Sync from SUSE:ALP:Source:Standard:1.0 openvpn revision bc595152db72443ed8e330ce4c304d05

2024-11-28 14:09:15 +01:00 · 2024-11-28 14:09:15 +01:00 · 8966d95fb3
commit 8966d95fb3
parent c2c0694a41
3 changed files with 95 additions and 0 deletions
--- a/openvpn-CVE-2024-28882.patch
+++ b/openvpn-CVE-2024-28882.patch
@ -0,0 +1,86 @@
+diff -Naurp openvpn-2.6.8.orig/src/openvpn/forward.c openvpn-2.6.8/src/openvpn/forward.c
+--- openvpn-2.6.8.orig/src/openvpn/forward.c	2024-09-23 10:31:44.836982086 +0200
+++ openvpn-2.6.8/src/openvpn/forward.c	2024-09-24 10:41:00.852046745 +0200
+@@ -514,17 +514,24 @@ check_server_poll_timeout(struct context
+ }
+ 
+ /*
+- * Schedule a signal n_seconds from now.
+ * Schedule a SIGTERM signal c->options.scheduled_exit_interval seconds from now.
+  */
+-void
+-schedule_exit(struct context *c, const int n_seconds, const int signal)
+bool
+schedule_exit(struct context *c)
+ {
+    const int n_seconds = c->options.scheduled_exit_interval;
+    /* don't reschedule if already scheduled. */
+    if (event_timeout_defined(&c->c2.scheduled_exit))
+    {
+        return false;
+    }
+     tls_set_single_session(c->c2.tls_multi);
+     update_time();
+     reset_coarse_timers(c);
+     event_timeout_init(&c->c2.scheduled_exit, n_seconds, now);
+-    c->c2.scheduled_exit_signal = signal;
+    c->c2.scheduled_exit_signal = SIGTERM;
+     msg(D_SCHED_EXIT, "Delayed exit in %d seconds", n_seconds);
+    return true;
+ }
+ 
+ /*
+diff -Naurp openvpn-2.6.8.orig/src/openvpn/forward.h openvpn-2.6.8/src/openvpn/forward.h
+--- openvpn-2.6.8.orig/src/openvpn/forward.h	2024-09-23 10:31:44.836982086 +0200
+++ openvpn-2.6.8/src/openvpn/forward.h	2024-09-24 07:37:34.719661373 +0200
+@@ -302,7 +302,7 @@ void reschedule_multi_process(struct con
+ 
+ void process_ip_header(struct context *c, unsigned int flags, struct buffer *buf);
+ 
+-void schedule_exit(struct context *c, const int n_seconds, const int signal);
+bool schedule_exit(struct context *c);
+ 
+ static inline struct link_socket_info *
+ get_link_socket_info(struct context *c)
+diff -Naurp openvpn-2.6.8.orig/src/openvpn/push.c openvpn-2.6.8/src/openvpn/push.c
+--- openvpn-2.6.8.orig/src/openvpn/push.c	2024-09-23 10:31:44.840315468 +0200
+++ openvpn-2.6.8/src/openvpn/push.c	2024-09-24 08:08:37.713179385 +0200
+@@ -204,7 +204,11 @@ receive_exit_message(struct context *c)
+      * */
+     if (c->options.mode == MODE_SERVER)
+     {
+-        schedule_exit(c, c->options.scheduled_exit_interval, SIGTERM);
+	if(!schedule_exit(c))
+	{
+	   /*Return early when we don't need to notify management */
+	   return;
+	}
+     }
+     else
+     {
+@@ -391,7 +395,7 @@ __attribute__ ((format(__printf__, 4, 5)
+ void
+ send_auth_failed(struct context *c, const char *client_reason)
+ {
+-    if (event_timeout_defined(&c->c2.scheduled_exit))
+    if (!schedule_exit(c))
+     {
+         msg(D_TLS_DEBUG, "exit already scheduled for context");
+         return;
+@@ -401,7 +405,6 @@ send_auth_failed(struct context *c, cons
+     static const char auth_failed[] = "AUTH_FAILED";
+     size_t len;
+ 
+-    schedule_exit(c, c->options.scheduled_exit_interval, SIGTERM);
+ 
+     len = (client_reason ? strlen(client_reason)+1 : 0) + sizeof(auth_failed);
+     if (len > PUSH_BUNDLE_SIZE)
+@@ -492,7 +495,7 @@ send_auth_pending_messages(struct tls_mu
+ void
+ send_restart(struct context *c, const char *kill_msg)
+ {
+-    schedule_exit(c, c->options.scheduled_exit_interval, SIGTERM);
+    schedule_exit(c);
+     send_control_channel_string(c, kill_msg ? kill_msg : "RESTART", D_PUSH);
+ }
+ 
--- a/openvpn.changes
+++ b/openvpn.changes
@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Tue Sep 24 08:31:15 UTC 2024 - Rahul Jain <rahul.jain@suse.com>
+
+- Add openvpn-CVE-2024-28882:Fix multiple exit notifications from authenticated 
+  clients will extend the validity of a closing session (bsc#1227546 CVE-2024-28882)
+  Patchname: openvpn-CVE-2024-28882.patch
+
 -------------------------------------------------------------------
 Mon Nov 20 07:15:13 UTC 2023 - Mohd Saquib <mohd.saquib@suse.com>

--- a/openvpn.spec
+++ b/openvpn.spec
@ -37,6 +37,7 @@ Source9:        %{name}.target
 Source10:       %{name}-tmpfile.conf
 Source11:       rc%{name}
 Patch1:         %{name}-2.3-plugin-man.dif
+Patch2:         openvpn-CVE-2024-28882.patch
 BuildRequires:  iproute2
 BuildRequires:  libcap-ng-devel
 BuildRequires:  liblz4-devel
@ -118,6 +119,7 @@ This package provides the header file to build external plugins.
 %prep
 %setup -q
 %patch1
+%patch2 -p1

 sed -e "s|\" __DATE__|$(date '+%%b %%e %%Y' -r version.m4)\"|g" \
    -i src/openvpn/options.c