diff --git a/backport-CVE-2023-46849.patch b/backport-CVE-2023-46849.patch
deleted file mode 100644
index 588037313c07cb4dd1b00406cb7672ed0097666e..0000000000000000000000000000000000000000
--- a/backport-CVE-2023-46849.patch
+++ /dev/null
@@ -1,116 +0,0 @@
-From 1cfca659244e362f372d9843351257f456392a2f Mon Sep 17 00:00:00 2001
-From: Arne Schwabe
-Date: Thu, 19 Oct 2023 15:14:33 +0200
-Subject: [PATCH] Remove saving initial frame code
-
-This code was necessary before the frame/buffer refactoring as we
-always did relative adjustment to the frame.
-
-This also fixes also that previously initial_frame was initialised too
-early before the fragment related options were initialised and contained
-0 for the maximum frame size. This resulted in a DIV by 0 that caused an
-abort on platforms that throw an exception for that.
-
-CVE: 2023-46849
-
-Only people with --fragment in their config are affected
-
-Change-Id: Icc612bab5700879606290639e1b8773f61ec670d
-Signed-off-by: Arne Schwabe
-Acked-by: David Sommerseth
-Acked-by: Heiko Hund
-Message-Id: <20231108124947.76816-1-gert@greenie.muc.de>
-URL: https://www.mail-archive.com/search?l=mid&q=20231108124947.76816-1-gert@greenie.muc.de
-Signed-off-by: Gert Doering
----
- src/openvpn/forward.c | 9 ---------
- src/openvpn/init.c | 19 ++++++++-----------
- src/openvpn/openvpn.h | 3 ---
- 3 files changed, 8 insertions(+), 23 deletions(-)
-
-diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
-index 2510410f..0443ca0a 100644
---- a/src/openvpn/forward.c
-+++ b/src/openvpn/forward.c
-@@ -1078,15 +1078,6 @@ process_incoming_link_part1(struct context *c, struct link_socket_info *lsi, boo
- if (tls_pre_decrypt(c->c2.tls_multi, &c->c2.from, &c->c2.buf, &co,
- floated, &ad_start))
- {
-- /* Restore pre-NCP frame parameters */
-- if (is_hard_reset_method2(opcode))
-- {
-- c->c2.frame = c->c2.frame_initial;
--#ifdef ENABLE_FRAGMENT
-- c->c2.frame_fragment = c->c2.frame_fragment_initial;
--#endif
-- }
--
- interval_action(&c->c2.tmp_int);
-
- /* reset packet received timer if TLS packet */
-diff --git a/src/openvpn/init.c b/src/openvpn/init.c
-index 6fb6900d..079c4f5e 100644
---- a/src/openvpn/init.c
-+++ b/src/openvpn/init.c
-@@ -3547,15 +3547,6 @@ do_init_frame(struct context *c)
- */
- frame_finalize_options(c, NULL);
-
--#ifdef ENABLE_FRAGMENT
-- /*
-- * Set frame parameter for fragment code. This is necessary because
-- * the fragmentation code deals with payloads which have already been
-- * passed through the compression code.
-- */
-- c->c2.frame_fragment = c->c2.frame;
-- c->c2.frame_fragment_initial = c->c2.frame_fragment;
--#endif
-
- #if defined(ENABLE_FRAGMENT)
- /*
-@@ -3751,6 +3742,14 @@ static void
- do_init_fragment(struct context *c)
- {
- ASSERT(c->options.ce.fragment);
-+
-+ /*
-+ * Set frame parameter for fragment code. This is necessary because
-+ * the fragmentation code deals with payloads which have already been
-+ * passed through the compression code.
-+ */
-+ c->c2.frame_fragment = c->c2.frame;
-+
- frame_calculate_dynamic(&c->c2.frame_fragment, &c->c1.ks.key_type,
- &c->options, get_link_socket_info(c));
- fragment_frame_init(c->c2.fragment, &c->c2.frame_fragment);
-@@ -4658,8 +4657,6 @@ init_instance(struct context *c, const struct env_set *env, const unsigned int f
- c->c2.did_open_tun = do_open_tun(c, &error_flags);
- }
-
-- c->c2.frame_initial = c->c2.frame;
--
- /* print MTU info */
- do_print_data_channel_mtu_parms(c);
-
-diff --git a/src/openvpn/openvpn.h b/src/openvpn/openvpn.h
-index 077effeb..5b2be63f 100644
---- a/src/openvpn/openvpn.h
-+++ b/src/openvpn/openvpn.h
-@@ -249,14 +249,11 @@ struct context_2
-
- /* MTU frame parameters */
- struct frame frame; /* Active frame parameters */
-- struct frame frame_initial; /* Restored on new session */
-
- #ifdef ENABLE_FRAGMENT
- /* Object to handle advanced MTU negotiation and datagram fragmentation */
- struct fragment_master *fragment;
- struct frame frame_fragment;
-- struct frame frame_fragment_initial;
-- struct frame frame_fragment_omit;
- #endif
-
- /*
--- 
-2.42.0.windows.2
-
diff --git a/backport-CVE-2023-46850.patch b/backport-CVE-2023-46850.patch
deleted file mode 100644
index fd60e8f14319829e8211b100166bb250464cac7a..0000000000000000000000000000000000000000
--- a/backport-CVE-2023-46850.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From 57a5cd1e12f193927c9b7429f8778fec7e04c50a Mon Sep 17 00:00:00 2001
-From: Arne Schwabe
-Date: Fri, 27 Oct 2023 14:19:37 +0200
-Subject: [PATCH] Fix using to_link buffer after freed
-
-When I refactored the tls_state_change method in
-9a7b95fda5 I accidentally changed a break into
-a return true while it should return a false.
-
-The code here is extremely fragile in the sense
-that it assumes that settings a keystate to S_ERROR
-cannot have any outgoing buffer or we will have a
-use after free. The previous break and now restored
-return false ensure this by skipping any further
-tls_process_state loops that might set to ks->S_ERROR
-and ensure that the to_link is sent out and cleared
-before having more loops in tls_state_change.
-
-CVE: 2023-46850
-
-This affects everyone, even with tls-auth/tls-crypt enabled.
-
-Change-Id: I2a0f1c665d992da8e24a421ff0ddcb40f7945ea8
-Signed-off-by: Arne Schwabe
-Acked-by: David Sommerseth
-Acked-by: Heiko Hund
-Message-Id: <20231108124947.76816-3-gert@greenie.muc.de>
-URL: https://www.mail-archive.com/search?l=mid&q=20231108124947.76816-3-gert@greenie.muc.de
-Signed-off-by: Gert Doering
----
- src/openvpn/ssl.c | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
-index 022dc79f..9e0ad020 100644
---- a/src/openvpn/ssl.c
-+++ b/src/openvpn/ssl.c
-@@ -2906,7 +2906,13 @@ tls_process_state(struct tls_multi *multi,
- CONTROL_SEND_ACK_MAX, true);
- *to_link = b;
- dmsg(D_TLS_DEBUG, "Reliable -> TCP/UDP");
-- return true;
-+
-+ /* This changed the state of the outgoing buffer. In order to avoid
-+ * running this function again/further and invalidating the key_state
-+ * buffer and accessing the buffer that is now in to_link after it being
-+ * freed for a potential error, we shortcircuit exiting of the outer
-+ * process here. */
-+ return false;
- }
-
- /* Write incoming ciphertext to TLS object */
--- 
-2.42.0.windows.2
-
diff --git a/openvpn-2.6.2.tar.gz b/openvpn-2.6.2.tar.gz
deleted file mode 100644
index da8b093f18c41ea845168bc9a02076623b43e2f1..0000000000000000000000000000000000000000
Binary files a/openvpn-2.6.2.tar.gz and /dev/null differ
diff --git a/openvpn-2.6.8.tar.gz b/openvpn-2.6.8.tar.gz
new file mode 100644
index 0000000000000000000000000000000000000000..04b9e1b3c7d411eb5e85260929740f7e7ef2efd0
Binary files /dev/null and b/openvpn-2.6.8.tar.gz differ
diff --git a/openvpn.spec b/openvpn.spec
index 9c525c2605e8e06785de1f6f8849b594f495ede3..b406940be4bacfa00273c30ca9edda2c318add87 100644
--- a/openvpn.spec
+++ b/openvpn.spec
@@ -1,13 +1,11 @@
 Name: openvpn
-Version: 2.6.2
-Release: 2
+Version: 2.6.8
+Release: 1
 Summary: A full-featured open source SSL VPN solution
 License: GPL-2.0-or-later and OpenSSL and SSLeay
-URL: https://community.openvpn.net/openvpn
+URL: https://community.openvpn.net/openvpn
 Source0: https://build.openvpn.net/downloads/releases/%{name}-%{version}.tar.gz
 Patch0: openvpn-2.4-change-tmpfiles-permissions.patch
-Patch1: backport-CVE-2023-46849.patch
-Patch2: backport-CVE-2023-46850.patch
 BuildRequires: openssl-devel lz4-devel systemd-devel lzo-devel gcc
 BuildRequires: iproute pam-devel pkcs11-helper-devel >= 1.11
 BuildRequires: libselinux-devel
@@ -126,6 +124,9 @@ fi
 %{_mandir}/man5/openvpn-examples.5.gz
 %changelog
+* Mon Jan 08 2024 Ge Wang - 2.6.8-1
+- Update to version 2.6.8
+
 * Wed Nov 22 2023 liningjie - 2.6.2-2
 - Fix CVE-2023-46849 CVE-2023-46850
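Review bot: The new changelog entry `+- Update to version 2.6.8` does not say why `Patch1: backport-CVE-2023-46849.patch` and `Patch2: backport-CVE-2023-46850.patch` are dropped in the first spec hunk, so the package's audit trail for those two CVEs ends at the 2.6.2-2 entry. The dropped files are format-patch exports of the upstream OpenVPN commits, and the removal is presumably justified because the 2.6.8 tarball already carries both fixes, but that is an inference a reader of the spec cannot confirm from the changelog alone. Adding a second line such as `- Drop backport-CVE-2023-46849.patch and backport-CVE-2023-46850.patch, fixed upstream in 2.6.8` lets anyone verifying CVE coverage of the package answer it from the changelog instead of diffing the tarball. If the fixes are not in fact contained in 2.6.8, the two patches must be kept and rebased rather than removed.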