
-+++ b/src/openvpn/init.c
-@@ -3547,15 +3547,6 @@ do_init_frame(struct context *c)
-      */
-     frame_finalize_options(c, NULL);
- 
-#ifdef ENABLE_FRAGMENT
-    /*
-     * Set frame parameter for fragment code.  This is necessary because
-     * the fragmentation code deals with payloads which have already been
-     * passed through the compression code.
-     */
-    c->c2.frame_fragment = c->c2.frame;
-    c->c2.frame_fragment_initial = c->c2.frame_fragment;
-#endif
- 
- #if defined(ENABLE_FRAGMENT)
-     /*
-@@ -3751,6 +3742,14 @@ static void
- do_init_fragment(struct context *c)
- {
-     ASSERT(c->options.ce.fragment);
-+
-+    /*
-+     * Set frame parameter for fragment code.  This is necessary because
-+     * the fragmentation code deals with payloads which have already been
-+     * passed through the compression code.
-+     */
-+    c->c2.frame_fragment = c->c2.frame;
-+
-     frame_calculate_dynamic(&c->c2.frame_fragment, &c->c1.ks.key_type,
-                             &c->options, get_link_socket_info(c));
-     fragment_frame_init(c->c2.fragment, &c->c2.frame_fragment);
-@@ -4658,8 +4657,6 @@ init_instance(struct context *c, const struct env_set *env, const unsigned int f
-         c->c2.did_open_tun = do_open_tun(c, &error_flags);
-     }
- 
-    c->c2.frame_initial = c->c2.frame;
-
-     /* print MTU info */
-     do_print_data_channel_mtu_parms(c);
- 
-diff --git a/src/openvpn/openvpn.h b/src/openvpn/openvpn.h
-index 077effeb..5b2be63f 100644
--- a/src/openvpn/openvpn.h
-+++ b/src/openvpn/openvpn.h
-@@ -249,14 +249,11 @@ struct context_2
- 
-     /* MTU frame parameters */
-     struct frame frame;                         /* Active frame parameters */
-    struct frame frame_initial;                 /* Restored on new session */
- 
- #ifdef ENABLE_FRAGMENT
-     /* Object to handle advanced MTU negotiation and datagram fragmentation */
-     struct fragment_master *fragment;
-     struct frame frame_fragment;
-    struct frame frame_fragment_initial;
-    struct frame frame_fragment_omit;
- #endif
- 
-     /*
-- 
-2.42.0.windows.2
-
--- a/backport-CVE-2023-46850.patch
+++ b/backport-CVE-2023-46850.patch
@ -1,55 +0,0 @@
-From 57a5cd1e12f193927c9b7429f8778fec7e04c50a Mon Sep 17 00:00:00 2001
-From: Arne Schwabe <arne@rfc2549.org>
-Date: Fri, 27 Oct 2023 14:19:37 +0200
-Subject: [PATCH] Fix using to_link buffer after freed
-
-When I refactored the tls_state_change method in
-9a7b95fda5 I accidentally changed a break into
-a return true while it should return a false.
-
-The code here is extremely fragile in the sense
-that it assumes that settings a keystate to S_ERROR
-cannot have any outgoing buffer or we will have a
-use after free.  The previous break and now restored
-return false ensure this by skipping any further
-tls_process_state loops that might set to ks->S_ERROR
-and ensure that the to_link is sent out and cleared
-before having more loops in tls_state_change.
-
-CVE: 2023-46850
-
-This affects everyone, even with tls-auth/tls-crypt enabled.
-
-Change-Id: I2a0f1c665d992da8e24a421ff0ddcb40f7945ea8
-Signed-off-by: Arne Schwabe <arne@rfc2549.org>
-Acked-by: David Sommerseth <davids@openvpn.net>
-Acked-by: Heiko Hund <heiko@ist.eigentlich.net>
-Message-Id: <20231108124947.76816-3-gert@greenie.muc.de>
-URL: https://www.mail-archive.com/search?l=mid&q=20231108124947.76816-3-gert@greenie.muc.de
-Signed-off-by: Gert Doering <gert@greenie.muc.de>
---
- src/openvpn/ssl.c | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
-index 022dc79f..9e0ad020 100644
--- a/src/openvpn/ssl.c
-+++ b/src/openvpn/ssl.c
-@@ -2906,7 +2906,13 @@ tls_process_state(struct tls_multi *multi,
-                            CONTROL_SEND_ACK_MAX, true);
-         *to_link = b;
-         dmsg(D_TLS_DEBUG, "Reliable -> TCP/UDP");
-        return true;
-+
-+        /* This changed the state of the outgoing buffer. In order to avoid
-+         * running this function again/further and invalidating the key_state
-+         * buffer and accessing the buffer that is now in to_link after it being
-+         * freed for a potential error, we shortcircuit exiting of the outer
-+         * process here. */
-+        return false;
-     }
- 
-     /* Write incoming ciphertext to TLS object */
-- 
-2.42.0.windows.2
-
--- a/openvpn-2.6.2.tar.gz
+++ b/openvpn-2.6.2.tar.gz
--- a/openvpn-2.6.8.tar.gz
+++ b/openvpn-2.6.8.tar.gz
--- a/openvpn.spec
+++ b/openvpn.spec
@ -1,13 +1,11 @@
 Name: openvpn
-Version: 2.6.2
-Release: 2
+Version: 2.6.8
+Release: 1
 Summary: A full-featured open source SSL VPN solution
 License: GPL-2.0-or-later and OpenSSL and SSLeay
-URL: https://community.openvpn.net/openvpn
+URL:     https://community.openvpn.net/openvpn
 Source0: https://build.openvpn.net/downloads/releases/%{name}-%{version}.tar.gz
 Patch0:  openvpn-2.4-change-tmpfiles-permissions.patch
-Patch1:  backport-CVE-2023-46849.patch
-Patch2:  backport-CVE-2023-46850.patch
 BuildRequires: openssl-devel lz4-devel systemd-devel lzo-devel gcc
 BuildRequires: iproute pam-devel pkcs11-helper-devel >= 1.11
 BuildRequires: libselinux-devel
@ -126,6 +124,9 @@ fi
 %{_mandir}/man5/openvpn-examples.5.gz

 %changelog
+* Mon Jan 08 2024 Ge Wang <wang__ge@126.com> - 2.6.8-1
+- Update to version 2.6.8
+
 * Wed Nov 22 2023 liningjie <liningjie@xfusion.com> - 2.6.2-2
 - Fix CVE-2023-46849 CVE-2023-46850