diff options
| author | Haixiao Yan <haixiao.yan.cn@windriver.com> | 2024-11-11 14:41:19 +0800 |
|---|---|---|
| committer | Armin Kuster <akuster808@gmail.com> | 2024-11-24 17:37:58 -0500 |
| commit | 3d234d9a1276255911c9eb41315e7251d62ac2c7 (patch) | |
| tree | a9d48a4502e520a154c9207bea64df07266b6081 | |
| parent | 60fc5f65e1530f3a2e5d6e76b9799091d8763127 (diff) | |
| download | meta-openembedded-3d234d9a1276255911c9eb41315e7251d62ac2c7.tar.gz | |
openvpn: upgrade 2.6.10 -> 2.6.12
ChangeLog:
https://github.com/OpenVPN/openvpn/blob/v2.6.12/Changes.rst
Security fixes:
CVE-2024-4877: Windows: harden interactive service pipe.
Security scope: a malicious process with "some" elevated privileges
(SeImpersonatePrivilege) could open the pipe a second time,
tricking openvn GUI into providing user credentials (tokens),
getting full access to the account openvpn-gui.exe runs as.
CVE-2024-5594: control channel: refuse control channel messages with
nonprintable characters in them.
Security scope: a malicious openvpn peer can send garbage to openvpn log,
or cause high CPU load.
CVE-2024-28882: only call schedule_exit() once (on a given peer).
Security scope: an authenticated client can make the server "keep the
session" even when the server has been told to disconnect this client.
Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
[Drop CVE-2024-28882 patch not yet in stable]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| -rw-r--r-- | meta-networking/recipes-support/openvpn/openvpn/CVE-2024-28882.patch | 144 | ||||
| -rw-r--r-- | meta-networking/recipes-support/openvpn/openvpn_2.6.12.bb (renamed from meta-networking/recipes-support/openvpn/openvpn_2.6.10.bb) | 3 |
2 files changed, 1 insertions, 146 deletions
diff --git a/meta-networking/recipes-support/openvpn/openvpn/CVE-2024-28882.patch b/meta-networking/recipes-support/openvpn/openvpn/CVE-2024-28882.patch deleted file mode 100644 index 0b016c89e2..0000000000 --- a/meta-networking/recipes-support/openvpn/openvpn/CVE-2024-28882.patch +++ /dev/null | |||
| @@ -1,144 +0,0 @@ | |||
| 1 | From 6b0859f669729f4fd328d80bc5c7b4dbbdbf0280 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: =?UTF-8?q?Reynir=20Bj=C3=B6rnsson?= <reynir@reynir.dk> | ||
| 3 | Date: Thu, 16 May 2024 13:58:08 +0200 | ||
| 4 | Subject: [PATCH] Only schedule_exit() once | ||
| 5 | MIME-Version: 1.0 | ||
| 6 | Content-Type: text/plain; charset=UTF-8 | ||
| 7 | Content-Transfer-Encoding: 8bit | ||
| 8 | |||
| 9 | If an exit has already been scheduled we should not schedule it again. | ||
| 10 | Otherwise, the exit signal is never emitted if the peer reschedules the | ||
| 11 | exit before the timeout occurs. | ||
| 12 | |||
| 13 | schedule_exit() now only takes the context as argument. The signal is | ||
| 14 | hard coded to SIGTERM, and the interval is read directly from the | ||
| 15 | context options. | ||
| 16 | |||
| 17 | Furthermore, schedule_exit() now returns a bool signifying whether an | ||
| 18 | exit was scheduled; false if exit is already scheduled. The call sites | ||
| 19 | are updated accordingly. A notable difference is that management is only | ||
| 20 | notified *once* when an exit is scheduled - we no longer notify | ||
| 21 | management on redundant exit. | ||
| 22 | |||
| 23 | This patch was assigned a CVE number after already reviewed and ACKed, | ||
| 24 | because it was discovered that a misbehaving client can use the (now | ||
| 25 | fixed) server behaviour to avoid being disconnected by means of a | ||
| 26 | managment interface "client-kill" command - the security issue here is | ||
| 27 | "client can circumvent security policy set by management interface". | ||
| 28 | |||
| 29 | This only affects previously authenticated clients, and only management | ||
| 30 | client-kill, so normal renegotion / AUTH_FAIL ("your session ends") is not | ||
| 31 | affected. | ||
| 32 | |||
| 33 | CVE: 2024-28882 | ||
| 34 | |||
| 35 | Change-Id: I9457f005f4ba970502e6b667d9dc4299a588d661 | ||
| 36 | Signed-off-by: Reynir Björnsson <reynir@reynir.dk> | ||
| 37 | Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org> | ||
| 38 | Message-Id: <20240516120434.23499-1-gert@greenie.muc.de> | ||
| 39 | URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28679.html | ||
| 40 | Signed-off-by: Gert Doering <gert@greenie.muc.de> | ||
| 41 | |||
| 42 | CVE: CVE-2024-28882 | ||
| 43 | Upstream-Status: Backport [https://github.com/OpenVPN/openvpn/commit/55bb3260c12bae33b6a8eac73cbb6972f8517411] | ||
| 44 | |||
| 45 | Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com> | ||
| 46 | --- | ||
| 47 | src/openvpn/forward.c | 15 +++++++++++---- | ||
| 48 | src/openvpn/forward.h | 2 +- | ||
| 49 | src/openvpn/push.c | 12 +++++++----- | ||
| 50 | 3 files changed, 19 insertions(+), 10 deletions(-) | ||
| 51 | |||
| 52 | diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c | ||
| 53 | index e9811b9c81de..29e812ffd17d 100644 | ||
| 54 | --- a/src/openvpn/forward.c | ||
| 55 | +++ b/src/openvpn/forward.c | ||
| 56 | @@ -514,17 +514,24 @@ check_server_poll_timeout(struct context *c) | ||
| 57 | } | ||
| 58 | |||
| 59 | /* | ||
| 60 | - * Schedule a signal n_seconds from now. | ||
| 61 | + * Schedule a SIGTERM signal c->options.scheduled_exit_interval seconds from now. | ||
| 62 | */ | ||
| 63 | -void | ||
| 64 | -schedule_exit(struct context *c, const int n_seconds, const int signal) | ||
| 65 | +bool | ||
| 66 | +schedule_exit(struct context *c) | ||
| 67 | { | ||
| 68 | + const int n_seconds = c->options.scheduled_exit_interval; | ||
| 69 | + /* don't reschedule if already scheduled. */ | ||
| 70 | + if (event_timeout_defined(&c->c2.scheduled_exit)) | ||
| 71 | + { | ||
| 72 | + return false; | ||
| 73 | + } | ||
| 74 | tls_set_single_session(c->c2.tls_multi); | ||
| 75 | update_time(); | ||
| 76 | reset_coarse_timers(c); | ||
| 77 | event_timeout_init(&c->c2.scheduled_exit, n_seconds, now); | ||
| 78 | - c->c2.scheduled_exit_signal = signal; | ||
| 79 | + c->c2.scheduled_exit_signal = SIGTERM; | ||
| 80 | msg(D_SCHED_EXIT, "Delayed exit in %d seconds", n_seconds); | ||
| 81 | + return true; | ||
| 82 | } | ||
| 83 | |||
| 84 | /* | ||
| 85 | diff --git a/src/openvpn/forward.h b/src/openvpn/forward.h | ||
| 86 | index 060fc374ca60..245a80292112 100644 | ||
| 87 | --- a/src/openvpn/forward.h | ||
| 88 | +++ b/src/openvpn/forward.h | ||
| 89 | @@ -302,7 +302,7 @@ void reschedule_multi_process(struct context *c); | ||
| 90 | |||
| 91 | void process_ip_header(struct context *c, unsigned int flags, struct buffer *buf); | ||
| 92 | |||
| 93 | -void schedule_exit(struct context *c, const int n_seconds, const int signal); | ||
| 94 | +bool schedule_exit(struct context *c); | ||
| 95 | |||
| 96 | static inline struct link_socket_info * | ||
| 97 | get_link_socket_info(struct context *c) | ||
| 98 | diff --git a/src/openvpn/push.c b/src/openvpn/push.c | ||
| 99 | index 1b406b9c5311..d220eeb97442 100644 | ||
| 100 | --- a/src/openvpn/push.c | ||
| 101 | +++ b/src/openvpn/push.c | ||
| 102 | @@ -204,7 +204,11 @@ receive_exit_message(struct context *c) | ||
| 103 | * */ | ||
| 104 | if (c->options.mode == MODE_SERVER) | ||
| 105 | { | ||
| 106 | - schedule_exit(c, c->options.scheduled_exit_interval, SIGTERM); | ||
| 107 | + if (!schedule_exit(c)) | ||
| 108 | + { | ||
| 109 | + /* Return early when we don't need to notify management */ | ||
| 110 | + return; | ||
| 111 | + } | ||
| 112 | } | ||
| 113 | else | ||
| 114 | { | ||
| 115 | @@ -391,7 +395,7 @@ __attribute__ ((format(__printf__, 4, 5))) | ||
| 116 | void | ||
| 117 | send_auth_failed(struct context *c, const char *client_reason) | ||
| 118 | { | ||
| 119 | - if (event_timeout_defined(&c->c2.scheduled_exit)) | ||
| 120 | + if (!schedule_exit(c)) | ||
| 121 | { | ||
| 122 | msg(D_TLS_DEBUG, "exit already scheduled for context"); | ||
| 123 | return; | ||
| 124 | @@ -401,8 +405,6 @@ send_auth_failed(struct context *c, const char *client_reason) | ||
| 125 | static const char auth_failed[] = "AUTH_FAILED"; | ||
| 126 | size_t len; | ||
| 127 | |||
| 128 | - schedule_exit(c, c->options.scheduled_exit_interval, SIGTERM); | ||
| 129 | - | ||
| 130 | len = (client_reason ? strlen(client_reason)+1 : 0) + sizeof(auth_failed); | ||
| 131 | if (len > PUSH_BUNDLE_SIZE) | ||
| 132 | { | ||
| 133 | @@ -492,7 +494,7 @@ send_auth_pending_messages(struct tls_multi *tls_multi, | ||
| 134 | void | ||
| 135 | send_restart(struct context *c, const char *kill_msg) | ||
| 136 | { | ||
| 137 | - schedule_exit(c, c->options.scheduled_exit_interval, SIGTERM); | ||
| 138 | + schedule_exit(c); | ||
| 139 | send_control_channel_string(c, kill_msg ? kill_msg : "RESTART", D_PUSH); | ||
| 140 | } | ||
| 141 | |||
| 142 | -- | ||
| 143 | 2.34.1 | ||
| 144 | |||
diff --git a/meta-networking/recipes-support/openvpn/openvpn_2.6.10.bb b/meta-networking/recipes-support/openvpn/openvpn_2.6.12.bb index 9b551d3ca2..af237280ea 100644 --- a/meta-networking/recipes-support/openvpn/openvpn_2.6.10.bb +++ b/meta-networking/recipes-support/openvpn/openvpn_2.6.12.bb | |||
| @@ -10,12 +10,11 @@ inherit autotools systemd update-rc.d pkgconfig | |||
| 10 | SRC_URI = "http://swupdate.openvpn.org/community/releases/${BP}.tar.gz \ | 10 | SRC_URI = "http://swupdate.openvpn.org/community/releases/${BP}.tar.gz \ |
| 11 | file://0001-configure.ac-eliminate-build-path-from-openvpn-versi.patch \ | 11 | file://0001-configure.ac-eliminate-build-path-from-openvpn-versi.patch \ |
| 12 | file://openvpn \ | 12 | file://openvpn \ |
| 13 | file://CVE-2024-28882.patch \ | ||
| 14 | " | 13 | " |
| 15 | 14 | ||
| 16 | UPSTREAM_CHECK_URI = "https://openvpn.net/community-downloads" | 15 | UPSTREAM_CHECK_URI = "https://openvpn.net/community-downloads" |
| 17 | 16 | ||
| 18 | SRC_URI[sha256sum] = "1993bbb7b9edb430626eaa24573f881fd3df642f427fcb824b1aed1fca1bcc9b" | 17 | SRC_URI[sha256sum] = "1c610fddeb686e34f1367c347e027e418e07523a10f4d8ce4a2c2af2f61a1929" |
| 19 | 18 | ||
| 20 | CVE_STATUS[CVE-2020-27569] = "not-applicable-config: Applies only Aviatrix OpenVPN client, not openvpn" | 19 | CVE_STATUS[CVE-2020-27569] = "not-applicable-config: Applies only Aviatrix OpenVPN client, not openvpn" |
| 21 | 20 | ||