Sync from SUSE:SLFO:Main openvpn revision 404a02d128110f8f42924b22cc6952bb

2025-04-25 21:29:20 +02:00
9 changed files with 785 additions and 1540 deletions
--- a/openvpn-2.6.10.tar.gz
+++ b/openvpn-2.6.10.tar.gz
--- a/openvpn-2.6.10.tar.gz.asc
+++ b/openvpn-2.6.10.tar.gz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEEvlj1OdBZuAYxwSlKQdIJZcLoLccFAmX6sakACgkQQdIJZcLo
+LcemTxAA5fwUDLHWQjE9Mf86NZbRup6aSo5S751pou/bcVYWQVbYqjFJIgdJEY7r
+HS4cKlOmJ74S5SqALwqmD4lqUP1LfGocvHUR1ACXppm/rtebWa3upRRI3/svBhp2
+6IqQjW0gkiDib56mKn2RFkyLkUiWpBOW15gqe/NgRjoVlIaCCQuvZhii8fAHMHzS
+HeJrTmdmbINTyVr6Ag4hZS+rKivVXR3j8z2YTuTwH1NPmCuclyoODRSv7rL3A1tU
+wiol0go/aLaDXx1EEnGtHrPtWjA6Gti1pDbteQBKn4Q9v2svuhFncyeux0R9a2Jk
+FLWXLZGI5JOQOTvuIrRnGBuUCpbhJalHQHtgKgNzhIqfToHfIYgc+2gQYSh4pDYi
+rZVMdws9lNqWctSLAeyCyojpYGiL3YU4tnORGzsqypszzznk/JtlkTb6rjGxrh3w
+Ejg5rE7cwgNstGqEaHihJaHG7mnnazZ9US3J1DFcg9NgpDD2Y7Gate6E2GEtmSFg
+BoLUK1tRRl9GayEc8mKN+ThzcW9U1YOzMdZTIRQX9ToaqHdMdpeOGV1+dwYqMT+e
+dYrmEO1COqvfp5Qxk+Q+fFBvUluMM7PQ1w0ncyTRn7jdlxdDu4XB9CfBP5fvXvwl
+teabifAm0iglOeCEYdUWtgYSkvebu1FaIhh1w3I1uQwrKOF7ZXM=
+=6sO3
+-----END PGP SIGNATURE-----
--- a/openvpn-2.6.14.tar.gz
+++ b/openvpn-2.6.14.tar.gz
--- a/openvpn-2.6.14.tar.gz.asc
+++ b/openvpn-2.6.14.tar.gz.asc
@@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEEV+lQSddqo5p0Q5YDUzpoYFKfI8UFAmftKAQACgkQUzpoYFKf
-I8U6jBAAkE9eRWgXki+826vZtyGNR1WgFrtX6dd3mBd9A9fv+ygWRkuNhDo3OHYj
-XGHcgAYjNI+ueOgS0UlVnJE+1P8YCcqNjhakyWO2XhwJwAIydgsMjDrSkefwY4zC
-k1OqGK+DAueaAMISFh91MON1HSOAfa4zPB2PvqZ1u5uIFHL+f4Hh2hHj74YV7X+I
-rr7jED5XGjvWy2H60JEeZlpNj+jzydz2yWvoZCab4Ae71CDE5GU2q2qt+HsQpdlo
-7tzlic97X9pqXN540MDb2pZoxmt+8uTtZn9UOAJ02IbjZRaNf2hmpgfJd6Xh1Wke
-m9loEuhjjVDZfO78Tx9a9uLloEQgxYmhftunc7gZbXcBhCrgtrhPNawff7XIA2Qw
-fVmJxJejaSG9YL0ecVI4Ef2GY5yxB11gOVIjQMuNLeBRsvd7r3n/Mn0J+3qtobyT
-Wr1A4auv+HpeCRwias+OeMmYezCjTsrkq3VLy85r7+KW5kb82b4IjEZkRqJhVxbn
-KXvHNhUBNnZ8SfYp5Fb1r+458bZ5nBG/KXexqS0Twe+VQGe70x/p/FarfrBP+NVe
-0DXA9RpPY0RQscmqWJK1EZhD3YOtZ8x0RUnRkQKH74JIxElxdUcmKR0kwJcdj0aq
-HFit6eAlRzhZukmEa9A0TshBcrNlmQ3BjPg8diIrYB60f5ZW9g8=
-=qqV2
-----END PGP SIGNATURE-----
--- a/openvpn-CVE-2024-28882.patch
+++ b/openvpn-CVE-2024-28882.patch
@@ -0,0 +1,87 @@
+diff -Naurp src.orig/openvpn/forward.c src/openvpn/forward.c
+--- src.orig/openvpn/forward.c	2024-10-17 14:19:53.719827337 +0200
+++ src/openvpn/forward.c	2024-10-18 08:52:38.695704757 +0200
+@@ -514,17 +514,24 @@ check_server_poll_timeout(struct context
+ }
+ 
+ /*
+- * Schedule a signal n_seconds from now.
+ * Schedule a SIGTERM signal c->options.scheduled_exit_interval seconds from now.
+  */
+-void
+-schedule_exit(struct context *c, const int n_seconds, const int signal)
+bool
+schedule_exit(struct context *c)
+ {
+    const int n_seconds = c->options.scheduled_exit_interval;
+    /* don't reschedule if already scheduled. */
+    if (event_timeout_defined(&c->c2.scheduled_exit))
+    {
+        return false;
+    }
+     tls_set_single_session(c->c2.tls_multi);
+     update_time();
+     reset_coarse_timers(c);
+     event_timeout_init(&c->c2.scheduled_exit, n_seconds, now);
+-    c->c2.scheduled_exit_signal = signal;
+    c->c2.scheduled_exit_signal = SIGTERM;
+     msg(D_SCHED_EXIT, "Delayed exit in %d seconds", n_seconds);
+    return true;
+ }
+ 
+ /*
+diff -Naurp src.orig/openvpn/forward.h src/openvpn/forward.h
+--- src.orig/openvpn/forward.h	2024-10-17 14:19:53.719827337 +0200
+++ src/openvpn/forward.h	2024-10-18 08:53:26.223161629 +0200
+@@ -302,7 +302,7 @@ void reschedule_multi_process(struct con
+ 
+ void process_ip_header(struct context *c, unsigned int flags, struct buffer *buf);
+ 
+-void schedule_exit(struct context *c, const int n_seconds, const int signal);
+bool schedule_exit(struct context *c);
+ 
+ static inline struct link_socket_info *
+ get_link_socket_info(struct context *c)
+diff -Naurp src.orig/openvpn/push.c src/openvpn/push.c
+--- src.orig/openvpn/push.c	2024-10-17 14:19:53.719827337 +0200
+++ src/openvpn/push.c	2024-10-18 09:18:53.861388522 +0200
+@@ -204,7 +204,11 @@ receive_exit_message(struct context *c)
+      * */
+     if (c->options.mode == MODE_SERVER)
+     {
+-        schedule_exit(c, c->options.scheduled_exit_interval, SIGTERM);
+       if(!schedule_exit(c))
+       {
+	  /* Return early when we don't need to notify management */
+            return;
+       }
+     }
+     else
+     {
+@@ -391,7 +395,7 @@ __attribute__ ((format(__printf__, 4, 5)
+ void
+ send_auth_failed(struct context *c, const char *client_reason)
+ {
+-    if (event_timeout_defined(&c->c2.scheduled_exit))
+    if (!schedule_exit(c))
+     {
+         msg(D_TLS_DEBUG, "exit already scheduled for context");
+         return;
+@@ -401,8 +405,6 @@ send_auth_failed(struct context *c, cons
+     static const char auth_failed[] = "AUTH_FAILED";
+     size_t len;
+ 
+-    schedule_exit(c, c->options.scheduled_exit_interval, SIGTERM);
+-
+     len = (client_reason ? strlen(client_reason)+1 : 0) + sizeof(auth_failed);
+     if (len > PUSH_BUNDLE_SIZE)
+     {
+@@ -492,7 +494,7 @@ send_auth_pending_messages(struct tls_mu
+ void
+ send_restart(struct context *c, const char *kill_msg)
+ {
+-    schedule_exit(c, c->options.scheduled_exit_interval, SIGTERM);
+    schedule_exit(c);
+     send_control_channel_string(c, kill_msg ? kill_msg : "RESTART", D_PUSH);
+ }
+ 
--- a/openvpn-CVE-2024-5594.patch
+++ b/openvpn-CVE-2024-5594.patch
@@ -0,0 +1,214 @@
+--- src.orig/openvpn/buffer.c	2025-01-22 09:11:26.945102537 +0100
+++ src/openvpn/buffer.c	2025-01-22 09:15:18.992145494 +0100
+@@ -1113,6 +1113,21 @@
+     return ret;
+ }
+ 
+bool
+string_check_buf(struct buffer *buf, const unsigned int inclusive, const unsigned int exclusive)
+{
+    ASSERT(buf);
+    for (int i = 0; i < BLEN(buf); i++)
+    {
+        char c = BSTR(buf)[i];
+        if (!char_inc_exc(c, inclusive, exclusive))
+        {
+            return false;
+        }
+    }
+    return true;
+}
+
+ const char *
+ string_mod_const(const char *str,
+                  const unsigned int inclusive,
+--- src.orig/openvpn/buffer.h	2025-01-22 09:11:26.945102537 +0100
+++ src/openvpn/buffer.h	2025-01-22 09:16:50.090383898 +0100
+@@ -944,6 +944,17 @@
+ bool string_class(const char *str, const unsigned int inclusive, const unsigned int exclusive);
+ 
+ bool string_mod(char *str, const unsigned int inclusive, const unsigned int exclusive, const char replace);
+/**
+ * Check a buffer if it only consists of allowed characters.
+ *
+ * @param buf The buffer to be checked.
+ * @param inclusive The character classes that are allowed.
+ * @param exclusive Character classes that are not allowed even if they are also in inclusive.
+ * @return True if the string consists only of allowed characters, false otherwise.
+ */
+bool
+string_check_buf(struct buffer *buf, const unsigned int inclusive, const unsigned int exclusive);
+
+ 
+ const char *string_mod_const(const char *str,
+                              const unsigned int inclusive,
+--- src.orig/openvpn/forward.c	2025-01-22 09:11:26.948102576 +0100
+++ src/openvpn/forward.c	2025-01-22 09:27:02.718712050 +0100
+@@ -230,6 +230,52 @@
+     }
+ }
+ 
+static void
+parse_incoming_control_channel_command(struct context *c, struct buffer *buf)
+{
+    if (buf_string_match_head_str(buf, "AUTH_FAILED"))
+    {
+        receive_auth_failed(c, buf);
+    }
+    else if (buf_string_match_head_str(buf, "PUSH_"))
+    {
+        incoming_push_message(c, buf);
+    }
+    else if (buf_string_match_head_str(buf, "RESTART"))
+    {
+        server_pushed_signal(c, buf, true, 7);
+    }
+    else if (buf_string_match_head_str(buf, "HALT"))
+    {
+        server_pushed_signal(c, buf, false, 4);
+    }
+    else if (buf_string_match_head_str(buf, "INFO_PRE"))
+    {
+        server_pushed_info(c, buf, 8);
+    }
+    else if (buf_string_match_head_str(buf, "INFO"))
+    {
+        server_pushed_info(c, buf, 4);
+    }
+    else if (buf_string_match_head_str(buf, "CR_RESPONSE"))
+    {
+        receive_cr_response(c, buf);
+    }
+    else if (buf_string_match_head_str(buf, "AUTH_PENDING"))
+    {
+        receive_auth_pending(c, buf);
+    }
+    else if (buf_string_match_head_str(buf, "EXIT"))
+    {
+        receive_exit_message(c);
+    }
+    else
+    {
+        msg(D_PUSH_ERRORS, "WARNING: Received unknown control message: %s", BSTR(buf));
+    }
+}
+
+
+ /*
+  * Handle incoming configuration
+  * messages on the control channel.
+@@ -245,51 +291,37 @@
+     struct buffer buf = alloc_buf_gc(len, &gc);
+     if (tls_rec_payload(c->c2.tls_multi, &buf))
+     {
+-        /* force null termination of message */
+-        buf_null_terminate(&buf);
+-
+-        /* enforce character class restrictions */
+-        string_mod(BSTR(&buf), CC_PRINT, CC_CRLF, 0);
+-
+-        if (buf_string_match_head_str(&buf, "AUTH_FAILED"))
+-        {
+-            receive_auth_failed(c, &buf);
+-        }
+-        else if (buf_string_match_head_str(&buf, "PUSH_"))
+-        {
+-            incoming_push_message(c, &buf);
+-        }
+-        else if (buf_string_match_head_str(&buf, "RESTART"))
+-        {
+-            server_pushed_signal(c, &buf, true, 7);
+-        }
+-        else if (buf_string_match_head_str(&buf, "HALT"))
+-        {
+-            server_pushed_signal(c, &buf, false, 4);
+-        }
+-        else if (buf_string_match_head_str(&buf, "INFO_PRE"))
+-        {
+-            server_pushed_info(c, &buf, 8);
+-        }
+-        else if (buf_string_match_head_str(&buf, "INFO"))
+-        {
+-            server_pushed_info(c, &buf, 4);
+-        }
+-        else if (buf_string_match_head_str(&buf, "CR_RESPONSE"))
+-        {
+-            receive_cr_response(c, &buf);
+-        }
+-        else if (buf_string_match_head_str(&buf, "AUTH_PENDING"))
+-        {
+-            receive_auth_pending(c, &buf);
+-        }
+-        else if (buf_string_match_head_str(&buf, "EXIT"))
+-        {
+-            receive_exit_message(c);
+-        }
+-        else
+	while (BLEN(&buf) > 1)
+         {
+-            msg(D_PUSH_ERRORS, "WARNING: Received unknown control message: %s", BSTR(&buf));
+	     /* commands on the control channel are seperated by 0x00 bytes.
+             * cmdlen does not include the 0 byte of the string */
+            int cmdlen = (int)strnlen(BSTR(&buf), BLEN(&buf));
+            if (cmdlen < BLEN(&buf))
+            {
+                /* include the NUL byte and ensure NUL termination */
+                int cmdlen = (int)strlen(BSTR(&buf)) + 1;
+                /* Construct a buffer that only holds the current command and
+                 * its closing NUL byte */
+                struct buffer cmdbuf = alloc_buf_gc(cmdlen, &gc);
+                buf_write(&cmdbuf, BPTR(&buf), cmdlen);
+                /* check we have only printable characters or null byte in the
+                 * command string and no newlines */
+                if (!string_check_buf(&buf, CC_PRINT | CC_NULL, CC_CRLF))
+                {
+                    msg(D_PUSH_ERRORS, "WARNING: Received control with invalid characters: %s",
+                        format_hex(BPTR(&buf), BLEN(&buf), 256, &gc));
+                }
+                else
+                {
+                    parse_incoming_control_channel_command(c, &cmdbuf);
+                }
+            }
+            else
+            {
+                msg(D_PUSH_ERRORS, "WARNING: Ignoring control channel "
+                    "message command without NUL termination");
+            }
+            buf_advance(&buf, cmdlen);
+         }
+     }
+     else
+--- tests.orig/unit_tests/openvpn/test_buffer.c	2025-01-22 09:11:56.003473042 +0100
+++ tests/unit_tests/openvpn/test_buffer.c	2025-01-22 09:30:26.633484093 +0100
+@@ -259,6 +259,22 @@
+     gc_free(&gc);
+ }
+ 
+static void
+test_character_string_mod_buf(void **state)
+{
+    struct gc_arena gc = gc_new();
+    struct buffer buf = alloc_buf_gc(1024, &gc);
+    const char test1[] =  "There is a nice 1234\x00 year old tree!";
+    buf_write(&buf, test1, sizeof(test1));
+    /* allow the null bytes and string but not the ! */
+    assert_false(string_check_buf(&buf, CC_ALNUM | CC_SPACE | CC_NULL, 0));
+    /* remove final ! and null byte to pass */
+    buf_inc_len(&buf, -2);
+    assert_true(string_check_buf(&buf, CC_ALNUM | CC_SPACE | CC_NULL, 0));
+    /* Check excluding digits works */
+    assert_false(string_check_buf(&buf, CC_ALNUM | CC_SPACE | CC_NULL, CC_DIGIT));
+    gc_free(&gc);
+}
+ 
+ int
+ main(void)
+@@ -289,6 +305,7 @@
+         cmocka_unit_test(test_buffer_free_gc_one),
+         cmocka_unit_test(test_buffer_free_gc_two),
+         cmocka_unit_test(test_buffer_gc_realloc),
+	cmocka_unit_test(test_character_string_mod_buf)
+     };
+ 
+     return cmocka_run_group_tests_name("buffer", tests, NULL, NULL);
--- a/openvpn.changes
+++ b/openvpn.changes
@@ -1,40 +1,3 @@
-------------------------------------------------------------------
-Fri Apr  4 20:24:19 UTC 2025 - Richard Rahl <rrahl0@opensuse.org>
-
- update to 2.6.14:
-  * CVE-2025-2704: fix possible ASSERT() on OpenVPN servers using --tls-crypt-v2
-  * Linux DCO: repair source IP selection for --multihome
- update to 2.6.13:
-  * on non-windows clients (MacOS, Linux, Unix) send "release" string from
-    uname() call as IV_PLAT_VER to server
-  * Linux: pass --timeout=0 argument to systemd-ask-password, to avoid default
-    timeout of 90 seconds
-  * improve server-side handling of clients sending usernames or passwords
-    longer than USER_PASS_LEN
-  * purge proxy authentication credentials from memory after use
- update to 2.6.12:
-  * the fix for CVE-2024-5594 (refuse control channel messages with
-    nonprintable characters) was too strict, breaking user configurations
-  * Http-proxy: fix bug preventing proxy credentials caching
- update to 2.6.11:
-  * CVE-2024-5594: control channel: refuse control channel messages with
-    nonprintable characters in them. Security scope: a malicious openvpn
-    peer can send garbage to openvpn log, or cause high CPU load.
-  * CVE-2024-28882: only call schedule_exit() once (on a given peer).
-    Security scope: an authenticated client can make the server "keep the
-    session" even when the server has been told to disconnect this client
-  * Fix connect timeout when using SOCKS proxies
-  * Add bracket in fingerprint message and do not warn about missing
-    verification
-  * Remove "experimental" denotation for --fast-io
-  * Correctly document ifconfig_* variables passed to scripts
-  * Documentation: make section levels consistent
-  * Samples: Update sample configurations (remove compression & old cipher
-    settings, add more informative comments)
- update keyring, as the old one doesn't verify anymore (and attach an url)
- remove openvpn-CVE-2024-28882.patch and openvpn-CVE-2024-5594.patch, as
-  the latest version include fixes for the CVEs
-
 -------------------------------------------------------------------
 Wed Jan 22 16:35:27 UTC 2025 - Dominique Leuenberger <dimstar@opensuse.org>

--- a/openvpn.keyring
+++ b/openvpn.keyring
--- a/openvpn.spec
+++ b/openvpn.spec
@@ -21,7 +21,7 @@
 %define _rundir %{_localstatedir}/run
 %endif
 Name:           openvpn
-Version:        2.6.14
+Version:        2.6.10
 Release:        0
 Summary:        Full-featured SSL VPN solution using a TUN/TAP Interface
 License:        GPL-2.0-only WITH openvpn-openssl-exception
@@ -32,12 +32,14 @@ Source1:        https://swupdate.openvpn.org/community/releases/openvpn-%{versio
 Source3:        %{name}.README.SUSE
 Source4:        client-netconfig.up
 Source5:        client-netconfig.down
-Source7:        https://keyserver.ubuntu.com/pks/lookup?op=get&search=0xf554a3687412cffebdefe0a312f5f7b42f2b01e7#/%{name}.keyring
+Source7:        %{name}.keyring
 Source8:        %{name}.service
 Source9:        %{name}.target
 Source10:       %{name}-tmpfile.conf
 Source11:       rc%{name}
 Patch1:         %{name}-2.3-plugin-man.dif
+Patch2:         openvpn-CVE-2024-28882.patch
+Patch3:         openvpn-CVE-2024-5594.patch
 BuildRequires:  iproute2
 BuildRequires:  libcap-ng-devel
 BuildRequires:  liblz4-devel