authorHaixiao Yan <haixiao.yan.cn@windriver.com>2024-11-13 19:08:12 +0800
committerArmin Kuster <akuster808@gmail.com>2024-12-08 14:39:17 -0500
commitadf635944c6a2f63b5772ceaa5411be84a9b3711 (patch)
treec1c2fe10da4da41d86aab1098b03b6a745e8dc28
parent2d6512b422b691f26a7a77ba564862ee2ff74fc5 (diff)
downloadmeta-openembedded-adf635944c6a2f63b5772ceaa5411be84a9b3711.tar.gz
openvpn: upgrade 2.5.6 -> 2.5.11
License-Update: Add Apache2 linking for new commits [1]

ChangeLog: https://github.com/OpenVPN/openvpn/blob/v2.5.11/Changes.rst

Security fixes:
CVE-2024-5594: control channel: refuse control channel messages with nonprintable characters in them.
Security scope: a malicious openvpn peer can send garbage to openvpn log, or cause high CPU load.

[1] https://github.com/OpenVPN/openvpn/commit/4a89a55b8a9d6193957711bef74228796a185179

Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
-rw-r--r--meta-networking/recipes-support/openvpn/openvpn/CVE-2024-24974.patch49
-rw-r--r--meta-networking/recipes-support/openvpn/openvpn/CVE-2024-27459.patch99
-rw-r--r--meta-networking/recipes-support/openvpn/openvpn/CVE-2024-27903.patch119
-rw-r--r--meta-networking/recipes-support/openvpn/openvpn_2.5.11.bb (renamed from meta-networking/recipes-support/openvpn/openvpn_2.5.6.bb)7
4 files changed, 2 insertions, 272 deletions
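--- a/meta-networking/recipes-support/openvpn/openvpn/CVE-2024-24974.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From 2c1de0f0803360c0a6408f754066bd3a6fb28237 Mon Sep 17 00:00:00 2001
-From: Lev Stipakov <lstipakov@gmail.com>
-Date: Tue, 19 Mar 2024 17:16:07 +0200
-Subject: [PATCH] interactive.c: disable remote access to the service pipe
-
-Remote access to the service pipe is not needed and might
-be a potential attack vector.
-
-For example, if an attacker manages to get credentials for
-a user which is the member of "OpenVPN Administrators" group
-on a victim machine, an attacker might be able to communicate
-with the privileged interactive service on a victim machine
-and start openvpn processes remotely.
-
-CVE: 2024-24974
-
-Microsoft case number: 85925
-
-Reported-by: Vladimir Tokarev <vtokarev@microsoft.com>
-Change-Id: I8739c5f127e9ca0683fcdbd099dba9896ae46277
-Signed-off-by: Lev Stipakov <lev@openvpn.net>
-Acked-by: Heiko Hund <heiko@openvpn.net>
-Message-Id: <20240319151723.936-2-lev@openvpn.net>
-URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28419.html
-Signed-off-by: Gert Doering <gert@greenie.muc.de>
-
-CVE:CVE-2024-24974
-Upstream-Status: Backport [https://github.com/OpenVPN/openvpn/commit/2c1de0f0803360c0a6408f754066bd3a6fb28237]
-
-Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
----
- src/openvpnserv/interactive.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c
-index 3b120ae..5e3ff12 100644
---- a/src/openvpnserv/interactive.c
-+++ b/src/openvpnserv/interactive.c
-@@ -1994,7 +1994,7 @@ CreateClientPipeInstance(VOID)
-
- openvpn_sntprintf(pipe_name, _countof(pipe_name), TEXT("\\\\.\\pipe\\" PACKAGE "%s\\service"), service_instance);
- pipe = CreateNamedPipe(pipe_name, flags,
-- PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE,
-+ PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE | PIPE_REJECT_REMOTE_CLIENTS,
- PIPE_UNLIMITED_INSTANCES, 1024, 1024, 0, NULL);
- if (pipe == INVALID_HANDLE_VALUE)
- {
---
-2.40.0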
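--- a/meta-networking/recipes-support/openvpn/openvpn/CVE-2024-27459.patch
+++ /dev/null
@@ -1,99 +0,0 @@
-From 989b22cb6e007fd1addcfaf7d12f4fec9fbc9639 Mon Sep 17 00:00:00 2001
-From: Lev Stipakov <lstipakov@gmail.com>
-Date: Tue, 19 Mar 2024 17:27:11 +0200
-Subject: [PATCH] interactive.c: Fix potential stack overflow issue
-When reading message from the pipe, we first peek the pipe to get the size
-of the message waiting to be read and then read the message. A compromised
-OpenVPN process could send an excessively large message, which would result
-in a stack-allocated message buffer overflow.
-
-To address this, we terminate the misbehaving process if the peeked message
-size exceeds the maximum allowable size.
-
-CVE: 2024-27459
-Microsoft case number: 85932
-
-Reported-by: Vladimir Tokarev <vtokarev@microsoft.com>
-Change-Id: Ib5743cba0741ea11f9ee62c4978b2c6789b81ada
-Signed-off-by: Lev Stipakov <lev@openvpn.net>
-Acked-by: Heiko Hund <heiko@openvpn.net>
-Message-Id: <20240319152803.1801-2-lev@openvpn.net>
-URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28420.html
-Signed-off-by: Gert Doering <gert@greenie.muc.de>
-
-CVE:CVE-2024-27459
-Upstream-Status: Backport [https://github.com/OpenVPN/openvpn/commit/989b22cb6e007fd1addcfaf7d12f4fec9fbc9639]
-
-Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
----
- src/openvpnserv/interactive.c | 34 +++++++++++++++++++++-------------
- 1 file changed, 21 insertions(+), 13 deletions(-)
-
-diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c
-index 5e3ff12..f613b99 100644
---- a/src/openvpnserv/interactive.c
-+++ b/src/openvpnserv/interactive.c
-@@ -111,6 +111,18 @@ typedef struct {
- HANDLE device;
- } ring_buffer_handles_t;
-
-+typedef union {
-+ message_header_t header;
-+ address_message_t address;
-+ route_message_t route;
-+ flush_neighbors_message_t flush_neighbors;
-+ block_dns_message_t block_dns;
-+ dns_cfg_message_t dns;
-+ enable_dhcp_message_t dhcp;
-+ register_ring_buffers_message_t rrb;
-+ set_mtu_message_t mtu;
-+ wins_cfg_message_t wins;
-+} pipe_message_t;
-
- static DWORD
- AddListItem(list_item_t **pfirst, LPVOID data)
-@@ -1444,18 +1456,7 @@ static VOID
- HandleMessage(HANDLE pipe, HANDLE ovpn_proc, ring_buffer_handles_t *ring_buffer_handles,
- DWORD bytes, DWORD count, LPHANDLE events, undo_lists_t *lists)
- {
-- DWORD read;
-- union {
-- message_header_t header;
-- address_message_t address;
-- route_message_t route;
-- flush_neighbors_message_t flush_neighbors;
-- block_dns_message_t block_dns;
-- dns_cfg_message_t dns;
-- enable_dhcp_message_t dhcp;
-- register_ring_buffers_message_t rrb;
-- set_mtu_message_t mtu;
-- } msg;
-+ pipe_message_t msg;
- ack_message_t ack = {
- .header = {
- .type = msg_acknowledgement,
-@@ -1465,7 +1466,7 @@ HandleMessage(HANDLE pipe, HANDLE ovpn_proc, ring_buffer_handles_t *ring_buffer_
- .error_number = ERROR_MESSAGE_DATA
- };
-
-- read = ReadPipeAsync(pipe, &msg, bytes, count, events);
-+ DWORD read = ReadPipeAsync(pipe, &msg, bytes, count, events);
- if (read != bytes || read < sizeof(msg.header) || read != msg.header.size)
- {
- goto out;
-@@ -1884,6 +1885,13 @@ RunOpenvpn(LPVOID p)
- break;
- }
-
-+ if (bytes > sizeof(pipe_message_t))
-+ {
-+ /* process at the other side of the pipe is misbehaving, shut it down */
-+ MsgToEventLog(MSG_FLAGS_ERROR, TEXT("OpenVPN process sent too large payload length to the pipe (%lu bytes), it will be terminated"), bytes);
-+ break;
-+ }
-+
- HandleMessage(ovpn_pipe, proc_info.hProcess, &ring_buffer_handles, bytes, 1, &exit_event, &undo_lists);
- }
-
---
-2.40.0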
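--- a/meta-networking/recipes-support/openvpn/openvpn/CVE-2024-27903.patch
+++ /dev/null
@@ -1,119 +0,0 @@
-From aaea545d8a940f761898d736b68bcb067d503b1d Mon Sep 17 00:00:00 2001
-From: Lev Stipakov <lstipakov@gmail.com>
-Date: Tue, 19 Mar 2024 15:53:45 +0200
-Subject: [PATCH] win32: Enforce loading of plugins from a trusted directory
-
-Currently, there's a risk associated with allowing plugins to be loaded from
-any location. This update ensures plugins are only loaded from a trusted
-directory, which is either:
-
- - HKLM\SOFTWARE\OpenVPN\plugin_dir (or if the key is missing,
- then HKLM\SOFTWARE\OpenVPN, which is installation directory)
-
- - System directory
-
-Loading from UNC paths is disallowed.
-
-Note: This change affects only Windows environments.
-
-CVE: 2024-27903
-
-Change-Id: I154a4aaad9242c9253a64312a14c5fd2ea95f40d
-Reported-by: Vladimir Tokarev <vtokarev@microsoft.com>
-Signed-off-by: Lev Stipakov <lev@openvpn.net>
-Acked-by: Selva Nair <selva.nair@gmail.com>
-Message-Id: <20240319135355.1279-2-lev@openvpn.net>
-URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28416.html
-Signed-off-by: Gert Doering <gert@greenie.muc.de>
-
-CVE:CVE-2024-27903
-Upstream-Status: Backport [https://github.com/OpenVPN/openvpn/commit/aaea545d8a940f761898d736b68bcb067d503b1d]
-
-Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
----
- src/openvpn/plugin.c | 18 +++++++++++++++---
- src/openvpn/win32.c | 21 +++++++++------------
- 2 files changed, 24 insertions(+), 15 deletions(-)
-
-diff --git a/src/openvpn/plugin.c b/src/openvpn/plugin.c
-index ed5d7c0..f7315f4 100644
---- a/src/openvpn/plugin.c
-+++ b/src/openvpn/plugin.c
-@@ -279,11 +279,23 @@ plugin_init_item(struct plugin *p, const struct plugin_option *o)
-
- #else /* ifndef _WIN32 */
-
-- rel = !platform_absolute_pathname(p->so_pathname);
-- p->module = LoadLibraryW(wide_string(p->so_pathname, &gc));
-+ WCHAR *wpath = wide_string(p->so_pathname, &gc);
-+ WCHAR normalized_plugin_path[MAX_PATH] = {0};
-+ /* Normalize the plugin path, converting any relative paths to absolute paths. */
-+ if (!GetFullPathNameW(wpath, MAX_PATH, normalized_plugin_path, NULL))
-+ {
-+ msg(M_ERR, "PLUGIN_INIT: could not load plugin DLL: %ls. Failed to normalize plugin path.", wpath);
-+ }
-+
-+ if (!plugin_in_trusted_dir(normalized_plugin_path))
-+ {
-+ msg(M_FATAL, "PLUGIN_INIT: could not load plugin DLL: %ls. The DLL is not in a trusted directory.", normalized_plugin_path);
-+ }
-+
-+ p->module = LoadLibraryW(normalized_plugin_path);
- if (!p->module)
- {
-- msg(M_ERR, "PLUGIN_INIT: could not load plugin DLL: %s", p->so_pathname);
-+ msg(M_ERR, "PLUGIN_INIT: could not load plugin DLL: %ls", normalized_plugin_path);
- }
-
- #define PLUGIN_SYM(var, name, flags) dll_resolve_symbol(p->module, (void *)&p->var, name, p->so_pathname, flags)
-diff --git a/src/openvpn/win32.c b/src/openvpn/win32.c
-index e91e742..1e61ffa 100644
---- a/src/openvpn/win32.c
-+++ b/src/openvpn/win32.c
-@@ -1532,27 +1532,24 @@ openvpn_swprintf(wchar_t *const str, const size_t size, const wchar_t *const for
- return (len >= 0 && len < size);
- }
-
--static BOOL
--get_install_path(WCHAR *path, DWORD size)
-+bool
-+get_openvpn_reg_value(const WCHAR *key, WCHAR *value, DWORD size)
- {
- WCHAR reg_path[256];
-- HKEY key;
-- BOOL res = FALSE;
-+ HKEY hkey;
- openvpn_swprintf(reg_path, _countof(reg_path), L"SOFTWARE\\" PACKAGE_NAME);
-
-- LONG status = RegOpenKeyExW(HKEY_LOCAL_MACHINE, reg_path, 0, KEY_READ, &key);
-+ LONG status = RegOpenKeyExW(HKEY_LOCAL_MACHINE, reg_path, 0, KEY_READ, &hkey);
- if (status != ERROR_SUCCESS)
- {
-- return res;
-+ return false;
- }
-
-- /* The default value of REG_KEY is the install path */
-- status = RegGetValueW(key, NULL, NULL, RRF_RT_REG_SZ, NULL, (LPBYTE)path, &size);
-- res = status == ERROR_SUCCESS;
-+ status = RegGetValueW(hkey, NULL, key, RRF_RT_REG_SZ, NULL, (LPBYTE)value, &size);
-
-- RegCloseKey(key);
-+ RegCloseKey(hkey);
-
-- return res;
-+ return status == ERROR_SUCCESS;
- }
-
- static void
-@@ -1561,7 +1558,7 @@ set_openssl_env_vars()
- const WCHAR *ssl_fallback_dir = L"C:\\Windows\\System32";
-
- WCHAR install_path[MAX_PATH] = { 0 };
-- if (!get_install_path(install_path, _countof(install_path)))
-+ if (!get_openvpn_reg_value(NULL, install_path, _countof(install_path)))
- {
- /* if we cannot find installation path from the registry,
- * use Windows directory as a fallback
---
-2.40.0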
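--- a/meta-networking/recipes-support/openvpn/openvpn_2.5.6.bb
+++ b/meta-networking/recipes-support/openvpn/openvpn_2.5.11.bb
@@ -2,7 +2,7 @@ SUMMARY = "A full-featured SSL VPN solution via tun device."
 HOMEPAGE = "https://openvpn.net/"
 SECTION = "net"
 LICENSE = "GPL-2.0-only"
-LIC_FILES_CHKSUM = "file://COPYING;md5=b76abd82c14ee01cc34c4ff5e3627b89"
+LIC_FILES_CHKSUM = "file://COPYING;md5=132de9241e3147d49dbaead12acb0b22"
 DEPENDS = "lzo openssl iproute2 ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
 
 inherit autotools systemd update-rc.d
@@ -11,14 +11,11 @@ SRC_URI = "http://swupdate.openvpn.org/community/releases/${BP}.tar.gz \
  file://openvpn \
  file://openvpn@.service \
  file://openvpn-volatile.conf \
- file://CVE-2024-24974.patch \
- file://CVE-2024-27459.patch \
- file://CVE-2024-27903.patch \
 "
 
 UPSTREAM_CHECK_URI = "https://openvpn.net/community-downloads"
 
-SRC_URI[sha256sum] = "333a7ef3d5b317968aca2c77bdc29aa7c6d6bb3316eb3f79743b59c53242ad3d"
+SRC_URI[sha256sum] = "7e2672119bd4639819d560f332a8b9b7e28f562425c77899f36d419fe4265f56"
 
 # CVE-2020-7224 and CVE-2020-27569 are for Aviatrix OpenVPN client, not for openvpn.
 CVE_CHECK_IGNORE += "CVE-2020-7224 CVE-2020-27569"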
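Review bot: The three `file://CVE-2024-*.patch` entries are dropped from SRC_URI in the second hunk, but neither the commit message nor the recipe records that those fixes are contained in the 2.5.11 tarball, so a reader of this commit alone cannot tell whether the backports were superseded upstream or simply lost. The description already explains the LIC_FILES_CHKSUM change and names CVE-2024-5594; a matching line for the removals, such as `Drop the CVE-2024-24974, CVE-2024-27459 and CVE-2024-27903 backports, which are included in the new upstream release`, would keep the cve-check history traceable — confirm against the linked Changes.rst before asserting it. If any of the three turned out not to be in 2.5.11, the recipe would silently regress on those issues, which is the reason a reviewer wants the statement in the commit rather than inferred.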