From d6cd54ccfe91495f649d44ea1c4bde86c577c4af Mon Sep 17 00:00:00 2001
From: wk333 <13474090681@163.com>
Date: Wed, 30 Mar 2022 11:10:17 +0800
Subject: [PATCH] Fix CVE-2022-0547
---
 CVE-2022-0547.patch | 107 ++++++++++++++++++++++++++++++++++++++++++++
 openvpn.spec | 7 ++-
 2 files changed, 113 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2022-0547.patch
diff --git a/CVE-2022-0547.patch b/CVE-2022-0547.patch
new file mode 100644
index 0000000..12e7c3f
--- /dev/null
+++ b/CVE-2022-0547.patch
@@ -0,0 +1,107 @@
+From 58ec3bb4aac77131118dbbc39a65181e7847adee Mon Sep 17 00:00:00 2001
+From: David Sommerseth
+Date: Tue, 15 Mar 2022 16:53:43 +0100
+Subject: [PATCH] plug-ins: Disallow multiple deferred authentication plug-ins
+
+The plug-in API in OpenVPN 2.x is not designed for running multiple
+deferred authentication processes in parallel. The authentication
+results of such configurations are not to be trusted. For now we bail
+out when this discovered with an error in the log.
+
+This is a backport of commit 282ddbac54f8d4923844f699 (master), taking
+the different man-page format into account. The code change is the same.
+
+CVE: 2022-0547
+Signed-off-by: David Sommerseth
+
+Acked-by: Gert Doering
+Message-Id: <20220315155344.37787-3-openvpn@sf.lists.topphemmelig.net>
+URL: https://www.mail-archive.com/search?l=mid&q=20220315155344.37787-3-openvpn@sf.lists.topphemmelig.net
+Signed-off-by: Gert Doering
+---
+ doc/openvpn.8 | 13 +++++++++++++
+ src/openvpn/plugin.c | 33 ++++++++++++++++++++++++++++++---
+ 2 files changed, 43 insertions(+), 3 deletions(-)
+
+diff --git a/doc/openvpn.8 b/doc/openvpn.8
+index 598d5fce5..7f773b695 100644
+--- a/doc/openvpn.8
++++ b/doc/openvpn.8
+@@ -2805,6 +2805,19 @@ function (such as tls\-verify, auth\-user\-pass\-verify, or
+ client\-connect), then
+ every module and script must return success (0) in order for
+ the connection to be authenticated.
++
++.INDENT 7.0
++.TP
++.B \fBWARNING\fP:
++Plug\-ins may do deferred execution, meaning the plug\-in will
++return the control back to the main OpenVPN process and provide
++the plug\-in result later on via a different thread or process.
++OpenVPN does \fBNOT\fP support multiple authentication plug\-ins
++\fBwhere more than one plugin\fP tries to do deferred authentication.
++If this behaviour is detected, OpenVPN will shut down upon first
++authentication.
++.UNINDENT
++.UNINDENT
+ .\"*********************************************************
+ .TP
+ .B \-\-keying\-material\-exporter label len
+diff --git a/src/openvpn/plugin.c b/src/openvpn/plugin.c
+index 0ab99ab5c..5ba1c2470 100644
+--- a/src/openvpn/plugin.c
++++ b/src/openvpn/plugin.c
+@@ -809,7 +809,7 @@ plugin_call_ssl(const struct plugin_list *pl,
+ const int n = plugin_n(pl);
+ bool success = false;
+ bool error = false;
+- bool deferred = false;
++ bool deferred_auth_done = false;
+
+ setenv_del(es, "script_type");
+ envp = make_env_array(es, false, &gc);
+@@ -834,7 +834,34 @@ plugin_call_ssl(const struct plugin_list *pl,
+ break;
+
+ case OPENVPN_PLUGIN_FUNC_DEFERRED:
+- deferred = true;
++ if ((type == OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY)
++ && deferred_auth_done)
++ {
++ /*
++ * Do not allow deferred auth if a deferred auth has
++ * already been started. This should allow a single
++ * deferred auth call to happen, with one or more
++ * auth calls with an instant authentication result.
++ *
++ * The plug-in API is not designed for multiple
++ * deferred authentications to happen, as the
++ * auth_control_file file will be shared across all
++ * the plug-ins.
++ *
++ * Since this is considered a critical configuration
++ * error, we bail out and exit the OpenVPN process.
++ */
++ error = true;
++ msg(M_FATAL,
++ "Exiting due to multiple authentication plug-ins "
++ "performing deferred authentication. Only one "
++ "authentication plug-in doing deferred auth is "
++ "allowed. Ignoring the result and stopping now, "
++ "the current authentication result is not to be "
++ "trusted.");
++ break;
++ }
++ deferred_auth_done = true;
+ break;
+
+ default:
+@@ -858,7 +885,7 @@ plugin_call_ssl(const struct plugin_list *pl,
+ {
+ return OPENVPN_PLUGIN_FUNC_ERROR;
+ }
+- else if (deferred)
++ else if (deferred_auth_done)
+ {
+ return OPENVPN_PLUGIN_FUNC_DEFERRED;
+ }
diff --git a/openvpn.spec b/openvpn.spec
index 6b10891..76caf29 100644
--- a/openvpn.spec
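Review bot: In the `plugin_call_ssl()` hunks of the backported patch, the rejection test is limited to `type == OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY`, while `deferred_auth_done` is set for every hook type that returns `OPENVPN_PLUGIN_FUNC_DEFERRED` and still selects the function's deferred return value. The name reads as auth-only although the flag is generic, so a comment at the assignment such as `/* set for any hook type; only a second AUTH_USER_PASS_VERIFY deferral is fatal */` would stop a later reader from assuming other hook types are guarded as well. The check also runs at the first authentication rather than at start-up, so a server configured with two deferring auth plug-ins keeps starting normally and then exits on the first client login; that fail-closed behaviour is worth calling out to operators when the package ships. The function body starts and ends outside these hunks.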
+++ b/openvpn.spec
@@ -1,12 +1,14 @@
 Name: openvpn
 Version: 2.4.8
-Release: 6
+Release: 7
 Summary: A full-featured open source SSL VPN solution
 License: GPLv2 and OpenSSL and SSLeay
 URL: https://community.openvpn.net/openvpn
 Source0: https://swupdate.openvpn.org/community/releases/openvpn-%{version}.tar.gz
 Patch0000: CVE-2020-11810.patch
 Patch0001: CVE-2020-15078.patch
+# https://github.com/OpenVPN/openvpn/commit/58ec3bb
+Patch0002: CVE-2022-0547.patch
 BuildRequires: openssl-devel lz4-devel systemd-devel lzo-devel gcc
 BuildRequires: iproute pam-devel pkcs11-helper-devel >= 1.11
@@ -123,6 +125,9 @@ fi
 %{_mandir}/man8/%{name}.8*
 %changelog
+* Wed Mar 30 2022 wangkai - 2.4.8-7
+- Fix CVE-2022-0547
+
 * Wed Jun 9 2021 zhaoyao - 2.4.8-6
 - fix faileds: /bin/sh: gcc: command not found.
-- Gitee
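Review bot: `Patch0002` is declared in the first hunk, but nothing in this commit touches `%prep`, so whether the fix is actually applied depends on how `%prep` (outside both hunks) handles patches. If it lists patches one by one instead of using `%autosetup` or `%autopatch`, a matching `%patch` line for the new entry is needed; otherwise the package would ship as 2.4.8-7 with the CVE recorded as fixed while the built code is unchanged. The changelog entry `- Fix CVE-2022-0547` could also mention that the server now exits at the first authentication when more than one plug-in defers, since that is an operator-visible behaviour change.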