diff --git a/CVE-2020-11810.patch b/CVE-2020-11810.patch deleted file mode 100644 index 466cf0cc554a8cc366e0c12c370da61b79adaf27..0000000000000000000000000000000000000000 --- a/CVE-2020-11810.patch +++ /dev/null @@ -1,65 +0,0 @@ -From 37bc691e7d26ea4eb61a8a434ebd7a9ae76225ab Mon Sep 17 00:00:00 2001 -From: Lev Stipakov -Date: Wed, 15 Apr 2020 10:30:17 +0300 -Subject: [PATCH] Fix illegal client float (CVE-2020-11810) - -There is a time frame between allocating peer-id and initializing data -channel key (which is performed on receiving push request or on async -push-reply) in which the existing peer-id float checks do not work right. - -If a "rogue" data channel packet arrives during that time frame from -another address and with same peer-id, this would cause client to float -to that new address. This is because: - - - tls_pre_decrypt() sets packet length to zero if - data channel key has not been initialized, which leads to - - - openvpn_decrypt() returns true if packet length is zero, - which leads to - - - process_incoming_link_part1() returns true, which - calls multi_process_float(), which commits float - -Note that problem doesn't happen when data channel key is initialized, -since in this case openvpn_decrypt() returns false. - -The net effect of this behaviour is that the VPN session for the -"victim client" is broken. Since the "attacker client" does not have -suitable keys, it can not inject or steal VPN traffic from the other -session. The time window is small and it can not be used to attack -a specific client's session, unless some other way is found to make it -disconnect and reconnect first. - -CVE-2020-11810 has been assigned to acknowledge this risk. - -Fix illegal float by adding buffer length check ("is this packet still -considered valid") before calling multi_process_float(). - -Trac: #1272 -CVE: 2020-11810 - -Signed-off-by: Lev Stipakov -Acked-by: Arne Schwabe -Acked-by: Antonio Quartulli -Acked-by: Gert Doering -Message-Id: <20200415073017.22839-1-lstipakov@gmail.com> -URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19720.html -Signed-off-by: Gert Doering ---- - src/openvpn/multi.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c -index b42bcec97..056e3dc76 100644 ---- a/src/openvpn/multi.c -+++ b/src/openvpn/multi.c -@@ -2577,7 +2577,8 @@ multi_process_incoming_link(struct multi_context *m, struct multi_instance *inst - orig_buf = c->c2.buf.data; - if (process_incoming_link_part1(c, lsi, floated)) - { -- if (floated) -+ /* nonzero length means that we have a valid, decrypted packed */ -+ if (floated && c->c2.buf.len > 0) - { - multi_process_float(m, m->pending); - } diff --git a/CVE-2020-15078.patch b/CVE-2020-15078.patch deleted file mode 100644 index 0fa20077646490b21a123853937736e37958078a..0000000000000000000000000000000000000000 --- a/CVE-2020-15078.patch +++ /dev/null @@ -1,39 +0,0 @@ -From 6b03967183591d8a7e619caaf529f7581619326b Mon Sep 17 00:00:00 2001 -From: Arne Schwabe -Date: Tue, 6 Apr 2021 00:05:21 +0200 -Subject: [PATCH] Ensure key state is authenticated before sending push reply - -This ensures that the key state is authenticated when sendinga push reply. ---- - src/openvpn/push.c | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - -diff --git a/src/openvpn/push.c b/src/openvpn/push.c -index dd5bd41..fcdd76b 100644 ---- a/src/openvpn/push.c -+++ b/src/openvpn/push.c -@@ -647,6 +647,7 @@ int - process_incoming_push_request(struct context *c) - { - int ret = PUSH_MSG_ERROR; -+ struct key_state *ks = &c->c2.tls_multi->session[TM_ACTIVE].key[KS_PRIMARY]; - - #ifdef ENABLE_ASYNC_PUSH - c->c2.push_request_received = true; -@@ -657,7 +658,12 @@ process_incoming_push_request(struct context *c) - send_auth_failed(c, client_reason); - ret = PUSH_MSG_AUTH_FAILURE; - } -- else if (!c->c2.push_reply_deferred && c->c2.context_auth == CAS_SUCCEEDED) -+ else if (!c->c2.push_reply_deferred && c->c2.context_auth == CAS_SUCCEEDED -+ && ks->authenticated -+ #ifdef ENABLE_DEF_AUTH -+ && !ks->auth_deferred -+ #endif -+ ) - { - time_t now; - --- -2.23.0 - diff --git a/CVE-2022-0547.patch b/CVE-2022-0547.patch index 12e7c3ff3bd82a6a384e5a9ec33a26095e6a7e05..3916525b7f9797f1404f6076f035ac6d487b977c 100644 --- a/CVE-2022-0547.patch +++ b/CVE-2022-0547.patch @@ -1,57 +1,48 @@ -From 58ec3bb4aac77131118dbbc39a65181e7847adee Mon Sep 17 00:00:00 2001 +From af3e382649d96ae77cc5e42be8270f355e5cfec5 Mon Sep 17 00:00:00 2001 From: David Sommerseth -Date: Tue, 15 Mar 2022 16:53:43 +0100 +Date: Sun, 13 Mar 2022 20:31:53 +0100 Subject: [PATCH] plug-ins: Disallow multiple deferred authentication plug-ins The plug-in API in OpenVPN 2.x is not designed for running multiple deferred authentication processes in parallel. The authentication results of such configurations are not to be trusted. For now we bail -out when this discovered with an error in the log. - -This is a backport of commit 282ddbac54f8d4923844f699 (master), taking -the different man-page format into account. The code change is the same. +out when this is discovered with an error in the log. CVE: 2022-0547 Signed-off-by: David Sommerseth -Acked-by: Gert Doering -Message-Id: <20220315155344.37787-3-openvpn@sf.lists.topphemmelig.net> -URL: https://www.mail-archive.com/search?l=mid&q=20220315155344.37787-3-openvpn@sf.lists.topphemmelig.net +Acked-by: Antonio Quartulli +Message-Id: <20220313193154.9350-3-openvpn@sf.lists.topphemmelig.net> +URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23931.html Signed-off-by: Gert Doering +(cherry picked from commit 282ddbac54f8d4923844f69983b38dd2b813a00a) --- - doc/openvpn.8 | 13 +++++++++++++ - src/openvpn/plugin.c | 33 ++++++++++++++++++++++++++++++--- - 2 files changed, 43 insertions(+), 3 deletions(-) + doc/man-sections/plugin-options.rst | 9 ++++++++ + src/openvpn/plugin.c | 33 ++++++++++++++++++++++++++--- + 2 files changed, 39 insertions(+), 3 deletions(-) -diff --git a/doc/openvpn.8 b/doc/openvpn.8 -index 598d5fce5..7f773b695 100644 ---- a/doc/openvpn.8 -+++ b/doc/openvpn.8 -@@ -2805,6 +2805,19 @@ function (such as tls\-verify, auth\-user\-pass\-verify, or - client\-connect), then - every module and script must return success (0) in order for - the connection to be authenticated. +diff --git a/doc/man-sections/plugin-options.rst b/doc/man-sections/plugin-options.rst +index 51c574fe6..9266429ea 100644 +--- a/doc/man-sections/plugin-options.rst ++++ b/doc/man-sections/plugin-options.rst +@@ -55,3 +55,12 @@ plug-ins must be prebuilt and adhere to the OpenVPN Plug-In API. + (such as tls-verify, auth-user-pass-verify, or client-connect), then + every module and script must return success (:code:`0`) in order for the + connection to be authenticated. + -+.INDENT 7.0 -+.TP -+.B \fBWARNING\fP: -+Plug\-ins may do deferred execution, meaning the plug\-in will -+return the control back to the main OpenVPN process and provide -+the plug\-in result later on via a different thread or process. -+OpenVPN does \fBNOT\fP support multiple authentication plug\-ins -+\fBwhere more than one plugin\fP tries to do deferred authentication. -+If this behaviour is detected, OpenVPN will shut down upon first -+authentication. -+.UNINDENT -+.UNINDENT - .\"********************************************************* - .TP - .B \-\-keying\-material\-exporter label len ++ **WARNING**: ++ Plug-ins may do deferred execution, meaning the plug-in will ++ return the control back to the main OpenVPN process and provide ++ the plug-in result later on via a different thread or process. ++ OpenVPN does **NOT** support multiple authentication plug-ins ++ **where more than one plugin** tries to do deferred authentication. ++ If this behaviour is detected, OpenVPN will shut down upon first ++ authentication. diff --git a/src/openvpn/plugin.c b/src/openvpn/plugin.c -index 0ab99ab5c..5ba1c2470 100644 +index e8f8830d0..ed5d7c067 100644 --- a/src/openvpn/plugin.c +++ b/src/openvpn/plugin.c -@@ -809,7 +809,7 @@ plugin_call_ssl(const struct plugin_list *pl, +@@ -806,7 +806,7 @@ plugin_call_ssl(const struct plugin_list *pl, const int n = plugin_n(pl); bool success = false; bool error = false; @@ -60,7 +51,7 @@ index 0ab99ab5c..5ba1c2470 100644 setenv_del(es, "script_type"); envp = make_env_array(es, false, &gc); -@@ -834,7 +834,34 @@ plugin_call_ssl(const struct plugin_list *pl, +@@ -829,7 +829,34 @@ plugin_call_ssl(const struct plugin_list *pl, break; case OPENVPN_PLUGIN_FUNC_DEFERRED: @@ -96,7 +87,7 @@ index 0ab99ab5c..5ba1c2470 100644 break; default: -@@ -858,7 +885,7 @@ plugin_call_ssl(const struct plugin_list *pl, +@@ -853,7 +880,7 @@ plugin_call_ssl(const struct plugin_list *pl, { return OPENVPN_PLUGIN_FUNC_ERROR; } diff --git a/openvpn-2.4.8.tar.gz b/openvpn-2.4.8.tar.gz deleted file mode 100644 index 3d5ce5814f0e8b9452608094b87f1af38034e7a6..0000000000000000000000000000000000000000 Binary files a/openvpn-2.4.8.tar.gz and /dev/null differ diff --git a/openvpn-2.5.5.tar.gz b/openvpn-2.5.5.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..6bbb30802a9d5533866ddb43b23ff8579027eb2b Binary files /dev/null and b/openvpn-2.5.5.tar.gz differ diff --git a/openvpn.spec b/openvpn.spec index 76caf29fe5989ac1659d1b0f47c1d047af685f77..993705fb382e6e70da04553edc4ced7ff159b097 100644 --- a/openvpn.spec +++ b/openvpn.spec @@ -1,12 +1,10 @@ Name: openvpn -Version: 2.4.8 -Release: 7 +Version: 2.5.5 +Release: 1 Summary: A full-featured open source SSL VPN solution -License: GPLv2 and OpenSSL and SSLeay +License: GPL-2.0-or-later and OpenSSL and SSLeay URL: https://community.openvpn.net/openvpn Source0: https://swupdate.openvpn.org/community/releases/openvpn-%{version}.tar.gz -Patch0000: CVE-2020-11810.patch -Patch0001: CVE-2020-15078.patch # https://github.com/OpenVPN/openvpn/commit/58ec3bb Patch0002: CVE-2022-0547.patch BuildRequires: openssl-devel lz4-devel systemd-devel lzo-devel gcc @@ -123,8 +121,12 @@ fi %files help %{_pkgdocdir} %{_mandir}/man8/%{name}.8* +%{_mandir}/man5/openvpn-examples.5.gz %changelog +* Wed Apr 13 2022 xigaoxinyan - 2.5.5-1 +- Update to 2.5.5 + * Wed Mar 30 2022 wangkai - 2.4.8-7 - Fix CVE-2022-0547