Fix CVE-2022-0547

(cherry picked from commit d6cd54ccfe91495f649d44ea1c4bde86c577c4af)
2022-03-30 11:10:17 +08:00 · 2022-03-30 11:10:17 +08:00 · cab05c910d
commit cab05c910d
parent e188357f25
2 changed files with 113 additions and 1 deletions
--- a/CVE-2022-0547.patch
+++ b/CVE-2022-0547.patch
@ -0,0 +1,107 @@
+From 58ec3bb4aac77131118dbbc39a65181e7847adee Mon Sep 17 00:00:00 2001
+From: David Sommerseth <davids@openvpn.net>
+Date: Tue, 15 Mar 2022 16:53:43 +0100
+Subject: [PATCH] plug-ins: Disallow multiple deferred authentication plug-ins
+
+The plug-in API in OpenVPN 2.x is not designed for running multiple
+deferred authentication processes in parallel. The authentication
+results of such configurations are not to be trusted.  For now we bail
+out when this discovered with an error in the log.
+
+This is a backport of commit 282ddbac54f8d4923844f699 (master), taking
+the different man-page format into account.  The code change is the same.
+
+CVE: 2022-0547
+Signed-off-by: David Sommerseth <davids@openvpn.net>
+
+Acked-by: Gert Doering <gert@greenie.muc.de>
+Message-Id: <20220315155344.37787-3-openvpn@sf.lists.topphemmelig.net>
+URL: https://www.mail-archive.com/search?l=mid&q=20220315155344.37787-3-openvpn@sf.lists.topphemmelig.net
+Signed-off-by: Gert Doering <gert@greenie.muc.de>
+---
+ doc/openvpn.8        | 13 +++++++++++++
+ src/openvpn/plugin.c | 33 ++++++++++++++++++++++++++++++---
+ 2 files changed, 43 insertions(+), 3 deletions(-)
+
+diff --git a/doc/openvpn.8 b/doc/openvpn.8
+index 598d5fce5..7f773b695 100644
+--- a/doc/openvpn.8
+++ b/doc/openvpn.8
+@@ -2805,6 +2805,19 @@ function (such as tls\-verify, auth\-user\-pass\-verify, or
+ client\-connect), then
+ every module and script must return success (0) in order for
+ the connection to be authenticated.
+
+.INDENT 7.0
+.TP
+.B \fBWARNING\fP:
+Plug\-ins may do deferred execution, meaning the plug\-in will
+return the control back to the main OpenVPN process and provide
+the plug\-in result later on via a different thread or process.
+OpenVPN does \fBNOT\fP support multiple authentication plug\-ins
+\fBwhere more than one plugin\fP tries to do deferred authentication.
+If this behaviour is detected, OpenVPN will shut down upon first
+authentication.
+.UNINDENT
+.UNINDENT
+ .\"*********************************************************
+ .TP
+ .B \-\-keying\-material\-exporter label len
+diff --git a/src/openvpn/plugin.c b/src/openvpn/plugin.c
+index 0ab99ab5c..5ba1c2470 100644
+--- a/src/openvpn/plugin.c
+++ b/src/openvpn/plugin.c
+@@ -809,7 +809,7 @@ plugin_call_ssl(const struct plugin_list *pl,
+         const int n = plugin_n(pl);
+         bool success = false;
+         bool error = false;
+-        bool deferred = false;
+        bool deferred_auth_done = false;
+ 
+         setenv_del(es, "script_type");
+         envp = make_env_array(es, false, &gc);
+@@ -834,7 +834,34 @@ plugin_call_ssl(const struct plugin_list *pl,
+                     break;
+ 
+                 case OPENVPN_PLUGIN_FUNC_DEFERRED:
+-                    deferred = true;
+                    if ((type == OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY)
+                        && deferred_auth_done)
+                    {
+                        /*
+                         * Do not allow deferred auth if a deferred auth has
+                         * already been started.  This should allow a single
+                         * deferred auth call to happen, with one or more
+                         * auth calls with an instant authentication result.
+                         *
+                         * The plug-in API is not designed for multiple
+                         * deferred authentications to happen, as the
+                         * auth_control_file file will be shared across all
+                         * the plug-ins.
+                         *
+                         * Since this is considered a critical configuration
+                         * error, we bail out and exit the OpenVPN process.
+                         */
+                        error = true;
+                        msg(M_FATAL,
+                            "Exiting due to multiple authentication plug-ins "
+                            "performing deferred authentication.  Only one "
+                            "authentication plug-in doing deferred auth is "
+                            "allowed.  Ignoring the result and stopping now, "
+                            "the current authentication result is not to be "
+                            "trusted.");
+                        break;
+                    }
+                    deferred_auth_done = true;
+                     break;
+ 
+                 default:
+@@ -858,7 +885,7 @@ plugin_call_ssl(const struct plugin_list *pl,
+         {
+             return OPENVPN_PLUGIN_FUNC_ERROR;
+         }
+-        else if (deferred)
+        else if (deferred_auth_done)
+         {
+             return OPENVPN_PLUGIN_FUNC_DEFERRED;
+         }
--- a/openvpn.spec
+++ b/openvpn.spec
@ -1,12 +1,14 @@
 Name: openvpn
 Version: 2.4.8
-Release: 6
+Release: 7
 Summary: A full-featured open source SSL VPN solution
 License: GPLv2 and OpenSSL and SSLeay
 URL: https://community.openvpn.net/openvpn
 Source0: https://swupdate.openvpn.org/community/releases/openvpn-%{version}.tar.gz
 Patch0000:     CVE-2020-11810.patch
 Patch0001:     CVE-2020-15078.patch
+# https://github.com/OpenVPN/openvpn/commit/58ec3bb
+Patch0002:     CVE-2022-0547.patch
 BuildRequires: openssl-devel lz4-devel systemd-devel lzo-devel gcc
 BuildRequires: iproute pam-devel pkcs11-helper-devel >= 1.11

@ -123,6 +125,9 @@ fi
 %{_mandir}/man8/%{name}.8*

 %changelog
+* Wed Mar 30 2022 wangkai <wangkai385@huawei.com> - 2.4.8-7
+- Fix CVE-2022-0547
+
 * Wed Jun 9 2021 zhaoyao <zhaoyao32@huawei.com> - 2.4.8-6
 - fix faileds: /bin/sh: gcc: command not found.