From adf635944c6a2f63b5772ceaa5411be84a9b3711 Mon Sep 17 00:00:00 2001 From: Haixiao Yan Date: Wed, 13 Nov 2024 19:08:12 +0800 Subject: openvpn: upgrade 2.5.6 -> 2.5.11 License-Update: Add Apache2 linking for new commits [1] ChangeLog: https://github.com/OpenVPN/openvpn/blob/v2.5.11/Changes.rst Security fixes: CVE-2024-5594: control channel: refuse control channel messages with nonprintable characters in them. Security scope: a malicious openvpn peer can send garbage to openvpn log, or cause high CPU load. [1] https://github.com/OpenVPN/openvpn/commit/4a89a55b8a9d6193957711bef74228796a185179 Signed-off-by: Haixiao Yan Signed-off-by: Armin Kuster --- .../openvpn/openvpn/CVE-2024-24974.patch | 49 --------- .../openvpn/openvpn/CVE-2024-27459.patch | 99 ----------------- .../openvpn/openvpn/CVE-2024-27903.patch | 119 --------------------- .../recipes-support/openvpn/openvpn_2.5.11.bb | 79 ++++++++++++++ .../recipes-support/openvpn/openvpn_2.5.6.bb | 82 -------------- 5 files changed, 79 insertions(+), 349 deletions(-) delete mode 100644 meta-networking/recipes-support/openvpn/openvpn/CVE-2024-24974.patch delete mode 100644 meta-networking/recipes-support/openvpn/openvpn/CVE-2024-27459.patch delete mode 100644 meta-networking/recipes-support/openvpn/openvpn/CVE-2024-27903.patch create mode 100644 meta-networking/recipes-support/openvpn/openvpn_2.5.11.bb delete mode 100644 meta-networking/recipes-support/openvpn/openvpn_2.5.6.bb diff --git a/meta-networking/recipes-support/openvpn/openvpn/CVE-2024-24974.patch b/meta-networking/recipes-support/openvpn/openvpn/CVE-2024-24974.patch deleted file mode 100644 index b42b3040ef..0000000000 --- a/meta-networking/recipes-support/openvpn/openvpn/CVE-2024-24974.patch +++ /dev/null 
@@ -1,49 +0,0 @@ -From 2c1de0f0803360c0a6408f754066bd3a6fb28237 Mon Sep 17 00:00:00 2001 -From: Lev Stipakov -Date: Tue, 19 Mar 2024 17:16:07 +0200 -Subject: [PATCH] interactive.c: disable remote access to the service pipe - -Remote access to the service pipe is not needed and might -be a potential attack vector. - -For example, if an attacker manages to get credentials for -a user which is the member of "OpenVPN Administrators" group -on a victim machine, an attacker might be able to communicate -with the privileged interactive service on a victim machine -and start openvpn processes remotely. - -CVE: 2024-24974 - -Microsoft case number: 85925 - -Reported-by: Vladimir Tokarev -Change-Id: I8739c5f127e9ca0683fcdbd099dba9896ae46277 -Signed-off-by: Lev Stipakov -Acked-by: Heiko Hund -Message-Id: <20240319151723.936-2-lev@openvpn.net> -URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28419.html -Signed-off-by: Gert Doering - -CVE:CVE-2024-24974 -Upstream-Status: Backport [https://github.com/OpenVPN/openvpn/commit/2c1de0f0803360c0a6408f754066bd3a6fb28237] - -Signed-off-by: Meenali Gupta ---- - src/openvpnserv/interactive.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c -index 3b120ae..5e3ff12 100644 ---- a/src/openvpnserv/interactive.c -+++ b/src/openvpnserv/interactive.c -@@ -1994,7 +1994,7 @@ CreateClientPipeInstance(VOID) - - openvpn_sntprintf(pipe_name, _countof(pipe_name), TEXT("\\\\.\\pipe\\" PACKAGE "%s\\service"), service_instance); - pipe = CreateNamedPipe(pipe_name, flags, -- PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE, -+ PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE | PIPE_REJECT_REMOTE_CLIENTS, - PIPE_UNLIMITED_INSTANCES, 1024, 1024, 0, NULL); - if (pipe == INVALID_HANDLE_VALUE) - { --- -2.40.0 
diff --git a/meta-networking/recipes-support/openvpn/openvpn/CVE-2024-27459.patch b/meta-networking/recipes-support/openvpn/openvpn/CVE-2024-27459.patch
deleted file mode 100644
index d04eeb571d..0000000000
--- a/meta-networking/recipes-support/openvpn/openvpn/CVE-2024-27459.patch
+++ /dev/null
@@ -1,99 +0,0 @@ -From 989b22cb6e007fd1addcfaf7d12f4fec9fbc9639 Mon Sep 17 00:00:00 2001 -From: Lev Stipakov -Date: Tue, 19 Mar 2024 17:27:11 +0200 -Subject: [PATCH] interactive.c: Fix potential stack overflow issue -When reading message from the pipe, we first peek the pipe to get the size -of the message waiting to be read and then read the message. A compromised -OpenVPN process could send an excessively large message, which would result -in a stack-allocated message buffer overflow. - -To address this, we terminate the misbehaving process if the peeked message -size exceeds the maximum allowable size. - -CVE: 2024-27459 -Microsoft case number: 85932 - -Reported-by: Vladimir Tokarev -Change-Id: Ib5743cba0741ea11f9ee62c4978b2c6789b81ada -Signed-off-by: Lev Stipakov -Acked-by: Heiko Hund -Message-Id: <20240319152803.1801-2-lev@openvpn.net> -URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28420.html -Signed-off-by: Gert Doering - -CVE:CVE-2024-27459 -Upstream-Status: Backport [https://github.com/OpenVPN/openvpn/commit/989b22cb6e007fd1addcfaf7d12f4fec9fbc9639] - -Signed-off-by: Meenali Gupta ---- - src/openvpnserv/interactive.c | 34 +++++++++++++++++++++------------- - 1 file changed, 21 insertions(+), 13 deletions(-) - -diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c -index 5e3ff12..f613b99 100644 ---- a/src/openvpnserv/interactive.c -+++ b/src/openvpnserv/interactive.c -@@ -111,6 +111,18 @@ typedef struct { - HANDLE device; - } ring_buffer_handles_t; - -+typedef union { -+ message_header_t header; -+ address_message_t address; -+ route_message_t route; -+ flush_neighbors_message_t flush_neighbors; -+ block_dns_message_t block_dns; -+ dns_cfg_message_t dns; -+ enable_dhcp_message_t dhcp; -+ register_ring_buffers_message_t rrb; -+ set_mtu_message_t mtu; -+ wins_cfg_message_t wins; -+} pipe_message_t; - - static DWORD - AddListItem(list_item_t **pfirst, LPVOID data) -@@ -1444,18 +1456,7 @@ static VOID - 
HandleMessage(HANDLE pipe, HANDLE ovpn_proc, ring_buffer_handles_t *ring_buffer_handles, - DWORD bytes, DWORD count, LPHANDLE events, undo_lists_t *lists) - { -- DWORD read; -- union { -- message_header_t header; -- address_message_t address; -- route_message_t route; -- flush_neighbors_message_t flush_neighbors; -- block_dns_message_t block_dns; -- dns_cfg_message_t dns; -- enable_dhcp_message_t dhcp; -- register_ring_buffers_message_t rrb; -- set_mtu_message_t mtu; -- } msg; -+ pipe_message_t msg; - ack_message_t ack = { - .header = { - .type = msg_acknowledgement, -@@ -1465,7 +1466,7 @@ HandleMessage(HANDLE pipe, HANDLE ovpn_proc, ring_buffer_handles_t *ring_buffer_ - .error_number = ERROR_MESSAGE_DATA - }; - -- read = ReadPipeAsync(pipe, &msg, bytes, count, events); -+ DWORD read = ReadPipeAsync(pipe, &msg, bytes, count, events); - if (read != bytes || read < sizeof(msg.header) || read != msg.header.size) - { - goto out; -@@ -1884,6 +1885,13 @@ RunOpenvpn(LPVOID p) - break; - } - -+ if (bytes > sizeof(pipe_message_t)) -+ { -+ /* process at the other side of the pipe is misbehaving, shut it down */ -+ MsgToEventLog(MSG_FLAGS_ERROR, TEXT("OpenVPN process sent too large payload length to the pipe (%lu bytes), it will be terminated"), bytes); -+ break; -+ } -+ - HandleMessage(ovpn_pipe, proc_info.hProcess, &ring_buffer_handles, bytes, 1, &exit_event, &undo_lists); - } - --- -2.40.0 diff --git a/meta-networking/recipes-support/openvpn/openvpn/CVE-2024-27903.patch b/meta-networking/recipes-support/openvpn/openvpn/CVE-2024-27903.patch deleted file mode 100644 index d0726ab35c..0000000000 --- a/meta-networking/recipes-support/openvpn/openvpn/CVE-2024-27903.patch +++ /dev/null 
@@ -1,119 +0,0 @@ -From aaea545d8a940f761898d736b68bcb067d503b1d Mon Sep 17 00:00:00 2001 -From: Lev Stipakov -Date: Tue, 19 Mar 2024 15:53:45 +0200 -Subject: [PATCH] win32: Enforce loading of plugins from a trusted directory - -Currently, there's a risk associated with allowing plugins to be loaded from -any location. This update ensures plugins are only loaded from a trusted -directory, which is either: - - - HKLM\SOFTWARE\OpenVPN\plugin_dir (or if the key is missing, - then HKLM\SOFTWARE\OpenVPN, which is installation directory) - - - System directory - -Loading from UNC paths is disallowed. - -Note: This change affects only Windows environments. - -CVE: 2024-27903 - -Change-Id: I154a4aaad9242c9253a64312a14c5fd2ea95f40d -Reported-by: Vladimir Tokarev -Signed-off-by: Lev Stipakov -Acked-by: Selva Nair -Message-Id: <20240319135355.1279-2-lev@openvpn.net> -URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28416.html -Signed-off-by: Gert Doering - -CVE:CVE-2024-27903 -Upstream-Status: Backport [https://github.com/OpenVPN/openvpn/commit/aaea545d8a940f761898d736b68bcb067d503b1d] - -Signed-off-by: Meenali Gupta ---- - src/openvpn/plugin.c | 18 +++++++++++++++--- - src/openvpn/win32.c | 21 +++++++++------------ - 2 files changed, 24 insertions(+), 15 deletions(-) - -diff --git a/src/openvpn/plugin.c b/src/openvpn/plugin.c -index ed5d7c0..f7315f4 100644 ---- a/src/openvpn/plugin.c -+++ b/src/openvpn/plugin.c -@@ -279,11 +279,23 @@ plugin_init_item(struct plugin *p, const struct plugin_option *o) - - #else /* ifndef _WIN32 */ - -- rel = !platform_absolute_pathname(p->so_pathname); -- p->module = LoadLibraryW(wide_string(p->so_pathname, &gc)); -+ WCHAR *wpath = wide_string(p->so_pathname, &gc); -+ WCHAR normalized_plugin_path[MAX_PATH] = {0}; -+ /* Normalize the plugin path, converting any relative paths to absolute paths. 
*/ -+ if (!GetFullPathNameW(wpath, MAX_PATH, normalized_plugin_path, NULL)) -+ { -+ msg(M_ERR, "PLUGIN_INIT: could not load plugin DLL: %ls. Failed to normalize plugin path.", wpath); -+ } -+ -+ if (!plugin_in_trusted_dir(normalized_plugin_path)) -+ { -+ msg(M_FATAL, "PLUGIN_INIT: could not load plugin DLL: %ls. The DLL is not in a trusted directory.", normalized_plugin_path); -+ } -+ -+ p->module = LoadLibraryW(normalized_plugin_path); - if (!p->module) - { -- msg(M_ERR, "PLUGIN_INIT: could not load plugin DLL: %s", p->so_pathname); -+ msg(M_ERR, "PLUGIN_INIT: could not load plugin DLL: %ls", normalized_plugin_path); - } - - #define PLUGIN_SYM(var, name, flags) dll_resolve_symbol(p->module, (void *)&p->var, name, p->so_pathname, flags) -diff --git a/src/openvpn/win32.c b/src/openvpn/win32.c -index e91e742..1e61ffa 100644 ---- a/src/openvpn/win32.c -+++ b/src/openvpn/win32.c -@@ -1532,27 +1532,24 @@ openvpn_swprintf(wchar_t *const str, const size_t size, const wchar_t *const for - return (len >= 0 && len < size); - } - --static BOOL --get_install_path(WCHAR *path, DWORD size) -+bool -+get_openvpn_reg_value(const WCHAR *key, WCHAR *value, DWORD size) - { - WCHAR reg_path[256]; -- HKEY key; -- BOOL res = FALSE; -+ HKEY hkey; - openvpn_swprintf(reg_path, _countof(reg_path), L"SOFTWARE\\" PACKAGE_NAME); - -- LONG status = RegOpenKeyExW(HKEY_LOCAL_MACHINE, reg_path, 0, KEY_READ, &key); -+ LONG status = RegOpenKeyExW(HKEY_LOCAL_MACHINE, reg_path, 0, KEY_READ, &hkey); - if (status != ERROR_SUCCESS) - { -- return res; -+ return false; - } - -- /* The default value of REG_KEY is the install path */ -- status = RegGetValueW(key, NULL, NULL, RRF_RT_REG_SZ, NULL, (LPBYTE)path, &size); -- res = status == ERROR_SUCCESS; -+ status = RegGetValueW(hkey, NULL, key, RRF_RT_REG_SZ, NULL, (LPBYTE)value, &size); - -- RegCloseKey(key); -+ RegCloseKey(hkey); - -- return res; -+ return status == ERROR_SUCCESS; - } - - static void -@@ -1561,7 +1558,7 @@ set_openssl_env_vars() - const WCHAR 
 *ssl_fallback_dir = L"C:\\Windows\\System32"; - - WCHAR install_path[MAX_PATH] = { 0 }; -- if (!get_install_path(install_path, _countof(install_path))) -+ if (!get_openvpn_reg_value(NULL, install_path, _countof(install_path))) - { - /* if we cannot find installation path from the registry, - * use Windows directory as a fallback --- -2.40.0
diff --git a/meta-networking/recipes-support/openvpn/openvpn_2.5.11.bb b/meta-networking/recipes-support/openvpn/openvpn_2.5.11.bb
new file mode 100644
index 0000000000..810a60308b
--- /dev/null
+++ b/meta-networking/recipes-support/openvpn/openvpn_2.5.11.bb
@@ -0,0 +1,79 @@
+SUMMARY = "A full-featured SSL VPN solution via tun device."
+HOMEPAGE = "https://openvpn.net/"
+SECTION = "net"
+LICENSE = "GPL-2.0-only"
+LIC_FILES_CHKSUM = "file://COPYING;md5=132de9241e3147d49dbaead12acb0b22"
+DEPENDS = "lzo openssl iproute2 ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
+
+inherit autotools systemd update-rc.d
+
+SRC_URI = "http://swupdate.openvpn.org/community/releases/${BP}.tar.gz \
+ file://openvpn \
+ file://openvpn@.service \
+ file://openvpn-volatile.conf \
+ "
+
+UPSTREAM_CHECK_URI = "https://openvpn.net/community-downloads"
+
+SRC_URI[sha256sum] = "7e2672119bd4639819d560f332a8b9b7e28f562425c77899f36d419fe4265f56"
+
+# CVE-2020-7224 and CVE-2020-27569 are for Aviatrix OpenVPN client, not for openvpn.
+CVE_CHECK_IGNORE += "CVE-2020-7224 CVE-2020-27569"
+
+# CVE-2023-7235 is specific to Windows platform
+CVE_CHECK_IGNORE += "CVE-2023-7235"
+
+SYSTEMD_SERVICE:${PN} += "openvpn@loopback-server.service openvpn@loopback-client.service"
+SYSTEMD_AUTO_ENABLE = "disable"
+
+INITSCRIPT_PACKAGES = "${PN}"
+INITSCRIPT_NAME:${PN} = "openvpn"
+INITSCRIPT_PARAMS:${PN} = "start 10 2 3 4 5 . stop 70 0 1 6 ."
+
+CFLAGS += "-fno-inline"
+
+# I want openvpn to be able to read password from file (hrw)
+EXTRA_OECONF += "--enable-iproute2"
+EXTRA_OECONF += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', '', '--disable-plugin-auth-pam', d)}"
+
+# Explicitly specify IPROUTE to bypass the configure-time check for /sbin/ip on the host.
+EXTRA_OECONF += "IPROUTE=${base_sbindir}/ip"
+
+do_install:append() {
+ install -d ${D}/${sysconfdir}/init.d
+ install -m 755 ${WORKDIR}/openvpn ${D}/${sysconfdir}/init.d
+
+ install -d ${D}/${sysconfdir}/openvpn
+ install -d ${D}/${sysconfdir}/openvpn/sample
+ install -m 755 ${S}/sample/sample-config-files/loopback-server ${D}${sysconfdir}/openvpn/sample/loopback-server.conf
+ install -m 755 ${S}/sample/sample-config-files/loopback-client ${D}${sysconfdir}/openvpn/sample/loopback-client.conf
+ install -dm 755 ${D}${sysconfdir}/openvpn/sample/sample-keys
+ install -m 644 ${S}/sample/sample-keys/* ${D}${sysconfdir}/openvpn/sample/sample-keys
+
+ if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
+ install -d ${D}/${systemd_unitdir}/system
+ install -m 644 ${WORKDIR}/openvpn@.service ${D}/${systemd_unitdir}/system
+ install -m 644 ${WORKDIR}/openvpn@.service ${D}/${systemd_unitdir}/system/openvpn@loopback-server.service
+ install -m 644 ${WORKDIR}/openvpn@.service ${D}/${systemd_unitdir}/system/openvpn@loopback-client.service
+
+ install -d ${D}/${localstatedir}
+ install -d ${D}/${localstatedir}/lib
+ install -d -m 710 ${D}/${localstatedir}/lib/openvpn
+
+ install -d ${D}${sysconfdir}/tmpfiles.d
+ install -m 0644 ${WORKDIR}/openvpn-volatile.conf ${D}${sysconfdir}/tmpfiles.d/openvpn.conf
+ sed -i -e 's#@LOCALSTATEDIR@#${localstatedir}#g' ${D}${sysconfdir}/tmpfiles.d/openvpn.conf
+ fi
+}
+
+PACKAGES =+ " ${PN}-sample "
+
+RRECOMMENDS:${PN} = "kernel-module-tun"
+
+FILES:${PN}-dbg += "${libdir}/openvpn/plugins/.debug"
+FILES:${PN} += "${systemd_unitdir}/system/openvpn@.service \
+ ${sysconfdir}/tmpfiles.d \
+ "
+FILES:${PN}-sample += "${systemd_unitdir}/system/openvpn@loopback-server.service \
+ ${systemd_unitdir}/system/openvpn@loopback-client.service \
+ ${sysconfdir}/openvpn/sample/"
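Review bot: The two sample configuration files in do_install:append are installed with mode 755, which marks plain-text config files executable for every user on the target; 644 is the right mode, i.e. `install -m 644 ${S}/sample/sample-config-files/loopback-server ${D}${sysconfdir}/openvpn/sample/loopback-server.conf` and the same for loopback-client. SRC_URI fetches the release tarball over plain `http://` while UPSTREAM_CHECK_URI already uses https; the pinned sha256sum protects integrity, but `SRC_URI = "https://swupdate.openvpn.org/community/releases/${BP}.tar.gz \` would avoid a cleartext download if the mirror serves TLS. The three CVE backports this commit drops (CVE-2024-24974, CVE-2024-27459, CVE-2024-27903) are presumably contained in the upstream 2.5.11 release, but nothing in the recipe or the commit message states that, and the message names only CVE-2024-5594; a short comment next to the CVE_CHECK_IGNORE lines recording that these three are fixed upstream as of this version would make the CVE-check history auditable.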
diff --git a/meta-networking/recipes-support/openvpn/openvpn_2.5.6.bb b/meta-networking/recipes-support/openvpn/openvpn_2.5.6.bb
deleted file mode 100644
index b5ee31078b..0000000000
--- a/meta-networking/recipes-support/openvpn/openvpn_2.5.6.bb
+++ /dev/null
@@ -1,82 +0,0 @@ -SUMMARY = "A full-featured SSL VPN solution via tun device." -HOMEPAGE = "https://openvpn.net/" -SECTION = "net" -LICENSE = "GPL-2.0-only" -LIC_FILES_CHKSUM = "file://COPYING;md5=b76abd82c14ee01cc34c4ff5e3627b89" -DEPENDS = "lzo openssl iproute2 ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}" - -inherit autotools systemd update-rc.d - -SRC_URI = "http://swupdate.openvpn.org/community/releases/${BP}.tar.gz \ - file://openvpn \ - file://openvpn@.service \ - file://openvpn-volatile.conf \ - file://CVE-2024-24974.patch \ - file://CVE-2024-27459.patch \ - file://CVE-2024-27903.patch \ - " - -UPSTREAM_CHECK_URI = "https://openvpn.net/community-downloads" - -SRC_URI[sha256sum] = "333a7ef3d5b317968aca2c77bdc29aa7c6d6bb3316eb3f79743b59c53242ad3d" - -# CVE-2020-7224 and CVE-2020-27569 are for Aviatrix OpenVPN client, not for openvpn. -CVE_CHECK_IGNORE += "CVE-2020-7224 CVE-2020-27569" - -# CVE-2023-7235 is specific to Windows platform -CVE_CHECK_IGNORE += "CVE-2023-7235" - -SYSTEMD_SERVICE:${PN} += "openvpn@loopback-server.service openvpn@loopback-client.service" -SYSTEMD_AUTO_ENABLE = "disable" - -INITSCRIPT_PACKAGES = "${PN}" -INITSCRIPT_NAME:${PN} = "openvpn" -INITSCRIPT_PARAMS:${PN} = "start 10 2 3 4 5 . stop 70 0 1 6 ." - -CFLAGS += "-fno-inline" - -# I want openvpn to be able to read password from file (hrw) -EXTRA_OECONF += "--enable-iproute2" -EXTRA_OECONF += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', '', '--disable-plugin-auth-pam', d)}" - -# Explicitly specify IPROUTE to bypass the configure-time check for /sbin/ip on the host. 
-EXTRA_OECONF += "IPROUTE=${base_sbindir}/ip" - -do_install:append() { - install -d ${D}/${sysconfdir}/init.d - install -m 755 ${WORKDIR}/openvpn ${D}/${sysconfdir}/init.d - - install -d ${D}/${sysconfdir}/openvpn - install -d ${D}/${sysconfdir}/openvpn/sample - install -m 755 ${S}/sample/sample-config-files/loopback-server ${D}${sysconfdir}/openvpn/sample/loopback-server.conf - install -m 755 ${S}/sample/sample-config-files/loopback-client ${D}${sysconfdir}/openvpn/sample/loopback-client.conf - install -dm 755 ${D}${sysconfdir}/openvpn/sample/sample-keys - install -m 644 ${S}/sample/sample-keys/* ${D}${sysconfdir}/openvpn/sample/sample-keys - - if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then - install -d ${D}/${systemd_unitdir}/system - install -m 644 ${WORKDIR}/openvpn@.service ${D}/${systemd_unitdir}/system - install -m 644 ${WORKDIR}/openvpn@.service ${D}/${systemd_unitdir}/system/openvpn@loopback-server.service - install -m 644 ${WORKDIR}/openvpn@.service ${D}/${systemd_unitdir}/system/openvpn@loopback-client.service - - install -d ${D}/${localstatedir} - install -d ${D}/${localstatedir}/lib - install -d -m 710 ${D}/${localstatedir}/lib/openvpn - - install -d ${D}${sysconfdir}/tmpfiles.d - install -m 0644 ${WORKDIR}/openvpn-volatile.conf ${D}${sysconfdir}/tmpfiles.d/openvpn.conf - sed -i -e 's#@LOCALSTATEDIR@#${localstatedir}#g' ${D}${sysconfdir}/tmpfiles.d/openvpn.conf - fi -} - -PACKAGES =+ " ${PN}-sample " - -RRECOMMENDS:${PN} = "kernel-module-tun" - -FILES:${PN}-dbg += "${libdir}/openvpn/plugins/.debug" -FILES:${PN} += "${systemd_unitdir}/system/openvpn@.service \ - ${sysconfdir}/tmpfiles.d \ - " -FILES:${PN}-sample += "${systemd_unitdir}/system/openvpn@loopback-server.service \ - ${systemd_unitdir}/system/openvpn@loopback-client.service \ - ${sysconfdir}/openvpn/sample/" -- cgit v1.2.3-54-g00ecf