From 3d234d9a1276255911c9eb41315e7251d62ac2c7 Mon Sep 17 00:00:00 2001
From: Haixiao Yan
Date: Mon, 11 Nov 2024 14:41:19 +0800
Subject: openvpn: upgrade 2.6.10 -> 2.6.12
ChangeLog: https://github.com/OpenVPN/openvpn/blob/v2.6.12/Changes.rst
Security fixes:
CVE-2024-4877: Windows: harden interactive service pipe. Security scope: a malicious process with "some" elevated privileges (SeImpersonatePrivilege) could open the pipe a second time, tricking openvn GUI into providing user credentials (tokens), getting full access to the account openvpn-gui.exe runs as.
CVE-2024-5594: control channel: refuse control channel messages with nonprintable characters in them. Security scope: a malicious openvpn peer can send garbage to openvpn log, or cause high CPU load.
CVE-2024-28882: only call schedule_exit() once (on a given peer). Security scope: an authenticated client can make the server "keep the session" even when the server has been told to disconnect this client.
Signed-off-by: Haixiao Yan
[Drop CVE-2024-28882 patch not yet in stable]
Signed-off-by: Armin Kuster
---
 .../openvpn/openvpn/CVE-2024-28882.patch | 144 ---------------------
 .../recipes-support/openvpn/openvpn_2.6.10.bb | 77 -----------
 .../recipes-support/openvpn/openvpn_2.6.12.bb | 76 +++++++++++
 3 files changed, 76 insertions(+), 221 deletions(-)
 delete mode 100644 meta-networking/recipes-support/openvpn/openvpn/CVE-2024-28882.patch
 delete mode 100644 meta-networking/recipes-support/openvpn/openvpn_2.6.10.bb
 create mode 100644 meta-networking/recipes-support/openvpn/openvpn_2.6.12.bb
diff --git a/meta-networking/recipes-support/openvpn/openvpn/CVE-2024-28882.patch b/meta-networking/recipes-support/openvpn/openvpn/CVE-2024-28882.patch
deleted file mode 100644
index 0b016c89e2..0000000000
--- a/meta-networking/recipes-support/openvpn/openvpn/CVE-2024-28882.patch
+++ /dev/null
@@ -1,144 +0,0 @@
-From 6b0859f669729f4fd328d80bc5c7b4dbbdbf0280 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Reynir=20Bj=C3=B6rnsson?=
-Date: Thu, 16 May 2024 13:58:08 +0200
-Subject: [PATCH] Only schedule_exit() once
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-If an exit has already been scheduled we should not schedule it again.
-Otherwise, the exit signal is never emitted if the peer reschedules the
-exit before the timeout occurs.
-
-schedule_exit() now only takes the context as argument. The signal is
-hard coded to SIGTERM, and the interval is read directly from the
-context options.
-
-Furthermore, schedule_exit() now returns a bool signifying whether an
-exit was scheduled; false if exit is already scheduled. The call sites
-are updated accordingly. A notable difference is that management is only
-notified *once* when an exit is scheduled - we no longer notify
-management on redundant exit.
-
-This patch was assigned a CVE number after already reviewed and ACKed,
-because it was discovered that a misbehaving client can use the (now
-fixed) server behaviour to avoid being disconnected by means of a
-managment interface "client-kill" command - the security issue here is
-"client can circumvent security policy set by management interface".
-
-This only affects previously authenticated clients, and only management
-client-kill, so normal renegotion / AUTH_FAIL ("your session ends") is not
-affected.
-
-CVE: 2024-28882
-
-Change-Id: I9457f005f4ba970502e6b667d9dc4299a588d661
-Signed-off-by: Reynir Björnsson
-Acked-by: Arne Schwabe
-Message-Id: <20240516120434.23499-1-gert@greenie.muc.de>
-URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28679.html
-Signed-off-by: Gert Doering
-
-CVE: CVE-2024-28882
-Upstream-Status: Backport [https://github.com/OpenVPN/openvpn/commit/55bb3260c12bae33b6a8eac73cbb6972f8517411]
-
-Signed-off-by: Haixiao Yan
----
- src/openvpn/forward.c | 15 +++++++++++----
- src/openvpn/forward.h | 2 +-
- src/openvpn/push.c | 12 +++++++-----
- 3 files changed, 19 insertions(+), 10 deletions(-)
-
-diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
-index e9811b9c81de..29e812ffd17d 100644
---- a/src/openvpn/forward.c
-+++ b/src/openvpn/forward.c
-@@ -514,17 +514,24 @@ check_server_poll_timeout(struct context *c)
- }
- 
- /*
-- * Schedule a signal n_seconds from now.
-+ * Schedule a SIGTERM signal c->options.scheduled_exit_interval seconds from now.
- */
--void
--schedule_exit(struct context *c, const int n_seconds, const int signal)
-+bool
-+schedule_exit(struct context *c)
- {
-+ const int n_seconds = c->options.scheduled_exit_interval;
-+ /* don't reschedule if already scheduled. */
-+ if (event_timeout_defined(&c->c2.scheduled_exit))
-+ {
-+ return false;
-+ }
- tls_set_single_session(c->c2.tls_multi);
- update_time();
- reset_coarse_timers(c);
- event_timeout_init(&c->c2.scheduled_exit, n_seconds, now);
-- c->c2.scheduled_exit_signal = signal;
-+ c->c2.scheduled_exit_signal = SIGTERM;
- msg(D_SCHED_EXIT, "Delayed exit in %d seconds", n_seconds);
-+ return true;
- }
- 
- /*
-diff --git a/src/openvpn/forward.h b/src/openvpn/forward.h
-index 060fc374ca60..245a80292112 100644
---- a/src/openvpn/forward.h
-+++ b/src/openvpn/forward.h
-@@ -302,7 +302,7 @@ void reschedule_multi_process(struct context *c);
- 
- void process_ip_header(struct context *c, unsigned int flags, struct buffer *buf);
- 
--void schedule_exit(struct context *c, const int n_seconds, const int signal);
-+bool schedule_exit(struct context *c);
- 
- static inline struct link_socket_info *
- get_link_socket_info(struct context *c)
-diff --git a/src/openvpn/push.c b/src/openvpn/push.c
-index 1b406b9c5311..d220eeb97442 100644
---- a/src/openvpn/push.c
-+++ b/src/openvpn/push.c
-@@ -204,7 +204,11 @@ receive_exit_message(struct context *c)
- * */
- if (c->options.mode == MODE_SERVER)
- {
-- schedule_exit(c, c->options.scheduled_exit_interval, SIGTERM);
-+ if (!schedule_exit(c))
-+ {
-+ /* Return early when we don't need to notify management */
-+ return;
-+ }
- }
- else
- {
-@@ -391,7 +395,7 @@ __attribute__ ((format(__printf__, 4, 5)))
- void
- send_auth_failed(struct context *c, const char *client_reason)
- {
-- if (event_timeout_defined(&c->c2.scheduled_exit))
-+ if (!schedule_exit(c))
- {
- msg(D_TLS_DEBUG, "exit already scheduled for context");
- return;
-@@ -401,8 +405,6 @@ send_auth_failed(struct context *c, const char *client_reason)
- static const char auth_failed[] = "AUTH_FAILED";
- size_t len;
- 
-- schedule_exit(c, c->options.scheduled_exit_interval, SIGTERM);
-- 
- len = (client_reason ? strlen(client_reason)+1 : 0) + sizeof(auth_failed);
- if (len > PUSH_BUNDLE_SIZE)
- {
-@@ -492,7 +494,7 @@ send_auth_pending_messages(struct tls_multi *tls_multi,
- void
- send_restart(struct context *c, const char *kill_msg)
- {
-- schedule_exit(c, c->options.scheduled_exit_interval, SIGTERM);
-+ schedule_exit(c);
- send_control_channel_string(c, kill_msg ? kill_msg : "RESTART", D_PUSH);
- }
- 
---
-2.34.1
-
diff --git a/meta-networking/recipes-support/openvpn/openvpn_2.6.10.bb b/meta-networking/recipes-support/openvpn/openvpn_2.6.10.bb
deleted file mode 100644
index 9b551d3ca2..0000000000
--- a/meta-networking/recipes-support/openvpn/openvpn_2.6.10.bb
+++ /dev/null
@@ -1,77 +0,0 @@
-SUMMARY = "A full-featured SSL VPN solution via tun device."
-HOMEPAGE = "https://openvpn.net/"
-SECTION = "net"
-LICENSE = "GPL-2.0-only"
-LIC_FILES_CHKSUM = "file://COPYING;md5=89196bacc47ed37a5b242a535661a049"
-DEPENDS = "lzo lz4 openssl iproute2 libcap-ng ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
-
-inherit autotools systemd update-rc.d pkgconfig
-
-SRC_URI = "http://swupdate.openvpn.org/community/releases/${BP}.tar.gz \
- file://0001-configure.ac-eliminate-build-path-from-openvpn-versi.patch \
- file://openvpn \
- file://CVE-2024-28882.patch \
- "
-
-UPSTREAM_CHECK_URI = "https://openvpn.net/community-downloads"
-
-SRC_URI[sha256sum] = "1993bbb7b9edb430626eaa24573f881fd3df642f427fcb824b1aed1fca1bcc9b"
-
-CVE_STATUS[CVE-2020-27569] = "not-applicable-config: Applies only Aviatrix OpenVPN client, not openvpn"
-
-INITSCRIPT_PACKAGES = "${PN}"
-INITSCRIPT_NAME:${PN} = "openvpn"
-INITSCRIPT_PARAMS:${PN} = "start 10 2 3 4 5 . stop 70 0 1 6 ."
-
-CFLAGS += "-fno-inline"
-
-# I want openvpn to be able to read password from file (hrw)
-EXTRA_OECONF += "--enable-iproute2"
-EXTRA_OECONF += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', '', '--disable-plugin-auth-pam', d)}"
-
-# Explicitly specify IPROUTE to bypass the configure-time check for /sbin/ip on the host.
-EXTRA_OECONF += "IPROUTE=${base_sbindir}/ip"
-
-EXTRA_OECONF += "SYSTEMD_UNIT_DIR=${systemd_system_unitdir} \
- TMPFILES_DIR=${nonarch_libdir}/tmpfiles.d \
- "
-
-PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)} \
- ${@bb.utils.filter('DISTRO_FEATURES', 'selinux', d)} \
- "
-
-PACKAGECONFIG[systemd] = "--enable-systemd,--disable-systemd,systemd"
-PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux,libselinux"
-
-do_install:append() {
- install -d ${D}/${sysconfdir}/init.d
- install -m 755 ${WORKDIR}/openvpn ${D}/${sysconfdir}/init.d
-
- install -d ${D}/${sysconfdir}/openvpn
- install -d ${D}/${sysconfdir}/openvpn/server
- install -d ${D}/${sysconfdir}/openvpn/client
-
- install -d ${D}/${sysconfdir}/openvpn/sample
- install -m 644 ${S}/sample/sample-config-files/loopback-server ${D}${sysconfdir}/openvpn/sample/loopback-server.conf
- install -m 644 ${S}/sample/sample-config-files/loopback-client ${D}${sysconfdir}/openvpn/sample/loopback-client.conf
- install -dm 755 ${D}${sysconfdir}/openvpn/sample/sample-config-files
- install -dm 755 ${D}${sysconfdir}/openvpn/sample/sample-keys
- install -dm 755 ${D}${sysconfdir}/openvpn/sample/sample-scripts
- install -m 644 ${S}/sample/sample-config-files/* ${D}${sysconfdir}/openvpn/sample/sample-config-files
- install -m 644 ${S}/sample/sample-keys/* ${D}${sysconfdir}/openvpn/sample/sample-keys
- install -m 644 ${S}/sample/sample-scripts/* ${D}${sysconfdir}/openvpn/sample/sample-scripts
-
- install -d -m 710 ${D}/${localstatedir}/lib/openvpn
-}
-
-PACKAGES =+ " ${PN}-sample "
-
-RRECOMMENDS:${PN} = "kernel-module-tun"
-
-FILES:${PN}-dbg += "${libdir}/openvpn/plugins/.debug"
-FILES:${PN} += "${systemd_system_unitdir}/openvpn-server@.service \
- ${systemd_system_unitdir}/openvpn-client@.service \
- ${nonarch_libdir}/tmpfiles.d \
- "
-FILES:${PN}-sample = "${sysconfdir}/openvpn/sample/ \
- "
diff --git a/meta-networking/recipes-support/openvpn/openvpn_2.6.12.bb b/meta-networking/recipes-support/openvpn/openvpn_2.6.12.bb
new file mode 100644
index 0000000000..af237280ea
--- /dev/null
+++ b/meta-networking/recipes-support/openvpn/openvpn_2.6.12.bb
@@ -0,0 +1,76 @@
+SUMMARY = "A full-featured SSL VPN solution via tun device."
+HOMEPAGE = "https://openvpn.net/"
+SECTION = "net"
+LICENSE = "GPL-2.0-only"
+LIC_FILES_CHKSUM = "file://COPYING;md5=89196bacc47ed37a5b242a535661a049"
+DEPENDS = "lzo lz4 openssl iproute2 libcap-ng ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
+
+inherit autotools systemd update-rc.d pkgconfig
+
+SRC_URI = "http://swupdate.openvpn.org/community/releases/${BP}.tar.gz \
+ file://0001-configure.ac-eliminate-build-path-from-openvpn-versi.patch \
+ file://openvpn \
+ "
+
+UPSTREAM_CHECK_URI = "https://openvpn.net/community-downloads"
+
+SRC_URI[sha256sum] = "1c610fddeb686e34f1367c347e027e418e07523a10f4d8ce4a2c2af2f61a1929"
+
+CVE_STATUS[CVE-2020-27569] = "not-applicable-config: Applies only Aviatrix OpenVPN client, not openvpn"
+
+INITSCRIPT_PACKAGES = "${PN}"
+INITSCRIPT_NAME:${PN} = "openvpn"
+INITSCRIPT_PARAMS:${PN} = "start 10 2 3 4 5 . stop 70 0 1 6 ."
+
+CFLAGS += "-fno-inline"
+
+# I want openvpn to be able to read password from file (hrw)
+EXTRA_OECONF += "--enable-iproute2"
+EXTRA_OECONF += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', '', '--disable-plugin-auth-pam', d)}"
+
+# Explicitly specify IPROUTE to bypass the configure-time check for /sbin/ip on the host.
+EXTRA_OECONF += "IPROUTE=${base_sbindir}/ip"
+
+EXTRA_OECONF += "SYSTEMD_UNIT_DIR=${systemd_system_unitdir} \
+ TMPFILES_DIR=${nonarch_libdir}/tmpfiles.d \
+ "
+
+PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)} \
+ ${@bb.utils.filter('DISTRO_FEATURES', 'selinux', d)} \
+ "
+
+PACKAGECONFIG[systemd] = "--enable-systemd,--disable-systemd,systemd"
+PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux,libselinux"
+
+do_install:append() {
+ install -d ${D}/${sysconfdir}/init.d
+ install -m 755 ${WORKDIR}/openvpn ${D}/${sysconfdir}/init.d
+
+ install -d ${D}/${sysconfdir}/openvpn
+ install -d ${D}/${sysconfdir}/openvpn/server
+ install -d ${D}/${sysconfdir}/openvpn/client
+
+ install -d ${D}/${sysconfdir}/openvpn/sample
+ install -m 644 ${S}/sample/sample-config-files/loopback-server ${D}${sysconfdir}/openvpn/sample/loopback-server.conf
+ install -m 644 ${S}/sample/sample-config-files/loopback-client ${D}${sysconfdir}/openvpn/sample/loopback-client.conf
+ install -dm 755 ${D}${sysconfdir}/openvpn/sample/sample-config-files
+ install -dm 755 ${D}${sysconfdir}/openvpn/sample/sample-keys
+ install -dm 755 ${D}${sysconfdir}/openvpn/sample/sample-scripts
+ install -m 644 ${S}/sample/sample-config-files/* ${D}${sysconfdir}/openvpn/sample/sample-config-files
+ install -m 644 ${S}/sample/sample-keys/* ${D}${sysconfdir}/openvpn/sample/sample-keys
+ install -m 644 ${S}/sample/sample-scripts/* ${D}${sysconfdir}/openvpn/sample/sample-scripts
+
+ install -d -m 710 ${D}/${localstatedir}/lib/openvpn
+}
+
+PACKAGES =+ " ${PN}-sample "
+
+RRECOMMENDS:${PN} = "kernel-module-tun"
+
+FILES:${PN}-dbg += "${libdir}/openvpn/plugins/.debug"
+FILES:${PN} += "${systemd_system_unitdir}/openvpn-server@.service \
+ ${systemd_system_unitdir}/openvpn-client@.service \
+ ${nonarch_libdir}/tmpfiles.d \
+ "
+FILES:${PN}-sample = "${sysconfdir}/openvpn/sample/ \
+ "
--
cgit v1.2.3-54-g00ecf