openvpn/openvpn-2.3.x-fixed-multiple-low-severity-issues.patch

258 lines
9.3 KiB
Diff
Raw Normal View History

Accepting request 860796 from home:dirkmueller:branches:network:vpn - update to 2.4.10: - OpenVPN client will now announce the acceptable ciphers to the server (IV_CIPHER=...), so NCP cipher negotiation works better - Parse static challenge response in auth-pam plugin - Accept empty password and/or response in auth-pam plugin - Log serial number of revoked certificate - Fix tls_ctx_client/server_new leaving error on OpenSSL error stack - Fix auth-token not being updated if auth-nocache is set (this should fix all remaining client-side bugs for the combination "auth-nocache in client-config" + "auth-token in use on the server") - Fix stack overflow in OpenSolaris and *BSD NEXTADDR() - Fix error detection / abort in --inetd corner case (#350) - Fix TUNSETGROUP compatibility with very old Linux systems (#1152) - Fix handling of 'route remote_host' for IPv6 transport case (#1247 and #1332) - Fix --show-gateway for IPv6 on NetBSD/i386 (#734) - A number of documentation improvements / clarification fixes. - Fix line number reporting on config file errors after <inline> segments - Fix fatal error at switching remotes (#629) - socks.c: fix alen for DOMAIN type addresses, bump up buffer sizes (#848) - Switch "ks->authenticated" assertion failure to returning false (#1270) - refresh 0001-preform-deferred-authentication-in-the-background.patch openvpn-2.3.x-fixed-multiple-low-severity-issues.patch against 2.4.10 OBS-URL: https://build.opensuse.org/request/show/860796 OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=156
2021-01-08 09:45:09 +01:00
Index: openvpn-2.4.10/src/openvpn/crypto.c
===================================================================
--- openvpn-2.4.10.orig/src/openvpn/crypto.c
+++ openvpn-2.4.10/src/openvpn/crypto.c
@@ -118,7 +118,7 @@ openvpn_encrypt_aead(struct buffer *buf,
dmsg(D_PACKET_CONTENT, "ENCRYPT FROM: %s", format_hex(BPTR(buf), BLEN(buf), 80, &gc));
/* Buffer overflow check */
- if (!buf_safe(&work, buf->len + cipher_ctx_block_size(ctx->cipher)))
+ if (!buf_safe(&work, buf->len + OPENVPN_MAX_BLOCK_LENGTH))
{
msg(D_CRYPT_ERRORS,
"ENCRYPT: buffer size error, bc=%d bo=%d bl=%d wc=%d wo=%d wl=%d",
Accepting request 860796 from home:dirkmueller:branches:network:vpn - update to 2.4.10: - OpenVPN client will now announce the acceptable ciphers to the server (IV_CIPHER=...), so NCP cipher negotiation works better - Parse static challenge response in auth-pam plugin - Accept empty password and/or response in auth-pam plugin - Log serial number of revoked certificate - Fix tls_ctx_client/server_new leaving error on OpenSSL error stack - Fix auth-token not being updated if auth-nocache is set (this should fix all remaining client-side bugs for the combination "auth-nocache in client-config" + "auth-token in use on the server") - Fix stack overflow in OpenSolaris and *BSD NEXTADDR() - Fix error detection / abort in --inetd corner case (#350) - Fix TUNSETGROUP compatibility with very old Linux systems (#1152) - Fix handling of 'route remote_host' for IPv6 transport case (#1247 and #1332) - Fix --show-gateway for IPv6 on NetBSD/i386 (#734) - A number of documentation improvements / clarification fixes. - Fix line number reporting on config file errors after <inline> segments - Fix fatal error at switching remotes (#629) - socks.c: fix alen for DOMAIN type addresses, bump up buffer sizes (#848) - Switch "ks->authenticated" assertion failure to returning false (#1270) - refresh 0001-preform-deferred-authentication-in-the-background.patch openvpn-2.3.x-fixed-multiple-low-severity-issues.patch against 2.4.10 OBS-URL: https://build.opensuse.org/request/show/860796 OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=156
2021-01-08 09:45:09 +01:00
@@ -237,7 +237,7 @@ openvpn_encrypt_v1(struct buffer *buf, s
ASSERT(cipher_ctx_reset(ctx->cipher, iv_buf));
/* Buffer overflow check */
- if (!buf_safe(&work, buf->len + cipher_ctx_block_size(ctx->cipher)))
+ if (!buf_safe(&work, buf->len + OPENVPN_MAX_BLOCK_LENGTH))
{
msg(D_CRYPT_ERRORS, "ENCRYPT: buffer size error, bc=%d bo=%d bl=%d wc=%d wo=%d wl=%d cbs=%d",
buf->capacity,
Accepting request 860796 from home:dirkmueller:branches:network:vpn - update to 2.4.10: - OpenVPN client will now announce the acceptable ciphers to the server (IV_CIPHER=...), so NCP cipher negotiation works better - Parse static challenge response in auth-pam plugin - Accept empty password and/or response in auth-pam plugin - Log serial number of revoked certificate - Fix tls_ctx_client/server_new leaving error on OpenSSL error stack - Fix auth-token not being updated if auth-nocache is set (this should fix all remaining client-side bugs for the combination "auth-nocache in client-config" + "auth-token in use on the server") - Fix stack overflow in OpenSolaris and *BSD NEXTADDR() - Fix error detection / abort in --inetd corner case (#350) - Fix TUNSETGROUP compatibility with very old Linux systems (#1152) - Fix handling of 'route remote_host' for IPv6 transport case (#1247 and #1332) - Fix --show-gateway for IPv6 on NetBSD/i386 (#734) - A number of documentation improvements / clarification fixes. - Fix line number reporting on config file errors after <inline> segments - Fix fatal error at switching remotes (#629) - socks.c: fix alen for DOMAIN type addresses, bump up buffer sizes (#848) - Switch "ks->authenticated" assertion failure to returning false (#1270) - refresh 0001-preform-deferred-authentication-in-the-background.patch openvpn-2.3.x-fixed-multiple-low-severity-issues.patch against 2.4.10 OBS-URL: https://build.opensuse.org/request/show/860796 OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=156
2021-01-08 09:45:09 +01:00
@@ -378,7 +378,7 @@ openvpn_decrypt_aead(struct buffer *buf,
const cipher_kt_t *cipher_kt = cipher_ctx_get_cipher_kt(ctx->cipher);
uint8_t *tag_ptr = NULL;
int tag_size = 0;
- int outlen;
+ int outlen = 0;
struct gc_arena gc;
gc_init(&gc);
Accepting request 860796 from home:dirkmueller:branches:network:vpn - update to 2.4.10: - OpenVPN client will now announce the acceptable ciphers to the server (IV_CIPHER=...), so NCP cipher negotiation works better - Parse static challenge response in auth-pam plugin - Accept empty password and/or response in auth-pam plugin - Log serial number of revoked certificate - Fix tls_ctx_client/server_new leaving error on OpenSSL error stack - Fix auth-token not being updated if auth-nocache is set (this should fix all remaining client-side bugs for the combination "auth-nocache in client-config" + "auth-token in use on the server") - Fix stack overflow in OpenSolaris and *BSD NEXTADDR() - Fix error detection / abort in --inetd corner case (#350) - Fix TUNSETGROUP compatibility with very old Linux systems (#1152) - Fix handling of 'route remote_host' for IPv6 transport case (#1247 and #1332) - Fix --show-gateway for IPv6 on NetBSD/i386 (#734) - A number of documentation improvements / clarification fixes. - Fix line number reporting on config file errors after <inline> segments - Fix fatal error at switching remotes (#629) - socks.c: fix alen for DOMAIN type addresses, bump up buffer sizes (#848) - Switch "ks->authenticated" assertion failure to returning false (#1270) - refresh 0001-preform-deferred-authentication-in-the-background.patch openvpn-2.3.x-fixed-multiple-low-severity-issues.patch against 2.4.10 OBS-URL: https://build.opensuse.org/request/show/860796 OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=156
2021-01-08 09:45:09 +01:00
@@ -455,7 +455,7 @@ openvpn_decrypt_aead(struct buffer *buf,
dmsg(D_PACKET_CONTENT, "DECRYPT FROM: %s", format_hex(BPTR(buf), BLEN(buf), 0, &gc));
/* Buffer overflow check (should never fail) */
- if (!buf_safe(&work, buf->len + cipher_ctx_block_size(ctx->cipher)))
+ if (!buf_safe(&work, buf->len + OPENVPN_MAX_BLOCK_LENGTH))
{
CRYPT_ERROR("potential buffer overflow");
}
Accepting request 860796 from home:dirkmueller:branches:network:vpn - update to 2.4.10: - OpenVPN client will now announce the acceptable ciphers to the server (IV_CIPHER=...), so NCP cipher negotiation works better - Parse static challenge response in auth-pam plugin - Accept empty password and/or response in auth-pam plugin - Log serial number of revoked certificate - Fix tls_ctx_client/server_new leaving error on OpenSSL error stack - Fix auth-token not being updated if auth-nocache is set (this should fix all remaining client-side bugs for the combination "auth-nocache in client-config" + "auth-token in use on the server") - Fix stack overflow in OpenSolaris and *BSD NEXTADDR() - Fix error detection / abort in --inetd corner case (#350) - Fix TUNSETGROUP compatibility with very old Linux systems (#1152) - Fix handling of 'route remote_host' for IPv6 transport case (#1247 and #1332) - Fix --show-gateway for IPv6 on NetBSD/i386 (#734) - A number of documentation improvements / clarification fixes. - Fix line number reporting on config file errors after <inline> segments - Fix fatal error at switching remotes (#629) - socks.c: fix alen for DOMAIN type addresses, bump up buffer sizes (#848) - Switch "ks->authenticated" assertion failure to returning false (#1270) - refresh 0001-preform-deferred-authentication-in-the-background.patch openvpn-2.3.x-fixed-multiple-low-severity-issues.patch against 2.4.10 OBS-URL: https://build.opensuse.org/request/show/860796 OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=156
2021-01-08 09:45:09 +01:00
@@ -601,7 +601,7 @@ openvpn_decrypt_v1(struct buffer *buf, s
}
/* Buffer overflow check (should never happen) */
- if (!buf_safe(&work, buf->len + cipher_ctx_block_size(ctx->cipher)))
+ if (!buf_safe(&work, buf->len + OPENVPN_MAX_BLOCK_LENGTH))
{
CRYPT_ERROR("potential buffer overflow");
}
Accepting request 860796 from home:dirkmueller:branches:network:vpn - update to 2.4.10: - OpenVPN client will now announce the acceptable ciphers to the server (IV_CIPHER=...), so NCP cipher negotiation works better - Parse static challenge response in auth-pam plugin - Accept empty password and/or response in auth-pam plugin - Log serial number of revoked certificate - Fix tls_ctx_client/server_new leaving error on OpenSSL error stack - Fix auth-token not being updated if auth-nocache is set (this should fix all remaining client-side bugs for the combination "auth-nocache in client-config" + "auth-token in use on the server") - Fix stack overflow in OpenSolaris and *BSD NEXTADDR() - Fix error detection / abort in --inetd corner case (#350) - Fix TUNSETGROUP compatibility with very old Linux systems (#1152) - Fix handling of 'route remote_host' for IPv6 transport case (#1247 and #1332) - Fix --show-gateway for IPv6 on NetBSD/i386 (#734) - A number of documentation improvements / clarification fixes. - Fix line number reporting on config file errors after <inline> segments - Fix fatal error at switching remotes (#629) - socks.c: fix alen for DOMAIN type addresses, bump up buffer sizes (#848) - Switch "ks->authenticated" assertion failure to returning false (#1270) - refresh 0001-preform-deferred-authentication-in-the-background.patch openvpn-2.3.x-fixed-multiple-low-severity-issues.patch against 2.4.10 OBS-URL: https://build.opensuse.org/request/show/860796 OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=156
2021-01-08 09:45:09 +01:00
Index: openvpn-2.4.10/src/openvpn/crypto_openssl.h
===================================================================
--- openvpn-2.4.10.orig/src/openvpn/crypto_openssl.h
+++ openvpn-2.4.10/src/openvpn/crypto_openssl.h
Accepting request 505857 from home:ndas:branches:network:vpn - Update to 2.4.3 (bsc#1045489) - Ignore auth-nocache for auth-user-pass if auth-token is pushed - crypto: Enable SHA256 fingerprint checking in --verify-hash - copyright: Update GPLv2 license texts - auth-token with auth-nocache fix broke --disable-crypto builds - OpenSSL: don't use direct access to the internal of X509 - OpenSSL: don't use direct access to the internal of EVP_PKEY - OpenSSL: don't use direct access to the internal of RSA - OpenSSL: don't use direct access to the internal of DSA - OpenSSL: force meth->name as non-const when we free() it - OpenSSL: don't use direct access to the internal of EVP_MD_CTX - OpenSSL: don't use direct access to the internal of EVP_CIPHER_CTX - OpenSSL: don't use direct access to the internal of HMAC_CTX - Fix NCP behaviour on TLS reconnect. - Remove erroneous limitation on max number of args for --plugin - Fix edge case with clients failing to set up cipher on empty PUSH_REPLY. - Fix potential 1-byte overread in TCP option parsing. - Fix remotely-triggerable ASSERT() on malformed IPv6 packet. - Preparing for release v2.4.3 (ChangeLog, version.m4, Changes.rst) - refactor my_strupr - Fix 2 memory leaks in proxy authentication routine - Fix memory leak in add_option() for option 'connection' - Ensure option array p[] is always NULL-terminated - Fix a null-pointer dereference in establish_http_proxy_passthru() - Prevent two kinds of stack buffer OOB reads and a crash for invalid input data - Fix an unaligned access on OpenBSD/sparc64 - Missing include for socket-flags TCP_NODELAY on OpenBSD - Make openvpn-plugin.h self-contained again. - Pass correct buffer size to GetModuleFileNameW() - Log the negotiated (NCP) cipher OBS-URL: https://build.opensuse.org/request/show/505857 OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=124
2017-06-23 12:34:54 +02:00
@@ -52,6 +52,9 @@ typedef HMAC_CTX hmac_ctx_t;
/** Maximum length of an IV */
#define OPENVPN_MAX_IV_LENGTH EVP_MAX_IV_LENGTH
+/** Maximum length of a cipher block */
+#define OPENVPN_MAX_BLOCK_LENGTH EVP_MAX_BLOCK_LENGTH
+
/** Cipher is in CBC mode */
#define OPENVPN_MODE_CBC EVP_CIPH_CBC_MODE
Accepting request 860796 from home:dirkmueller:branches:network:vpn - update to 2.4.10: - OpenVPN client will now announce the acceptable ciphers to the server (IV_CIPHER=...), so NCP cipher negotiation works better - Parse static challenge response in auth-pam plugin - Accept empty password and/or response in auth-pam plugin - Log serial number of revoked certificate - Fix tls_ctx_client/server_new leaving error on OpenSSL error stack - Fix auth-token not being updated if auth-nocache is set (this should fix all remaining client-side bugs for the combination "auth-nocache in client-config" + "auth-token in use on the server") - Fix stack overflow in OpenSolaris and *BSD NEXTADDR() - Fix error detection / abort in --inetd corner case (#350) - Fix TUNSETGROUP compatibility with very old Linux systems (#1152) - Fix handling of 'route remote_host' for IPv6 transport case (#1247 and #1332) - Fix --show-gateway for IPv6 on NetBSD/i386 (#734) - A number of documentation improvements / clarification fixes. - Fix line number reporting on config file errors after <inline> segments - Fix fatal error at switching remotes (#629) - socks.c: fix alen for DOMAIN type addresses, bump up buffer sizes (#848) - Switch "ks->authenticated" assertion failure to returning false (#1270) - refresh 0001-preform-deferred-authentication-in-the-background.patch openvpn-2.3.x-fixed-multiple-low-severity-issues.patch against 2.4.10 OBS-URL: https://build.opensuse.org/request/show/860796 OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=156
2021-01-08 09:45:09 +01:00
Index: openvpn-2.4.10/src/openvpn/init.c
===================================================================
--- openvpn-2.4.10.orig/src/openvpn/init.c
+++ openvpn-2.4.10/src/openvpn/init.c
@@ -3215,8 +3215,8 @@ init_context_buffers(const struct frame
b->aux_buf = alloc_buf(BUF_SIZE(frame));
#ifdef ENABLE_CRYPTO
- b->encrypt_buf = alloc_buf(BUF_SIZE(frame));
- b->decrypt_buf = alloc_buf(BUF_SIZE(frame));
+ b->encrypt_buf = alloc_buf(BUF_SIZE(frame) + OPENVPN_MAX_BLOCK_LENGTH);
+ b->decrypt_buf = alloc_buf(BUF_SIZE(frame) + OPENVPN_MAX_BLOCK_LENGTH);
#endif
#ifdef USE_COMP
Accepting request 860796 from home:dirkmueller:branches:network:vpn - update to 2.4.10: - OpenVPN client will now announce the acceptable ciphers to the server (IV_CIPHER=...), so NCP cipher negotiation works better - Parse static challenge response in auth-pam plugin - Accept empty password and/or response in auth-pam plugin - Log serial number of revoked certificate - Fix tls_ctx_client/server_new leaving error on OpenSSL error stack - Fix auth-token not being updated if auth-nocache is set (this should fix all remaining client-side bugs for the combination "auth-nocache in client-config" + "auth-token in use on the server") - Fix stack overflow in OpenSolaris and *BSD NEXTADDR() - Fix error detection / abort in --inetd corner case (#350) - Fix TUNSETGROUP compatibility with very old Linux systems (#1152) - Fix handling of 'route remote_host' for IPv6 transport case (#1247 and #1332) - Fix --show-gateway for IPv6 on NetBSD/i386 (#734) - A number of documentation improvements / clarification fixes. - Fix line number reporting on config file errors after <inline> segments - Fix fatal error at switching remotes (#629) - socks.c: fix alen for DOMAIN type addresses, bump up buffer sizes (#848) - Switch "ks->authenticated" assertion failure to returning false (#1270) - refresh 0001-preform-deferred-authentication-in-the-background.patch openvpn-2.3.x-fixed-multiple-low-severity-issues.patch against 2.4.10 OBS-URL: https://build.opensuse.org/request/show/860796 OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=156
2021-01-08 09:45:09 +01:00
Index: openvpn-2.4.10/src/openvpn/proxy.c
===================================================================
--- openvpn-2.4.10.orig/src/openvpn/proxy.c
+++ openvpn-2.4.10/src/openvpn/proxy.c
Accepting request 505857 from home:ndas:branches:network:vpn - Update to 2.4.3 (bsc#1045489) - Ignore auth-nocache for auth-user-pass if auth-token is pushed - crypto: Enable SHA256 fingerprint checking in --verify-hash - copyright: Update GPLv2 license texts - auth-token with auth-nocache fix broke --disable-crypto builds - OpenSSL: don't use direct access to the internal of X509 - OpenSSL: don't use direct access to the internal of EVP_PKEY - OpenSSL: don't use direct access to the internal of RSA - OpenSSL: don't use direct access to the internal of DSA - OpenSSL: force meth->name as non-const when we free() it - OpenSSL: don't use direct access to the internal of EVP_MD_CTX - OpenSSL: don't use direct access to the internal of EVP_CIPHER_CTX - OpenSSL: don't use direct access to the internal of HMAC_CTX - Fix NCP behaviour on TLS reconnect. - Remove erroneous limitation on max number of args for --plugin - Fix edge case with clients failing to set up cipher on empty PUSH_REPLY. - Fix potential 1-byte overread in TCP option parsing. - Fix remotely-triggerable ASSERT() on malformed IPv6 packet. - Preparing for release v2.4.3 (ChangeLog, version.m4, Changes.rst) - refactor my_strupr - Fix 2 memory leaks in proxy authentication routine - Fix memory leak in add_option() for option 'connection' - Ensure option array p[] is always NULL-terminated - Fix a null-pointer dereference in establish_http_proxy_passthru() - Prevent two kinds of stack buffer OOB reads and a crash for invalid input data - Fix an unaligned access on OpenBSD/sparc64 - Missing include for socket-flags TCP_NODELAY on OpenBSD - Make openvpn-plugin.h self-contained again. - Pass correct buffer size to GetModuleFileNameW() - Log the negotiated (NCP) cipher OBS-URL: https://build.opensuse.org/request/show/505857 OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=124
2017-06-23 12:34:54 +02:00
@@ -73,6 +73,9 @@ recv_line(socket_descriptor_t sd,
struct buffer la;
int lastc = 0;
+ if (sd >= FD_SETSIZE)
+ return false;
+
CLEAR(la);
if (lookahead)
{
Accepting request 860796 from home:dirkmueller:branches:network:vpn - update to 2.4.10: - OpenVPN client will now announce the acceptable ciphers to the server (IV_CIPHER=...), so NCP cipher negotiation works better - Parse static challenge response in auth-pam plugin - Accept empty password and/or response in auth-pam plugin - Log serial number of revoked certificate - Fix tls_ctx_client/server_new leaving error on OpenSSL error stack - Fix auth-token not being updated if auth-nocache is set (this should fix all remaining client-side bugs for the combination "auth-nocache in client-config" + "auth-token in use on the server") - Fix stack overflow in OpenSolaris and *BSD NEXTADDR() - Fix error detection / abort in --inetd corner case (#350) - Fix TUNSETGROUP compatibility with very old Linux systems (#1152) - Fix handling of 'route remote_host' for IPv6 transport case (#1247 and #1332) - Fix --show-gateway for IPv6 on NetBSD/i386 (#734) - A number of documentation improvements / clarification fixes. - Fix line number reporting on config file errors after <inline> segments - Fix fatal error at switching remotes (#629) - socks.c: fix alen for DOMAIN type addresses, bump up buffer sizes (#848) - Switch "ks->authenticated" assertion failure to returning false (#1270) - refresh 0001-preform-deferred-authentication-in-the-background.patch openvpn-2.3.x-fixed-multiple-low-severity-issues.patch against 2.4.10 OBS-URL: https://build.opensuse.org/request/show/860796 OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=156
2021-01-08 09:45:09 +01:00
@@ -321,11 +324,11 @@ get_proxy_authenticate(socket_descriptor
struct gc_arena *gc,
volatile int *signal_received)
{
- char buf[256];
+ char buf[256] = {0};
int ret = HTTP_AUTH_NONE;
while (true)
{
- if (!recv_line(sd, buf, sizeof(buf), timeout, true, NULL, signal_received))
+ if (!recv_line(sd, buf, sizeof(buf) - 1, timeout, true, NULL, signal_received))
{
Accepting request 505857 from home:ndas:branches:network:vpn - Update to 2.4.3 (bsc#1045489) - Ignore auth-nocache for auth-user-pass if auth-token is pushed - crypto: Enable SHA256 fingerprint checking in --verify-hash - copyright: Update GPLv2 license texts - auth-token with auth-nocache fix broke --disable-crypto builds - OpenSSL: don't use direct access to the internal of X509 - OpenSSL: don't use direct access to the internal of EVP_PKEY - OpenSSL: don't use direct access to the internal of RSA - OpenSSL: don't use direct access to the internal of DSA - OpenSSL: force meth->name as non-const when we free() it - OpenSSL: don't use direct access to the internal of EVP_MD_CTX - OpenSSL: don't use direct access to the internal of EVP_CIPHER_CTX - OpenSSL: don't use direct access to the internal of HMAC_CTX - Fix NCP behaviour on TLS reconnect. - Remove erroneous limitation on max number of args for --plugin - Fix edge case with clients failing to set up cipher on empty PUSH_REPLY. - Fix potential 1-byte overread in TCP option parsing. - Fix remotely-triggerable ASSERT() on malformed IPv6 packet. - Preparing for release v2.4.3 (ChangeLog, version.m4, Changes.rst) - refactor my_strupr - Fix 2 memory leaks in proxy authentication routine - Fix memory leak in add_option() for option 'connection' - Ensure option array p[] is always NULL-terminated - Fix a null-pointer dereference in establish_http_proxy_passthru() - Prevent two kinds of stack buffer OOB reads and a crash for invalid input data - Fix an unaligned access on OpenBSD/sparc64 - Missing include for socket-flags TCP_NODELAY on OpenBSD - Make openvpn-plugin.h self-contained again. - Pass correct buffer size to GetModuleFileNameW() - Log the negotiated (NCP) cipher OBS-URL: https://build.opensuse.org/request/show/505857 OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=124
2017-06-23 12:34:54 +02:00
free(*data);
*data = NULL;
Accepting request 860796 from home:dirkmueller:branches:network:vpn - update to 2.4.10: - OpenVPN client will now announce the acceptable ciphers to the server (IV_CIPHER=...), so NCP cipher negotiation works better - Parse static challenge response in auth-pam plugin - Accept empty password and/or response in auth-pam plugin - Log serial number of revoked certificate - Fix tls_ctx_client/server_new leaving error on OpenSSL error stack - Fix auth-token not being updated if auth-nocache is set (this should fix all remaining client-side bugs for the combination "auth-nocache in client-config" + "auth-token in use on the server") - Fix stack overflow in OpenSolaris and *BSD NEXTADDR() - Fix error detection / abort in --inetd corner case (#350) - Fix TUNSETGROUP compatibility with very old Linux systems (#1152) - Fix handling of 'route remote_host' for IPv6 transport case (#1247 and #1332) - Fix --show-gateway for IPv6 on NetBSD/i386 (#734) - A number of documentation improvements / clarification fixes. - Fix line number reporting on config file errors after <inline> segments - Fix fatal error at switching remotes (#629) - socks.c: fix alen for DOMAIN type addresses, bump up buffer sizes (#848) - Switch "ks->authenticated" assertion failure to returning false (#1270) - refresh 0001-preform-deferred-authentication-in-the-background.patch openvpn-2.3.x-fixed-multiple-low-severity-issues.patch against 2.4.10 OBS-URL: https://build.opensuse.org/request/show/860796 OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=156
2021-01-08 09:45:09 +01:00
@@ -641,9 +644,9 @@ establish_http_proxy_passthru(struct htt
volatile int *signal_received)
{
struct gc_arena gc = gc_new();
- char buf[512];
- char buf2[129];
- char get[80];
+ char buf[512] = {0};
+ char buf2[129] = {0};
+ char get[80] = {0};
int status;
int nparms;
bool ret = false;
Accepting request 860796 from home:dirkmueller:branches:network:vpn - update to 2.4.10: - OpenVPN client will now announce the acceptable ciphers to the server (IV_CIPHER=...), so NCP cipher negotiation works better - Parse static challenge response in auth-pam plugin - Accept empty password and/or response in auth-pam plugin - Log serial number of revoked certificate - Fix tls_ctx_client/server_new leaving error on OpenSSL error stack - Fix auth-token not being updated if auth-nocache is set (this should fix all remaining client-side bugs for the combination "auth-nocache in client-config" + "auth-token in use on the server") - Fix stack overflow in OpenSolaris and *BSD NEXTADDR() - Fix error detection / abort in --inetd corner case (#350) - Fix TUNSETGROUP compatibility with very old Linux systems (#1152) - Fix handling of 'route remote_host' for IPv6 transport case (#1247 and #1332) - Fix --show-gateway for IPv6 on NetBSD/i386 (#734) - A number of documentation improvements / clarification fixes. - Fix line number reporting on config file errors after <inline> segments - Fix fatal error at switching remotes (#629) - socks.c: fix alen for DOMAIN type addresses, bump up buffer sizes (#848) - Switch "ks->authenticated" assertion failure to returning false (#1270) - refresh 0001-preform-deferred-authentication-in-the-background.patch openvpn-2.3.x-fixed-multiple-low-severity-issues.patch against 2.4.10 OBS-URL: https://build.opensuse.org/request/show/860796 OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=156
2021-01-08 09:45:09 +01:00
@@ -733,7 +736,8 @@ establish_http_proxy_passthru(struct htt
}
/* receive reply from proxy */
- if (!recv_line(sd, buf, sizeof(buf), get_server_poll_remaining_time(server_poll_timeout), true, NULL, signal_received))
+ memset(buf, 0, sizeof(buf));
+ if (!recv_line(sd, buf, sizeof(buf) - 1, get_server_poll_remaining_time(server_poll_timeout), true, NULL, signal_received))
{
goto error;
}
Accepting request 860796 from home:dirkmueller:branches:network:vpn - update to 2.4.10: - OpenVPN client will now announce the acceptable ciphers to the server (IV_CIPHER=...), so NCP cipher negotiation works better - Parse static challenge response in auth-pam plugin - Accept empty password and/or response in auth-pam plugin - Log serial number of revoked certificate - Fix tls_ctx_client/server_new leaving error on OpenSSL error stack - Fix auth-token not being updated if auth-nocache is set (this should fix all remaining client-side bugs for the combination "auth-nocache in client-config" + "auth-token in use on the server") - Fix stack overflow in OpenSolaris and *BSD NEXTADDR() - Fix error detection / abort in --inetd corner case (#350) - Fix TUNSETGROUP compatibility with very old Linux systems (#1152) - Fix handling of 'route remote_host' for IPv6 transport case (#1247 and #1332) - Fix --show-gateway for IPv6 on NetBSD/i386 (#734) - A number of documentation improvements / clarification fixes. - Fix line number reporting on config file errors after <inline> segments - Fix fatal error at switching remotes (#629) - socks.c: fix alen for DOMAIN type addresses, bump up buffer sizes (#848) - Switch "ks->authenticated" assertion failure to returning false (#1270) - refresh 0001-preform-deferred-authentication-in-the-background.patch openvpn-2.3.x-fixed-multiple-low-severity-issues.patch against 2.4.10 OBS-URL: https://build.opensuse.org/request/show/860796 OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=156
2021-01-08 09:45:09 +01:00
@@ -764,7 +768,8 @@ establish_http_proxy_passthru(struct htt
while (true)
{
- if (!recv_line(sd, buf, sizeof(buf), get_server_poll_remaining_time(server_poll_timeout), true, NULL, signal_received))
+ memset(buf, 0, sizeof(buf));
+ if (!recv_line(sd, buf, sizeof(buf) - 1, get_server_poll_remaining_time(server_poll_timeout), true, NULL, signal_received))
{
goto error;
}
Accepting request 860796 from home:dirkmueller:branches:network:vpn - update to 2.4.10: - OpenVPN client will now announce the acceptable ciphers to the server (IV_CIPHER=...), so NCP cipher negotiation works better - Parse static challenge response in auth-pam plugin - Accept empty password and/or response in auth-pam plugin - Log serial number of revoked certificate - Fix tls_ctx_client/server_new leaving error on OpenSSL error stack - Fix auth-token not being updated if auth-nocache is set (this should fix all remaining client-side bugs for the combination "auth-nocache in client-config" + "auth-token in use on the server") - Fix stack overflow in OpenSolaris and *BSD NEXTADDR() - Fix error detection / abort in --inetd corner case (#350) - Fix TUNSETGROUP compatibility with very old Linux systems (#1152) - Fix handling of 'route remote_host' for IPv6 transport case (#1247 and #1332) - Fix --show-gateway for IPv6 on NetBSD/i386 (#734) - A number of documentation improvements / clarification fixes. - Fix line number reporting on config file errors after <inline> segments - Fix fatal error at switching remotes (#629) - socks.c: fix alen for DOMAIN type addresses, bump up buffer sizes (#848) - Switch "ks->authenticated" assertion failure to returning false (#1270) - refresh 0001-preform-deferred-authentication-in-the-background.patch openvpn-2.3.x-fixed-multiple-low-severity-issues.patch against 2.4.10 OBS-URL: https://build.opensuse.org/request/show/860796 OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=156
2021-01-08 09:45:09 +01:00
@@ -844,7 +849,8 @@ establish_http_proxy_passthru(struct htt
}
/* receive reply from proxy */
- if (!recv_line(sd, buf, sizeof(buf), get_server_poll_remaining_time(server_poll_timeout), true, NULL, signal_received))
+ memset(buf, 0, sizeof(buf));
+ if (!recv_line(sd, buf, sizeof(buf) - 1, get_server_poll_remaining_time(server_poll_timeout), true, NULL, signal_received))
{
goto error;
}
Accepting request 860796 from home:dirkmueller:branches:network:vpn - update to 2.4.10: - OpenVPN client will now announce the acceptable ciphers to the server (IV_CIPHER=...), so NCP cipher negotiation works better - Parse static challenge response in auth-pam plugin - Accept empty password and/or response in auth-pam plugin - Log serial number of revoked certificate - Fix tls_ctx_client/server_new leaving error on OpenSSL error stack - Fix auth-token not being updated if auth-nocache is set (this should fix all remaining client-side bugs for the combination "auth-nocache in client-config" + "auth-token in use on the server") - Fix stack overflow in OpenSolaris and *BSD NEXTADDR() - Fix error detection / abort in --inetd corner case (#350) - Fix TUNSETGROUP compatibility with very old Linux systems (#1152) - Fix handling of 'route remote_host' for IPv6 transport case (#1247 and #1332) - Fix --show-gateway for IPv6 on NetBSD/i386 (#734) - A number of documentation improvements / clarification fixes. - Fix line number reporting on config file errors after <inline> segments - Fix fatal error at switching remotes (#629) - socks.c: fix alen for DOMAIN type addresses, bump up buffer sizes (#848) - Switch "ks->authenticated" assertion failure to returning false (#1270) - refresh 0001-preform-deferred-authentication-in-the-background.patch openvpn-2.3.x-fixed-multiple-low-severity-issues.patch against 2.4.10 OBS-URL: https://build.opensuse.org/request/show/860796 OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=156
2021-01-08 09:45:09 +01:00
@@ -969,7 +975,8 @@ establish_http_proxy_passthru(struct htt
}
/* receive reply from proxy */
- if (!recv_line(sd, buf, sizeof(buf), get_server_poll_remaining_time(server_poll_timeout), true, NULL, signal_received))
+ memset(buf, 0, sizeof(buf));
+ if (!recv_line(sd, buf, sizeof(buf) - 1, get_server_poll_remaining_time(server_poll_timeout), true, NULL, signal_received))
{
goto error;
}
Accepting request 860796 from home:dirkmueller:branches:network:vpn - update to 2.4.10: - OpenVPN client will now announce the acceptable ciphers to the server (IV_CIPHER=...), so NCP cipher negotiation works better - Parse static challenge response in auth-pam plugin - Accept empty password and/or response in auth-pam plugin - Log serial number of revoked certificate - Fix tls_ctx_client/server_new leaving error on OpenSSL error stack - Fix auth-token not being updated if auth-nocache is set (this should fix all remaining client-side bugs for the combination "auth-nocache in client-config" + "auth-token in use on the server") - Fix stack overflow in OpenSolaris and *BSD NEXTADDR() - Fix error detection / abort in --inetd corner case (#350) - Fix TUNSETGROUP compatibility with very old Linux systems (#1152) - Fix handling of 'route remote_host' for IPv6 transport case (#1247 and #1332) - Fix --show-gateway for IPv6 on NetBSD/i386 (#734) - A number of documentation improvements / clarification fixes. - Fix line number reporting on config file errors after <inline> segments - Fix fatal error at switching remotes (#629) - socks.c: fix alen for DOMAIN type addresses, bump up buffer sizes (#848) - Switch "ks->authenticated" assertion failure to returning false (#1270) - refresh 0001-preform-deferred-authentication-in-the-background.patch openvpn-2.3.x-fixed-multiple-low-severity-issues.patch against 2.4.10 OBS-URL: https://build.opensuse.org/request/show/860796 OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=156
2021-01-08 09:45:09 +01:00
Index: openvpn-2.4.10/src/openvpn/socket.c
===================================================================
--- openvpn-2.4.10.orig/src/openvpn/socket.c
+++ openvpn-2.4.10/src/openvpn/socket.c
@@ -1278,6 +1278,9 @@ socket_listen_accept(socket_descriptor_t
/* struct openvpn_sockaddr *remote = &act->dest; */
struct openvpn_sockaddr remote_verify = act->dest;
socket_descriptor_t new_sd = SOCKET_UNDEFINED;
+
+ if (sd >= FD_SETSIZE)
+ return -1;
CLEAR(*act);
socket_do_listen(sd, local, do_listen, true);
Accepting request 860796 from home:dirkmueller:branches:network:vpn - update to 2.4.10: - OpenVPN client will now announce the acceptable ciphers to the server (IV_CIPHER=...), so NCP cipher negotiation works better - Parse static challenge response in auth-pam plugin - Accept empty password and/or response in auth-pam plugin - Log serial number of revoked certificate - Fix tls_ctx_client/server_new leaving error on OpenSSL error stack - Fix auth-token not being updated if auth-nocache is set (this should fix all remaining client-side bugs for the combination "auth-nocache in client-config" + "auth-token in use on the server") - Fix stack overflow in OpenSolaris and *BSD NEXTADDR() - Fix error detection / abort in --inetd corner case (#350) - Fix TUNSETGROUP compatibility with very old Linux systems (#1152) - Fix handling of 'route remote_host' for IPv6 transport case (#1247 and #1332) - Fix --show-gateway for IPv6 on NetBSD/i386 (#734) - A number of documentation improvements / clarification fixes. - Fix line number reporting on config file errors after <inline> segments - Fix fatal error at switching remotes (#629) - socks.c: fix alen for DOMAIN type addresses, bump up buffer sizes (#848) - Switch "ks->authenticated" assertion failure to returning false (#1270) - refresh 0001-preform-deferred-authentication-in-the-background.patch openvpn-2.3.x-fixed-multiple-low-severity-issues.patch against 2.4.10 OBS-URL: https://build.opensuse.org/request/show/860796 OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=156
2021-01-08 09:45:09 +01:00
@@ -1428,6 +1431,9 @@ openvpn_connect(socket_descriptor_t sd,
{
int status = 0;
+ if (sd >= FD_SETSIZE)
+ return -1;
+
#ifdef TARGET_ANDROID
protect_fd_nonlocal(sd, remote);
#endif
Accepting request 860796 from home:dirkmueller:branches:network:vpn - update to 2.4.10: - OpenVPN client will now announce the acceptable ciphers to the server (IV_CIPHER=...), so NCP cipher negotiation works better - Parse static challenge response in auth-pam plugin - Accept empty password and/or response in auth-pam plugin - Log serial number of revoked certificate - Fix tls_ctx_client/server_new leaving error on OpenSSL error stack - Fix auth-token not being updated if auth-nocache is set (this should fix all remaining client-side bugs for the combination "auth-nocache in client-config" + "auth-token in use on the server") - Fix stack overflow in OpenSolaris and *BSD NEXTADDR() - Fix error detection / abort in --inetd corner case (#350) - Fix TUNSETGROUP compatibility with very old Linux systems (#1152) - Fix handling of 'route remote_host' for IPv6 transport case (#1247 and #1332) - Fix --show-gateway for IPv6 on NetBSD/i386 (#734) - A number of documentation improvements / clarification fixes. - Fix line number reporting on config file errors after <inline> segments - Fix fatal error at switching remotes (#629) - socks.c: fix alen for DOMAIN type addresses, bump up buffer sizes (#848) - Switch "ks->authenticated" assertion failure to returning false (#1270) - refresh 0001-preform-deferred-authentication-in-the-background.patch openvpn-2.3.x-fixed-multiple-low-severity-issues.patch against 2.4.10 OBS-URL: https://build.opensuse.org/request/show/860796 OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=156
2021-01-08 09:45:09 +01:00
Index: openvpn-2.4.10/src/openvpn/socks.c
===================================================================
--- openvpn-2.4.10.orig/src/openvpn/socks.c
+++ openvpn-2.4.10/src/openvpn/socks.c
@@ -98,13 +98,16 @@ socks_username_password_auth(struct sock
socket_descriptor_t sd,
volatile int *signal_received)
{
- char to_send[516];
- char buf[2];
+ char to_send[516] = {0};
+ char buf[2] = {0};
int len = 0;
const int timeout_sec = 5;
struct user_pass creds;
ssize_t size;
+ if (sd >= FD_SETSIZE)
+ return false;
+
creds.defined = 0;
if (!get_user_pass(&creds, p->authfile, UP_TYPE_SOCKS, GET_USER_PASS_MANAGEMENT))
{
Accepting request 860796 from home:dirkmueller:branches:network:vpn - update to 2.4.10: - OpenVPN client will now announce the acceptable ciphers to the server (IV_CIPHER=...), so NCP cipher negotiation works better - Parse static challenge response in auth-pam plugin - Accept empty password and/or response in auth-pam plugin - Log serial number of revoked certificate - Fix tls_ctx_client/server_new leaving error on OpenSSL error stack - Fix auth-token not being updated if auth-nocache is set (this should fix all remaining client-side bugs for the combination "auth-nocache in client-config" + "auth-token in use on the server") - Fix stack overflow in OpenSolaris and *BSD NEXTADDR() - Fix error detection / abort in --inetd corner case (#350) - Fix TUNSETGROUP compatibility with very old Linux systems (#1152) - Fix handling of 'route remote_host' for IPv6 transport case (#1247 and #1332) - Fix --show-gateway for IPv6 on NetBSD/i386 (#734) - A number of documentation improvements / clarification fixes. - Fix line number reporting on config file errors after <inline> segments - Fix fatal error at switching remotes (#629) - socks.c: fix alen for DOMAIN type addresses, bump up buffer sizes (#848) - Switch "ks->authenticated" assertion failure to returning false (#1270) - refresh 0001-preform-deferred-authentication-in-the-background.patch openvpn-2.3.x-fixed-multiple-low-severity-issues.patch against 2.4.10 OBS-URL: https://build.opensuse.org/request/show/860796 OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=156
2021-01-08 09:45:09 +01:00
@@ -193,7 +196,7 @@ socks_handshake(struct socks_proxy_info
socket_descriptor_t sd,
volatile int *signal_received)
{
- char buf[2];
+ char buf[2] = {0};
int len = 0;
const int timeout_sec = 5;
ssize_t size;
Accepting request 860796 from home:dirkmueller:branches:network:vpn - update to 2.4.10: - OpenVPN client will now announce the acceptable ciphers to the server (IV_CIPHER=...), so NCP cipher negotiation works better - Parse static challenge response in auth-pam plugin - Accept empty password and/or response in auth-pam plugin - Log serial number of revoked certificate - Fix tls_ctx_client/server_new leaving error on OpenSSL error stack - Fix auth-token not being updated if auth-nocache is set (this should fix all remaining client-side bugs for the combination "auth-nocache in client-config" + "auth-token in use on the server") - Fix stack overflow in OpenSolaris and *BSD NEXTADDR() - Fix error detection / abort in --inetd corner case (#350) - Fix TUNSETGROUP compatibility with very old Linux systems (#1152) - Fix handling of 'route remote_host' for IPv6 transport case (#1247 and #1332) - Fix --show-gateway for IPv6 on NetBSD/i386 (#734) - A number of documentation improvements / clarification fixes. - Fix line number reporting on config file errors after <inline> segments - Fix fatal error at switching remotes (#629) - socks.c: fix alen for DOMAIN type addresses, bump up buffer sizes (#848) - Switch "ks->authenticated" assertion failure to returning false (#1270) - refresh 0001-preform-deferred-authentication-in-the-background.patch openvpn-2.3.x-fixed-multiple-low-severity-issues.patch against 2.4.10 OBS-URL: https://build.opensuse.org/request/show/860796 OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=156
2021-01-08 09:45:09 +01:00
@@ -205,6 +208,9 @@ socks_handshake(struct socks_proxy_info
method_sel[2] = 0x02; /* METHODS = [2 (plain login)] */
}
+ if (sd >= FD_SETSIZE)
+ return false;
+
size = send(sd, method_sel, sizeof(method_sel), MSG_NOSIGNAL);
if (size != sizeof(method_sel))
{
Accepting request 505857 from home:ndas:branches:network:vpn - Update to 2.4.3 (bsc#1045489) - Ignore auth-nocache for auth-user-pass if auth-token is pushed - crypto: Enable SHA256 fingerprint checking in --verify-hash - copyright: Update GPLv2 license texts - auth-token with auth-nocache fix broke --disable-crypto builds - OpenSSL: don't use direct access to the internal of X509 - OpenSSL: don't use direct access to the internal of EVP_PKEY - OpenSSL: don't use direct access to the internal of RSA - OpenSSL: don't use direct access to the internal of DSA - OpenSSL: force meth->name as non-const when we free() it - OpenSSL: don't use direct access to the internal of EVP_MD_CTX - OpenSSL: don't use direct access to the internal of EVP_CIPHER_CTX - OpenSSL: don't use direct access to the internal of HMAC_CTX - Fix NCP behaviour on TLS reconnect. - Remove erroneous limitation on max number of args for --plugin - Fix edge case with clients failing to set up cipher on empty PUSH_REPLY. - Fix potential 1-byte overread in TCP option parsing. - Fix remotely-triggerable ASSERT() on malformed IPv6 packet. - Preparing for release v2.4.3 (ChangeLog, version.m4, Changes.rst) - refactor my_strupr - Fix 2 memory leaks in proxy authentication routine - Fix memory leak in add_option() for option 'connection' - Ensure option array p[] is always NULL-terminated - Fix a null-pointer dereference in establish_http_proxy_passthru() - Prevent two kinds of stack buffer OOB reads and a crash for invalid input data - Fix an unaligned access on OpenBSD/sparc64 - Missing include for socket-flags TCP_NODELAY on OpenBSD - Make openvpn-plugin.h self-contained again. - Pass correct buffer size to GetModuleFileNameW() - Log the negotiated (NCP) cipher OBS-URL: https://build.opensuse.org/request/show/505857 OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=124
2017-06-23 12:34:54 +02:00
@@ -312,9 +318,12 @@ recv_socks_reply(socket_descriptor_t sd,
char atyp = '\0';
int alen = 0;
int len = 0;
Accepting request 860796 from home:dirkmueller:branches:network:vpn - update to 2.4.10: - OpenVPN client will now announce the acceptable ciphers to the server (IV_CIPHER=...), so NCP cipher negotiation works better - Parse static challenge response in auth-pam plugin - Accept empty password and/or response in auth-pam plugin - Log serial number of revoked certificate - Fix tls_ctx_client/server_new leaving error on OpenSSL error stack - Fix auth-token not being updated if auth-nocache is set (this should fix all remaining client-side bugs for the combination "auth-nocache in client-config" + "auth-token in use on the server") - Fix stack overflow in OpenSolaris and *BSD NEXTADDR() - Fix error detection / abort in --inetd corner case (#350) - Fix TUNSETGROUP compatibility with very old Linux systems (#1152) - Fix handling of 'route remote_host' for IPv6 transport case (#1247 and #1332) - Fix --show-gateway for IPv6 on NetBSD/i386 (#734) - A number of documentation improvements / clarification fixes. - Fix line number reporting on config file errors after <inline> segments - Fix fatal error at switching remotes (#629) - socks.c: fix alen for DOMAIN type addresses, bump up buffer sizes (#848) - Switch "ks->authenticated" assertion failure to returning false (#1270) - refresh 0001-preform-deferred-authentication-in-the-background.patch openvpn-2.3.x-fixed-multiple-low-severity-issues.patch against 2.4.10 OBS-URL: https://build.opensuse.org/request/show/860796 OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=156
2021-01-08 09:45:09 +01:00
- char buf[270]; /* 4 + alen(max 256) + 2 */
+ char buf[270] = {0}; /* 4 + alen(max 256) + 2 */
const int timeout_sec = 5;
Accepting request 860796 from home:dirkmueller:branches:network:vpn - update to 2.4.10: - OpenVPN client will now announce the acceptable ciphers to the server (IV_CIPHER=...), so NCP cipher negotiation works better - Parse static challenge response in auth-pam plugin - Accept empty password and/or response in auth-pam plugin - Log serial number of revoked certificate - Fix tls_ctx_client/server_new leaving error on OpenSSL error stack - Fix auth-token not being updated if auth-nocache is set (this should fix all remaining client-side bugs for the combination "auth-nocache in client-config" + "auth-token in use on the server") - Fix stack overflow in OpenSolaris and *BSD NEXTADDR() - Fix error detection / abort in --inetd corner case (#350) - Fix TUNSETGROUP compatibility with very old Linux systems (#1152) - Fix handling of 'route remote_host' for IPv6 transport case (#1247 and #1332) - Fix --show-gateway for IPv6 on NetBSD/i386 (#734) - A number of documentation improvements / clarification fixes. - Fix line number reporting on config file errors after <inline> segments - Fix fatal error at switching remotes (#629) - socks.c: fix alen for DOMAIN type addresses, bump up buffer sizes (#848) - Switch "ks->authenticated" assertion failure to returning false (#1270) - refresh 0001-preform-deferred-authentication-in-the-background.patch openvpn-2.3.x-fixed-multiple-low-severity-issues.patch against 2.4.10 OBS-URL: https://build.opensuse.org/request/show/860796 OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=156
2021-01-08 09:45:09 +01:00
+ if (sd >= FD_SETSIZE)
+ return false;
+
if (addr != NULL)
{
addr->addr.in4.sin_family = AF_INET;
Accepting request 860796 from home:dirkmueller:branches:network:vpn - update to 2.4.10: - OpenVPN client will now announce the acceptable ciphers to the server (IV_CIPHER=...), so NCP cipher negotiation works better - Parse static challenge response in auth-pam plugin - Accept empty password and/or response in auth-pam plugin - Log serial number of revoked certificate - Fix tls_ctx_client/server_new leaving error on OpenSSL error stack - Fix auth-token not being updated if auth-nocache is set (this should fix all remaining client-side bugs for the combination "auth-nocache in client-config" + "auth-token in use on the server") - Fix stack overflow in OpenSolaris and *BSD NEXTADDR() - Fix error detection / abort in --inetd corner case (#350) - Fix TUNSETGROUP compatibility with very old Linux systems (#1152) - Fix handling of 'route remote_host' for IPv6 transport case (#1247 and #1332) - Fix --show-gateway for IPv6 on NetBSD/i386 (#734) - A number of documentation improvements / clarification fixes. - Fix line number reporting on config file errors after <inline> segments - Fix fatal error at switching remotes (#629) - socks.c: fix alen for DOMAIN type addresses, bump up buffer sizes (#848) - Switch "ks->authenticated" assertion failure to returning false (#1270) - refresh 0001-preform-deferred-authentication-in-the-background.patch openvpn-2.3.x-fixed-multiple-low-severity-issues.patch against 2.4.10 OBS-URL: https://build.opensuse.org/request/show/860796 OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=156
2021-01-08 09:45:09 +01:00
@@ -398,7 +407,7 @@ recv_socks_reply(socket_descriptor_t sd,
}
/* store char in buffer */
- if (len < (int)sizeof(buf))
+ if (len < (int)sizeof(buf) && len >= 0)
{
buf[len] = c;
}
Accepting request 860796 from home:dirkmueller:branches:network:vpn - update to 2.4.10: - OpenVPN client will now announce the acceptable ciphers to the server (IV_CIPHER=...), so NCP cipher negotiation works better - Parse static challenge response in auth-pam plugin - Accept empty password and/or response in auth-pam plugin - Log serial number of revoked certificate - Fix tls_ctx_client/server_new leaving error on OpenSSL error stack - Fix auth-token not being updated if auth-nocache is set (this should fix all remaining client-side bugs for the combination "auth-nocache in client-config" + "auth-token in use on the server") - Fix stack overflow in OpenSolaris and *BSD NEXTADDR() - Fix error detection / abort in --inetd corner case (#350) - Fix TUNSETGROUP compatibility with very old Linux systems (#1152) - Fix handling of 'route remote_host' for IPv6 transport case (#1247 and #1332) - Fix --show-gateway for IPv6 on NetBSD/i386 (#734) - A number of documentation improvements / clarification fixes. - Fix line number reporting on config file errors after <inline> segments - Fix fatal error at switching remotes (#629) - socks.c: fix alen for DOMAIN type addresses, bump up buffer sizes (#848) - Switch "ks->authenticated" assertion failure to returning false (#1270) - refresh 0001-preform-deferred-authentication-in-the-background.patch openvpn-2.3.x-fixed-multiple-low-severity-issues.patch against 2.4.10 OBS-URL: https://build.opensuse.org/request/show/860796 OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=156
2021-01-08 09:45:09 +01:00
@@ -454,7 +463,7 @@ establish_socks_proxy_passthru(struct so
const char *servname, /* openvpn server port */
volatile int *signal_received)
{
Accepting request 860796 from home:dirkmueller:branches:network:vpn - update to 2.4.10: - OpenVPN client will now announce the acceptable ciphers to the server (IV_CIPHER=...), so NCP cipher negotiation works better - Parse static challenge response in auth-pam plugin - Accept empty password and/or response in auth-pam plugin - Log serial number of revoked certificate - Fix tls_ctx_client/server_new leaving error on OpenSSL error stack - Fix auth-token not being updated if auth-nocache is set (this should fix all remaining client-side bugs for the combination "auth-nocache in client-config" + "auth-token in use on the server") - Fix stack overflow in OpenSolaris and *BSD NEXTADDR() - Fix error detection / abort in --inetd corner case (#350) - Fix TUNSETGROUP compatibility with very old Linux systems (#1152) - Fix handling of 'route remote_host' for IPv6 transport case (#1247 and #1332) - Fix --show-gateway for IPv6 on NetBSD/i386 (#734) - A number of documentation improvements / clarification fixes. - Fix line number reporting on config file errors after <inline> segments - Fix fatal error at switching remotes (#629) - socks.c: fix alen for DOMAIN type addresses, bump up buffer sizes (#848) - Switch "ks->authenticated" assertion failure to returning false (#1270) - refresh 0001-preform-deferred-authentication-in-the-background.patch openvpn-2.3.x-fixed-multiple-low-severity-issues.patch against 2.4.10 OBS-URL: https://build.opensuse.org/request/show/860796 OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=156
2021-01-08 09:45:09 +01:00
- char buf[270];
+ char buf[270] = {0};
size_t len;
if (!socks_handshake(p, sd, signal_received))