diff --git a/backport-CVE-2023-46849.patch b/backport-CVE-2023-46849.patch
new file mode 100644
index 0000000000000000000000000000000000000000..588037313c07cb4dd1b00406cb7672ed0097666e
--- /dev/null
+++ b/backport-CVE-2023-46849.patch
@@ -0,0 +1,116 @@
+From 1cfca659244e362f372d9843351257f456392a2f Mon Sep 17 00:00:00 2001
+From: Arne Schwabe
+Date: Thu, 19 Oct 2023 15:14:33 +0200
+Subject: [PATCH] Remove saving initial frame code
+
+This code was necessary before the frame/buffer refactoring as we
+always did relative adjustment to the frame.
+
+This also fixes also that previously initial_frame was initialised too
+early before the fragment related options were initialised and contained
+0 for the maximum frame size. This resulted in a DIV by 0 that caused an
+abort on platforms that throw an exception for that.
+
+CVE: 2023-46849
+
+Only people with --fragment in their config are affected
+
+Change-Id: Icc612bab5700879606290639e1b8773f61ec670d
+Signed-off-by: Arne Schwabe
+Acked-by: David Sommerseth
+Acked-by: Heiko Hund
+Message-Id: <20231108124947.76816-1-gert@greenie.muc.de>
+URL: https://www.mail-archive.com/search?l=mid&q=20231108124947.76816-1-gert@greenie.muc.de
+Signed-off-by: Gert Doering
+---
+ src/openvpn/forward.c | 9 ---------
+ src/openvpn/init.c | 19 ++++++++-----------
+ src/openvpn/openvpn.h | 3 ---
+ 3 files changed, 8 insertions(+), 23 deletions(-)
+
+diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
+index 2510410f..0443ca0a 100644
+--- a/src/openvpn/forward.c
++++ b/src/openvpn/forward.c
+@@ -1078,15 +1078,6 @@ process_incoming_link_part1(struct context *c, struct link_socket_info *lsi, boo
+ if (tls_pre_decrypt(c->c2.tls_multi, &c->c2.from, &c->c2.buf, &co,
+ floated, &ad_start))
+ {
+- /* Restore pre-NCP frame parameters */
+- if (is_hard_reset_method2(opcode))
+- {
+- c->c2.frame = c->c2.frame_initial;
+-#ifdef ENABLE_FRAGMENT
+- c->c2.frame_fragment = c->c2.frame_fragment_initial;
+-#endif
+- }
+-
+ interval_action(&c->c2.tmp_int);
+
+ /* reset packet received timer if TLS packet */
+diff --git a/src/openvpn/init.c b/src/openvpn/init.c
+index 6fb6900d..079c4f5e 100644
+--- a/src/openvpn/init.c
++++ b/src/openvpn/init.c
+@@ -3547,15 +3547,6 @@ do_init_frame(struct context *c)
+ */
+ frame_finalize_options(c, NULL);
+
+-#ifdef ENABLE_FRAGMENT
+- /*
+- * Set frame parameter for fragment code. This is necessary because
+- * the fragmentation code deals with payloads which have already been
+- * passed through the compression code.
+- */
+- c->c2.frame_fragment = c->c2.frame;
+- c->c2.frame_fragment_initial = c->c2.frame_fragment;
+-#endif
+
+ #if defined(ENABLE_FRAGMENT)
+ /*
+@@ -3751,6 +3742,14 @@ static void
+ do_init_fragment(struct context *c)
+ {
+ ASSERT(c->options.ce.fragment);
++
++ /*
++ * Set frame parameter for fragment code. This is necessary because
++ * the fragmentation code deals with payloads which have already been
++ * passed through the compression code.
++ */
++ c->c2.frame_fragment = c->c2.frame;
++
+ frame_calculate_dynamic(&c->c2.frame_fragment, &c->c1.ks.key_type,
+ &c->options, get_link_socket_info(c));
+ fragment_frame_init(c->c2.fragment, &c->c2.frame_fragment);
+@@ -4658,8 +4657,6 @@ init_instance(struct context *c, const struct env_set *env, const unsigned int f
+ c->c2.did_open_tun = do_open_tun(c, &error_flags);
+ }
+
+- c->c2.frame_initial = c->c2.frame;
+-
+ /* print MTU info */
+ do_print_data_channel_mtu_parms(c);
+
+diff --git a/src/openvpn/openvpn.h b/src/openvpn/openvpn.h
+index 077effeb..5b2be63f 100644
+--- a/src/openvpn/openvpn.h
++++ b/src/openvpn/openvpn.h
+@@ -249,14 +249,11 @@ struct context_2
+
+ /* MTU frame parameters */
+ struct frame frame; /* Active frame parameters */
+- struct frame frame_initial; /* Restored on new session */
+
+#ifdef ENABLE_FRAGMENT
+ /* Object to handle advanced MTU negotiation and datagram fragmentation */
+ struct fragment_master *fragment;
+ struct frame frame_fragment;
+- struct frame frame_fragment_initial;
+- struct frame frame_fragment_omit;
+#endif
+
+ /*
+--
+2.42.0.windows.2
+
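Review bot: The openvpn.h hunk also removes `frame_fragment_omit`, which neither the subject nor the body of the backported commit mentions and which is unrelated to the restore path being deleted; on a 2.6.2 tree this is only safe if nothing still references the member (a failed compile of init.c or forward.c would be the symptom), so a one-line remark in the backport header such as `Also drops the unused frame_fragment_omit member, as upstream did` would make the scope of the backport explicit. In the forward.c hunk the removed block was the only visible consumer of `opcode` in `process_incoming_link_part1`; if 2.6.2 has no other use of it the variable becomes unused and warning-as-error builds will complain, which cannot be confirmed here because that function starts and ends outside the hunk. The new assignment in `do_init_fragment` is now the only place `frame_fragment` is seeded, which is what moves it after the fragment options are parsed and removes the zero divisor the message describes.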
diff --git a/backport-CVE-2023-46850.patch b/backport-CVE-2023-46850.patch
new file mode 100644
index 0000000000000000000000000000000000000000..fd60e8f14319829e8211b100166bb250464cac7a
--- /dev/null
+++ b/backport-CVE-2023-46850.patch
@@ -0,0 +1,55 @@
+From 57a5cd1e12f193927c9b7429f8778fec7e04c50a Mon Sep 17 00:00:00 2001
+From: Arne Schwabe
+Date: Fri, 27 Oct 2023 14:19:37 +0200
+Subject: [PATCH] Fix using to_link buffer after freed
+
+When I refactored the tls_state_change method in
+9a7b95fda5 I accidentally changed a break into
+a return true while it should return a false.
+
+The code here is extremely fragile in the sense
+that it assumes that settings a keystate to S_ERROR
+cannot have any outgoing buffer or we will have a
+use after free. The previous break and now restored
+return false ensure this by skipping any further
+tls_process_state loops that might set to ks->S_ERROR
+and ensure that the to_link is sent out and cleared
+before having more loops in tls_state_change.
+
+CVE: 2023-46850
+
+This affects everyone, even with tls-auth/tls-crypt enabled.
+
+Change-Id: I2a0f1c665d992da8e24a421ff0ddcb40f7945ea8
+Signed-off-by: Arne Schwabe
+Acked-by: David Sommerseth
+Acked-by: Heiko Hund
+Message-Id: <20231108124947.76816-3-gert@greenie.muc.de>
+URL: https://www.mail-archive.com/search?l=mid&q=20231108124947.76816-3-gert@greenie.muc.de
+Signed-off-by: Gert Doering
+---
+ src/openvpn/ssl.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
+index 022dc79f..9e0ad020 100644
+--- a/src/openvpn/ssl.c
++++ b/src/openvpn/ssl.c
+@@ -2906,7 +2906,13 @@ tls_process_state(struct tls_multi *multi,
+ CONTROL_SEND_ACK_MAX, true);
+ *to_link = b;
+ dmsg(D_TLS_DEBUG, "Reliable -> TCP/UDP");
+- return true;
++
++ /* This changed the state of the outgoing buffer. In order to avoid
++ * running this function again/further and invalidating the key_state
++ * buffer and accessing the buffer that is now in to_link after it being
++ * freed for a potential error, we shortcircuit exiting of the outer
++ * process here. */
++ return false;
+ }
+
+ /* Write incoming ciphertext to TLS object */
+--
+2.42.0.windows.2
+
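Review bot: The comment added above `return false` states the intent only indirectly ("shortcircuit exiting of the outer process"), while the invariant the commit message relies on is that a key state moved to S_ERROR must not still own an outgoing buffer; I would say that directly, e.g. `/* *to_link now references a key_state buffer that a later S_ERROR transition would free; return false so the caller sends it before tls_process_state is entered again. */`. `tls_process_state` begins and ends outside this hunk, so the other paths that leave `*to_link` set are not visible here; a one-line comment at those sites naming the same ownership rule would make it harder to reintroduce the `return true` regression in a future refactor.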
diff --git a/openvpn.spec b/openvpn.spec
index 5beb40b2a65da3d513b04e5b114b5fada80b40d6..9c525c2605e8e06785de1f6f8849b594f495ede3 100644
--- a/openvpn.spec
+++ b/openvpn.spec
@@ -1,11 +1,13 @@
 Name: openvpn
 Version: 2.6.2
-Release: 1
+Release: 2
 Summary: A full-featured open source SSL VPN solution
 License: GPL-2.0-or-later and OpenSSL and SSLeay
 URL: https://community.openvpn.net/openvpn
 Source0: https://build.openvpn.net/downloads/releases/%{name}-%{version}.tar.gz
 Patch0: openvpn-2.4-change-tmpfiles-permissions.patch
+Patch1: backport-CVE-2023-46849.patch
+Patch2: backport-CVE-2023-46850.patch
 BuildRequires: openssl-devel lz4-devel systemd-devel lzo-devel gcc
 BuildRequires: iproute pam-devel pkcs11-helper-devel >= 1.11
 BuildRequires: libselinux-devel
@@ -124,6 +126,9 @@ fi
 %{_mandir}/man5/openvpn-examples.5.gz
 
 %changelog
+* Wed Nov 22 2023 liningjie - 2.6.2-2
+- Fix CVE-2023-46849 CVE-2023-46850
+
 * Thu Apr 20 2023 xu_ping <707078654@qq.com> - 2.6.2-1
 - Update to 2.6.2
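Review bot: `Patch1` and `Patch2` are declared in the first hunk, but the `%prep` section is not part of this diff, so it is not visible whether they are actually applied; if `%prep` uses explicit `%patch0 -p1` lines rather than `%autosetup -p1`, the build succeeds without either CVE fix and the `Release: 2` package ships unfixed, so add `%patch1 -p1` and `%patch2 -p1` (or the `%patch -P` spelling the distro's rpm expects) unless `%autosetup` already covers them. A `-p1` strip is the right depth, since both patch files use `a/src/openvpn/...` paths. In the `%changelog` hunk the new entry omits the email address that the previous entry carries; `* Wed Nov 22 2023 liningjie <[email placeholder]> - 2.6.2-2` would keep the entries consistent.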