author | Haixiao Yan <haixiao.yan.cn@windriver.com> | 2024-11-13 19:08:12 +0800 |
committer | Armin Kuster <akuster808@gmail.com> | 2024-12-08 14:39:17 -0500 |
commit | adf635944c6a2f63b5772ceaa5411be84a9b3711 (patch) | |
tree | c1c2fe10da4da41d86aab1098b03b6a745e8dc28 | |
parent | 2d6512b422b691f26a7a77ba564862ee2ff74fc5 (diff) | |
download | meta-openembedded-adf635944c6a2f63b5772ceaa5411be84a9b3711.tar.gz |
openvpn: upgrade 2.5.6 -> 2.5.11
License-Update: Add Apache2 linking for new commits [1]
ChangeLog:
https://github.com/OpenVPN/openvpn/blob/v2.5.11/Changes.rst
Security fixes:
CVE-2024-5594: control channel: refuse control channel messages with
nonprintable characters in them.
Security scope: a malicious openvpn peer can send garbage to openvpn
log, or cause high CPU load.
[1] https://github.com/OpenVPN/openvpn/commit/4a89a55b8a9d6193957711bef74228796a185179
Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
-rw-r--r-- | meta-networking/recipes-support/openvpn/openvpn/CVE-2024-24974.patch | 49 | ||||
-rw-r--r-- | meta-networking/recipes-support/openvpn/openvpn/CVE-2024-27459.patch | 99 | ||||
-rw-r--r-- | meta-networking/recipes-support/openvpn/openvpn/CVE-2024-27903.patch | 119 | ||||
-rw-r--r-- | meta-networking/recipes-support/openvpn/openvpn_2.5.11.bb (renamed from meta-networking/recipes-support/openvpn/openvpn_2.5.6.bb) | 7 |
4 files changed, 2 insertions, 272 deletions
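--- a/meta-networking/recipes-support/openvpn/openvpn/CVE-2024-24974.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From 2c1de0f0803360c0a6408f754066bd3a6fb28237 Mon Sep 17 00:00:00 2001
-From: Lev Stipakov <lstipakov@gmail.com>
-Date: Tue, 19 Mar 2024 17:16:07 +0200
-Subject: [PATCH] interactive.c: disable remote access to the service pipe
-
-Remote access to the service pipe is not needed and might
-be a potential attack vector.
-
-For example, if an attacker manages to get credentials for
-a user which is the member of "OpenVPN Administrators" group
-on a victim machine, an attacker might be able to communicate
-with the privileged interactive service on a victim machine
-and start openvpn processes remotely.
-
-CVE: 2024-24974
-
-Microsoft case number: 85925
-
-Reported-by: Vladimir Tokarev <vtokarev@microsoft.com>
-Change-Id: I8739c5f127e9ca0683fcdbd099dba9896ae46277
-Signed-off-by: Lev Stipakov <lev@openvpn.net>
-Acked-by: Heiko Hund <heiko@openvpn.net>
-Message-Id: <20240319151723.936-2-lev@openvpn.net>
-URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28419.html
-Signed-off-by: Gert Doering <gert@greenie.muc.de>
-
-CVE:CVE-2024-24974
-Upstream-Status: Backport [https://github.com/OpenVPN/openvpn/commit/2c1de0f0803360c0a6408f754066bd3a6fb28237]
-
-Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
----
-src/openvpnserv/interactive.c | 2 +-
-1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c
-index 3b120ae..5e3ff12 100644
---- a/src/openvpnserv/interactive.c
-+++ b/src/openvpnserv/interactive.c
-@@ -1994,7 +1994,7 @@ CreateClientPipeInstance(VOID)
-
-openvpn_sntprintf(pipe_name, _countof(pipe_name), TEXT("\\\\.\\pipe\\" PACKAGE "%s\\service"), service_instance);
-pipe = CreateNamedPipe(pipe_name, flags,
-- PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE,
-+ PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE | PIPE_REJECT_REMOTE_CLIENTS,
-PIPE_UNLIMITED_INSTANCES, 1024, 1024, 0, NULL);
-if (pipe == INVALID_HANDLE_VALUE)
-{
---
-2.40.0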
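--- a/meta-networking/recipes-support/openvpn/openvpn/CVE-2024-27459.patch
+++ /dev/null
@@ -1,99 +0,0 @@
-From 989b22cb6e007fd1addcfaf7d12f4fec9fbc9639 Mon Sep 17 00:00:00 2001
-From: Lev Stipakov <lstipakov@gmail.com>
-Date: Tue, 19 Mar 2024 17:27:11 +0200
-Subject: [PATCH] interactive.c: Fix potential stack overflow issue
-When reading message from the pipe, we first peek the pipe to get the size
-of the message waiting to be read and then read the message. A compromised
-OpenVPN process could send an excessively large message, which would result
-in a stack-allocated message buffer overflow.
-
-To address this, we terminate the misbehaving process if the peeked message
-size exceeds the maximum allowable size.
-
-CVE: 2024-27459
-Microsoft case number: 85932
-
-Reported-by: Vladimir Tokarev <vtokarev@microsoft.com>
-Change-Id: Ib5743cba0741ea11f9ee62c4978b2c6789b81ada
-Signed-off-by: Lev Stipakov <lev@openvpn.net>
-Acked-by: Heiko Hund <heiko@openvpn.net>
-Message-Id: <20240319152803.1801-2-lev@openvpn.net>
-URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28420.html
-Signed-off-by: Gert Doering <gert@greenie.muc.de>
-
-CVE:CVE-2024-27459
-Upstream-Status: Backport [https://github.com/OpenVPN/openvpn/commit/989b22cb6e007fd1addcfaf7d12f4fec9fbc9639]
-
-Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
----
-src/openvpnserv/interactive.c | 34 +++++++++++++++++++++-------------
-1 file changed, 21 insertions(+), 13 deletions(-)
-
-diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c
-index 5e3ff12..f613b99 100644
---- a/src/openvpnserv/interactive.c
-+++ b/src/openvpnserv/interactive.c
-@@ -111,6 +111,18 @@ typedef struct {
-HANDLE device;
-} ring_buffer_handles_t;
-
-+typedef union {
-+ message_header_t header;
-+ address_message_t address;
-+ route_message_t route;
-+ flush_neighbors_message_t flush_neighbors;
-+ block_dns_message_t block_dns;
-+ dns_cfg_message_t dns;
-+ enable_dhcp_message_t dhcp;
-+ register_ring_buffers_message_t rrb;
-+ set_mtu_message_t mtu;
-+ wins_cfg_message_t wins;
-+} pipe_message_t;
-
-static DWORD
-AddListItem(list_item_t **pfirst, LPVOID data)
-@@ -1444,18 +1456,7 @@ static VOID
-HandleMessage(HANDLE pipe, HANDLE ovpn_proc, ring_buffer_handles_t *ring_buffer_handles,
-DWORD bytes, DWORD count, LPHANDLE events, undo_lists_t *lists)
-{
-- DWORD read;
-- union {
-- message_header_t header;
-- address_message_t address;
-- route_message_t route;
-- flush_neighbors_message_t flush_neighbors;
-- block_dns_message_t block_dns;
-- dns_cfg_message_t dns;
-- enable_dhcp_message_t dhcp;
-- register_ring_buffers_message_t rrb;
-- set_mtu_message_t mtu;
-- } msg;
-+ pipe_message_t msg;
-ack_message_t ack = {
-.header = {
-.type = msg_acknowledgement,
-@@ -1465,7 +1466,7 @@ HandleMessage(HANDLE pipe, HANDLE ovpn_proc, ring_buffer_handles_t *ring_buffer_
-.error_number = ERROR_MESSAGE_DATA
-};
-
-- read = ReadPipeAsync(pipe, &msg, bytes, count, events);
-+ DWORD read = ReadPipeAsync(pipe, &msg, bytes, count, events);
-if (read != bytes || read < sizeof(msg.header) || read != msg.header.size)
-{
-goto out;
-@@ -1884,6 +1885,13 @@ RunOpenvpn(LPVOID p)
-break;
-}
-
-+ if (bytes > sizeof(pipe_message_t))
-+ {
-+ /* process at the other side of the pipe is misbehaving, shut it down */
-+ MsgToEventLog(MSG_FLAGS_ERROR, TEXT("OpenVPN process sent too large payload length to the pipe (%lu bytes), it will be terminated"), bytes);
-+ break;
-+ }
-+
-HandleMessage(ovpn_pipe, proc_info.hProcess, &ring_buffer_handles, bytes, 1, &exit_event, &undo_lists);
-}
-
---
-2.40.0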
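--- a/meta-networking/recipes-support/openvpn/openvpn/CVE-2024-27903.patch
+++ /dev/null
@@ -1,119 +0,0 @@
-From aaea545d8a940f761898d736b68bcb067d503b1d Mon Sep 17 00:00:00 2001
-From: Lev Stipakov <lstipakov@gmail.com>
-Date: Tue, 19 Mar 2024 15:53:45 +0200
-Subject: [PATCH] win32: Enforce loading of plugins from a trusted directory
-
-Currently, there's a risk associated with allowing plugins to be loaded from
-any location. This update ensures plugins are only loaded from a trusted
-directory, which is either:
-
-- HKLM\SOFTWARE\OpenVPN\plugin_dir (or if the key is missing,
-then HKLM\SOFTWARE\OpenVPN, which is installation directory)
-
-- System directory
-
-Loading from UNC paths is disallowed.
-
-Note: This change affects only Windows environments.
-
-CVE: 2024-27903
-
-Change-Id: I154a4aaad9242c9253a64312a14c5fd2ea95f40d
-Reported-by: Vladimir Tokarev <vtokarev@microsoft.com>
-Signed-off-by: Lev Stipakov <lev@openvpn.net>
-Acked-by: Selva Nair <selva.nair@gmail.com>
-Message-Id: <20240319135355.1279-2-lev@openvpn.net>
-URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28416.html
-Signed-off-by: Gert Doering <gert@greenie.muc.de>
-
-CVE:CVE-2024-27903
-Upstream-Status: Backport [https://github.com/OpenVPN/openvpn/commit/aaea545d8a940f761898d736b68bcb067d503b1d]
-
-Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
----
-src/openvpn/plugin.c | 18 +++++++++++++++---
-src/openvpn/win32.c | 21 +++++++++------------
-2 files changed, 24 insertions(+), 15 deletions(-)
-
-diff --git a/src/openvpn/plugin.c b/src/openvpn/plugin.c
-index ed5d7c0..f7315f4 100644
---- a/src/openvpn/plugin.c
-+++ b/src/openvpn/plugin.c
-@@ -279,11 +279,23 @@ plugin_init_item(struct plugin *p, const struct plugin_option *o)
-
-#else /* ifndef _WIN32 */
-
-- rel = !platform_absolute_pathname(p->so_pathname);
-- p->module = LoadLibraryW(wide_string(p->so_pathname, &gc));
-+ WCHAR *wpath = wide_string(p->so_pathname, &gc);
-+ WCHAR normalized_plugin_path[MAX_PATH] = {0};
-+ /* Normalize the plugin path, converting any relative paths to absolute paths. */
-+ if (!GetFullPathNameW(wpath, MAX_PATH, normalized_plugin_path, NULL))
-+ {
-+ msg(M_ERR, "PLUGIN_INIT: could not load plugin DLL: %ls. Failed to normalize plugin path.", wpath);
-+ }
-+
-+ if (!plugin_in_trusted_dir(normalized_plugin_path))
-+ {
-+ msg(M_FATAL, "PLUGIN_INIT: could not load plugin DLL: %ls. The DLL is not in a trusted directory.", normalized_plugin_path);
-+ }
-+
-+ p->module = LoadLibraryW(normalized_plugin_path);
-if (!p->module)
-{
-- msg(M_ERR, "PLUGIN_INIT: could not load plugin DLL: %s", p->so_pathname);
-+ msg(M_ERR, "PLUGIN_INIT: could not load plugin DLL: %ls", normalized_plugin_path);
-}
-
-#define PLUGIN_SYM(var, name, flags) dll_resolve_symbol(p->module, (void *)&p->var, name, p->so_pathname, flags)
-diff --git a/src/openvpn/win32.c b/src/openvpn/win32.c
-index e91e742..1e61ffa 100644
---- a/src/openvpn/win32.c
-+++ b/src/openvpn/win32.c
-@@ -1532,27 +1532,24 @@ openvpn_swprintf(wchar_t *const str, const size_t size, const wchar_t *const for
-return (len >= 0 && len < size);
-}
-
--static BOOL
--get_install_path(WCHAR *path, DWORD size)
-+bool
-+get_openvpn_reg_value(const WCHAR *key, WCHAR *value, DWORD size)
-{
-WCHAR reg_path[256];
-- HKEY key;
-- BOOL res = FALSE;
-+ HKEY hkey;
-openvpn_swprintf(reg_path, _countof(reg_path), L"SOFTWARE\\" PACKAGE_NAME);
-
-- LONG status = RegOpenKeyExW(HKEY_LOCAL_MACHINE, reg_path, 0, KEY_READ, &key);
-+ LONG status = RegOpenKeyExW(HKEY_LOCAL_MACHINE, reg_path, 0, KEY_READ, &hkey);
-if (status != ERROR_SUCCESS)
-{
-- return res;
-+ return false;
-}
-
-- /* The default value of REG_KEY is the install path */
-- status = RegGetValueW(key, NULL, NULL, RRF_RT_REG_SZ, NULL, (LPBYTE)path, &size);
-- res = status == ERROR_SUCCESS;
-+ status = RegGetValueW(hkey, NULL, key, RRF_RT_REG_SZ, NULL, (LPBYTE)value, &size);
-
-- RegCloseKey(key);
-+ RegCloseKey(hkey);
-
-- return res;
-+ return status == ERROR_SUCCESS;
-}
-
-static void
-@@ -1561,7 +1558,7 @@ set_openssl_env_vars()
-const WCHAR *ssl_fallback_dir = L"C:\\Windows\\System32";
-
-WCHAR install_path[MAX_PATH] = { 0 };
-- if (!get_install_path(install_path, _countof(install_path)))
-+ if (!get_openvpn_reg_value(NULL, install_path, _countof(install_path)))
-{
-/* if we cannot find installation path from the registry,
-* use Windows directory as a fallback
---
-2.40.0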
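--- a/meta-networking/recipes-support/openvpn/openvpn_2.5.6.bb
+++ b/meta-networking/recipes-support/openvpn/openvpn_2.5.11.bb
@@ -2,7 +2,7 @@ SUMMARY = "A full-featured SSL VPN solution via tun device."
 HOMEPAGE = "https://openvpn.net/"
 SECTION = "net"
 LICENSE = "GPL-2.0-only"
-LIC_FILES_CHKSUM = "file://COPYING;md5=b76abd82c14ee01cc34c4ff5e3627b89"
+LIC_FILES_CHKSUM = "file://COPYING;md5=132de9241e3147d49dbaead12acb0b22"
 DEPENDS = "lzo openssl iproute2 ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
 
 inherit autotools systemd update-rc.d
@@ -11,14 +11,11 @@ SRC_URI = "http://swupdate.openvpn.org/community/releases/${BP}.tar.gz \
 file://openvpn \
 file://openvpn@.service \
 file://openvpn-volatile.conf \
-file://CVE-2024-24974.patch \
-file://CVE-2024-27459.patch \
-file://CVE-2024-27903.patch \
 "
 
 UPSTREAM_CHECK_URI = "https://openvpn.net/community-downloads"
 
-SRC_URI[sha256sum] = "333a7ef3d5b317968aca2c77bdc29aa7c6d6bb3316eb3f79743b59c53242ad3d"
+SRC_URI[sha256sum] = "7e2672119bd4639819d560f332a8b9b7e28f562425c77899f36d419fe4265f56"
 
 # CVE-2020-7224 and CVE-2020-27569 are for Aviatrix OpenVPN client, not for openvpn.
 CVE_CHECK_IGNORE += "CVE-2020-7224 CVE-2020-27569"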
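Review bot: Dropping the three CVE backports from SRC_URI (old lines 14–16 of this hunk) is not justified anywhere in the commit message, which lists only CVE-2024-5594 under "Security fixes". Each removed patch file carries an Upstream-Status line naming the upstream commit it backports (2c1de0f0…, 989b22cb…, aaea545d…); if those commits are contained in the v2.5.11 tag the patches are redundant, but that is an inference from this page rather than something the commit states, and a reviewer of the CVE status has to re-derive it. A single sentence in the message such as `Drop CVE-2024-24974, CVE-2024-27459 and CVE-2024-27903 backports, which are included in the new upstream release` would record the reasoning and keep cve-check reports explainable. The LIC_FILES_CHKSUM change is already covered by the License-Update line, so nothing further is needed there.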