mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-06-14 05:49:57 +00:00
openvpn: upgrade 2.6.10 -> 2.6.12
ChangeLog: https://github.com/OpenVPN/openvpn/blob/v2.6.12/Changes.rst Security fixes: CVE-2024-4877: Windows: harden interactive service pipe. Security scope: a malicious process with "some" elevated privileges (SeImpersonatePrivilege) could open the pipe a second time, tricking openvn GUI into providing user credentials (tokens), getting full access to the account openvpn-gui.exe runs as. CVE-2024-5594: control channel: refuse control channel messages with nonprintable characters in them. Security scope: a malicious openvpn peer can send garbage to openvpn log, or cause high CPU load. CVE-2024-28882: only call schedule_exit() once (on a given peer). Security scope: an authenticated client can make the server "keep the session" even when the server has been told to disconnect this client. Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com> [Drop CVE-2024-28882 patch not yet in stable] Signed-off-by: Armin Kuster <akuster808@gmail.com>
This commit is contained in:
Haixiao Yan
committed by
Armin Kuster
Armin Kuster
parent
60fc5f65e1
commit
3d234d9a12
@@ -1,144 +0,0 @@
|
||||
From 6b0859f669729f4fd328d80bc5c7b4dbbdbf0280 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Reynir=20Bj=C3=B6rnsson?= <reynir@reynir.dk>
|
||||
Date: Thu, 16 May 2024 13:58:08 +0200
|
||||
Subject: [PATCH] Only schedule_exit() once
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
If an exit has already been scheduled we should not schedule it again.
|
||||
Otherwise, the exit signal is never emitted if the peer reschedules the
|
||||
exit before the timeout occurs.
|
||||
|
||||
schedule_exit() now only takes the context as argument. The signal is
|
||||
hard coded to SIGTERM, and the interval is read directly from the
|
||||
context options.
|
||||
|
||||
Furthermore, schedule_exit() now returns a bool signifying whether an
|
||||
exit was scheduled; false if exit is already scheduled. The call sites
|
||||
are updated accordingly. A notable difference is that management is only
|
||||
notified *once* when an exit is scheduled - we no longer notify
|
||||
management on redundant exit.
|
||||
|
||||
This patch was assigned a CVE number after already reviewed and ACKed,
|
||||
because it was discovered that a misbehaving client can use the (now
|
||||
fixed) server behaviour to avoid being disconnected by means of a
|
||||
managment interface "client-kill" command - the security issue here is
|
||||
"client can circumvent security policy set by management interface".
|
||||
|
||||
This only affects previously authenticated clients, and only management
|
||||
client-kill, so normal renegotion / AUTH_FAIL ("your session ends") is not
|
||||
affected.
|
||||
|
||||
CVE: 2024-28882
|
||||
|
||||
Change-Id: I9457f005f4ba970502e6b667d9dc4299a588d661
|
||||
Signed-off-by: Reynir Björnsson <reynir@reynir.dk>
|
||||
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
|
||||
Message-Id: <20240516120434.23499-1-gert@greenie.muc.de>
|
||||
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28679.html
|
||||
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
||||
|
||||
CVE: CVE-2024-28882
|
||||
Upstream-Status: Backport [https://github.com/OpenVPN/openvpn/commit/55bb3260c12bae33b6a8eac73cbb6972f8517411]
|
||||
|
||||
Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
|
||||
---
|
||||
src/openvpn/forward.c | 15 +++++++++++----
|
||||
src/openvpn/forward.h | 2 +-
|
||||
src/openvpn/push.c | 12 +++++++-----
|
||||
3 files changed, 19 insertions(+), 10 deletions(-)
|
||||
|
||||
diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
|
||||
index e9811b9c81de..29e812ffd17d 100644
|
||||
--- a/src/openvpn/forward.c
|
||||
+++ b/src/openvpn/forward.c
|
||||
@@ -514,17 +514,24 @@ check_server_poll_timeout(struct context *c)
|
||||
}
|
||||
|
||||
/*
|
||||
- * Schedule a signal n_seconds from now.
|
||||
+ * Schedule a SIGTERM signal c->options.scheduled_exit_interval seconds from now.
|
||||
*/
|
||||
-void
|
||||
-schedule_exit(struct context *c, const int n_seconds, const int signal)
|
||||
+bool
|
||||
+schedule_exit(struct context *c)
|
||||
{
|
||||
+ const int n_seconds = c->options.scheduled_exit_interval;
|
||||
+ /* don't reschedule if already scheduled. */
|
||||
+ if (event_timeout_defined(&c->c2.scheduled_exit))
|
||||
+ {
|
||||
+ return false;
|
||||
+ }
|
||||
tls_set_single_session(c->c2.tls_multi);
|
||||
update_time();
|
||||
reset_coarse_timers(c);
|
||||
event_timeout_init(&c->c2.scheduled_exit, n_seconds, now);
|
||||
- c->c2.scheduled_exit_signal = signal;
|
||||
+ c->c2.scheduled_exit_signal = SIGTERM;
|
||||
msg(D_SCHED_EXIT, "Delayed exit in %d seconds", n_seconds);
|
||||
+ return true;
|
||||
}
|
||||
|
||||
/*
|
||||
diff --git a/src/openvpn/forward.h b/src/openvpn/forward.h
|
||||
index 060fc374ca60..245a80292112 100644
|
||||
--- a/src/openvpn/forward.h
|
||||
+++ b/src/openvpn/forward.h
|
||||
@@ -302,7 +302,7 @@ void reschedule_multi_process(struct context *c);
|
||||
|
||||
void process_ip_header(struct context *c, unsigned int flags, struct buffer *buf);
|
||||
|
||||
-void schedule_exit(struct context *c, const int n_seconds, const int signal);
|
||||
+bool schedule_exit(struct context *c);
|
||||
|
||||
static inline struct link_socket_info *
|
||||
get_link_socket_info(struct context *c)
|
||||
diff --git a/src/openvpn/push.c b/src/openvpn/push.c
|
||||
index 1b406b9c5311..d220eeb97442 100644
|
||||
--- a/src/openvpn/push.c
|
||||
+++ b/src/openvpn/push.c
|
||||
@@ -204,7 +204,11 @@ receive_exit_message(struct context *c)
|
||||
* */
|
||||
if (c->options.mode == MODE_SERVER)
|
||||
{
|
||||
- schedule_exit(c, c->options.scheduled_exit_interval, SIGTERM);
|
||||
+ if (!schedule_exit(c))
|
||||
+ {
|
||||
+ /* Return early when we don't need to notify management */
|
||||
+ return;
|
||||
+ }
|
||||
}
|
||||
else
|
||||
{
|
||||
@@ -391,7 +395,7 @@ __attribute__ ((format(__printf__, 4, 5)))
|
||||
void
|
||||
send_auth_failed(struct context *c, const char *client_reason)
|
||||
{
|
||||
- if (event_timeout_defined(&c->c2.scheduled_exit))
|
||||
+ if (!schedule_exit(c))
|
||||
{
|
||||
msg(D_TLS_DEBUG, "exit already scheduled for context");
|
||||
return;
|
||||
@@ -401,8 +405,6 @@ send_auth_failed(struct context *c, const char *client_reason)
|
||||
static const char auth_failed[] = "AUTH_FAILED";
|
||||
size_t len;
|
||||
|
||||
- schedule_exit(c, c->options.scheduled_exit_interval, SIGTERM);
|
||||
-
|
||||
len = (client_reason ? strlen(client_reason)+1 : 0) + sizeof(auth_failed);
|
||||
if (len > PUSH_BUNDLE_SIZE)
|
||||
{
|
||||
@@ -492,7 +494,7 @@ send_auth_pending_messages(struct tls_multi *tls_multi,
|
||||
void
|
||||
send_restart(struct context *c, const char *kill_msg)
|
||||
{
|
||||
- schedule_exit(c, c->options.scheduled_exit_interval, SIGTERM);
|
||||
+ schedule_exit(c);
|
||||
send_control_channel_string(c, kill_msg ? kill_msg : "RESTART", D_PUSH);
|
||||
}
|
||||
|
||||
--
|
||||
2.34.1
|
||||
|
||||
+1
-2
@@ -10,12 +10,11 @@ inherit autotools systemd update-rc.d pkgconfig
|
||||
SRC_URI = "http://swupdate.openvpn.org/community/releases/${BP}.tar.gz \
|
||||
file://0001-configure.ac-eliminate-build-path-from-openvpn-versi.patch \
|
||||
file://openvpn \
|
||||
file://CVE-2024-28882.patch \
|
||||
"
|
||||
|
||||
UPSTREAM_CHECK_URI = "https://openvpn.net/community-downloads"
|
||||
|
||||
SRC_URI[sha256sum] = "1993bbb7b9edb430626eaa24573f881fd3df642f427fcb824b1aed1fca1bcc9b"
|
||||
SRC_URI[sha256sum] = "1c610fddeb686e34f1367c347e027e418e07523a10f4d8ce4a2c2af2f61a1929"
|
||||
|
||||
CVE_STATUS[CVE-2020-27569] = "not-applicable-config: Applies only Aviatrix OpenVPN client, not openvpn"
|
||||
|
||||
Reference in New Issue
Block a user