Accepting request 1218829 from network:vpn

OBS-URL: https://build.opensuse.org/request/show/1218829 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openvpn?expand=0&rev=116
2024-10-29 13:32:19 +00:00 · 2024-10-29 13:32:19 +00:00 · 690bf31ff3
commit 690bf31ff3
parent b6032a10ff c1302e0b01
3 changed files with 111 additions and 1 deletions
--- a/openvpn-CVE-2024-28882.patch
+++ b/openvpn-CVE-2024-28882.patch
@ -0,0 +1,87 @@
+diff -Naurp src.orig/openvpn/forward.c src/openvpn/forward.c
+--- src.orig/openvpn/forward.c	2024-10-17 14:19:53.719827337 +0200
+++ src/openvpn/forward.c	2024-10-18 08:52:38.695704757 +0200
+@@ -514,17 +514,24 @@ check_server_poll_timeout(struct context
+ }
+ 
+ /*
+- * Schedule a signal n_seconds from now.
+ * Schedule a SIGTERM signal c->options.scheduled_exit_interval seconds from now.
+  */
+-void
+-schedule_exit(struct context *c, const int n_seconds, const int signal)
+bool
+schedule_exit(struct context *c)
+ {
+    const int n_seconds = c->options.scheduled_exit_interval;
+    /* don't reschedule if already scheduled. */
+    if (event_timeout_defined(&c->c2.scheduled_exit))
+    {
+        return false;
+    }
+     tls_set_single_session(c->c2.tls_multi);
+     update_time();
+     reset_coarse_timers(c);
+     event_timeout_init(&c->c2.scheduled_exit, n_seconds, now);
+-    c->c2.scheduled_exit_signal = signal;
+    c->c2.scheduled_exit_signal = SIGTERM;
+     msg(D_SCHED_EXIT, "Delayed exit in %d seconds", n_seconds);
+    return true;
+ }
+ 
+ /*
+diff -Naurp src.orig/openvpn/forward.h src/openvpn/forward.h
+--- src.orig/openvpn/forward.h	2024-10-17 14:19:53.719827337 +0200
+++ src/openvpn/forward.h	2024-10-18 08:53:26.223161629 +0200
+@@ -302,7 +302,7 @@ void reschedule_multi_process(struct con
+ 
+ void process_ip_header(struct context *c, unsigned int flags, struct buffer *buf);
+ 
+-void schedule_exit(struct context *c, const int n_seconds, const int signal);
+bool schedule_exit(struct context *c);
+ 
+ static inline struct link_socket_info *
+ get_link_socket_info(struct context *c)
+diff -Naurp src.orig/openvpn/push.c src/openvpn/push.c
+--- src.orig/openvpn/push.c	2024-10-17 14:19:53.719827337 +0200
+++ src/openvpn/push.c	2024-10-18 09:18:53.861388522 +0200
+@@ -204,7 +204,11 @@ receive_exit_message(struct context *c)
+      * */
+     if (c->options.mode == MODE_SERVER)
+     {
+-        schedule_exit(c, c->options.scheduled_exit_interval, SIGTERM);
+       if(!schedule_exit(c))
+       {
+	  /* Return early when we don't need to notify management */
+            return;
+       }
+     }
+     else
+     {
+@@ -391,7 +395,7 @@ __attribute__ ((format(__printf__, 4, 5)
+ void
+ send_auth_failed(struct context *c, const char *client_reason)
+ {
+-    if (event_timeout_defined(&c->c2.scheduled_exit))
+    if (!schedule_exit(c))
+     {
+         msg(D_TLS_DEBUG, "exit already scheduled for context");
+         return;
+@@ -401,8 +405,6 @@ send_auth_failed(struct context *c, cons
+     static const char auth_failed[] = "AUTH_FAILED";
+     size_t len;
+ 
+-    schedule_exit(c, c->options.scheduled_exit_interval, SIGTERM);
+-
+     len = (client_reason ? strlen(client_reason)+1 : 0) + sizeof(auth_failed);
+     if (len > PUSH_BUNDLE_SIZE)
+     {
+@@ -492,7 +494,7 @@ send_auth_pending_messages(struct tls_mu
+ void
+ send_restart(struct context *c, const char *kill_msg)
+ {
+-    schedule_exit(c, c->options.scheduled_exit_interval, SIGTERM);
+    schedule_exit(c);
+     send_control_channel_string(c, kill_msg ? kill_msg : "RESTART", D_PUSH);
+ }
+ 
--- a/openvpn.changes
+++ b/openvpn.changes
@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Thu Oct 10 08:13:54 UTC 2024 - Rahul Jain <rahul.jain@suse.com>
+
+- Fix multiple exit notifications from authenticated clients will
+  extend the validity of a closing session (bsc#1227546 CVE-2024-28882)
+  Patchname:openvpn-CVE-2024-28882.patch
+
+-------------------------------------------------------------------
+Thu May 16 06:42:54 UTC 2024 - Bernhard Wiedemann <bwiedemann@suse.com>
+
+- Enable Data-Channel-Offloading (DCO) for better performance (jsc#PED-8305)
+  if libnl >= 3.4 is available
+
 -------------------------------------------------------------------
 Thu Mar 21 08:33:45 UTC 2024 - Mohd Saquib <mohd.saquib@suse.com>

--- a/openvpn.spec
+++ b/openvpn.spec
@ -37,6 +37,7 @@ Source9:        %{name}.target
 Source10:       %{name}-tmpfile.conf
 Source11:       rc%{name}
 Patch1:         %{name}-2.3-plugin-man.dif
+Patch2:		openvpn-CVE-2024-28882.patch
 BuildRequires:  iproute2
 BuildRequires:  libcap-ng-devel
 BuildRequires:  liblz4-devel
@ -49,10 +50,12 @@ BuildRequires:  pam-devel
 BuildRequires:  pkcs11-helper-devel >= 1.11
 BuildRequires:  pkgconfig
 BuildRequires:  xz
+BuildRequires:  pkgconfig(libnl-genl-3.0)
 BuildRequires:  pkgconfig(libsystemd)
 BuildRequires:  pkgconfig(systemd)
 Requires:       iproute2
 Requires:       pkcs11-helper >= 1.11
+Recommends:     ovpn-dco-kmp
 %systemd_ordering

 %description
@ -118,6 +121,7 @@ This package provides the header file to build external plugins.
 %prep
 %autosetup -p0
 
+
 sed -e "s|\" __DATE__|$(date '+%%b %%e %%Y' -r version.m4)\"|g" \
    -i src/openvpn/options.c
 sed -e "s|@PLUGIN_LIBDIR@|%{_libdir}/openvpn/plugins|g" \
@ -135,8 +139,14 @@ export LDFLAGS
 # usrmerge
 export IPROUTE="%{_sbindir}/ip"
 %endif
+libnlversion=$(rpm -q --qf "%%{version}" libnl3-devel)
+if [[ $libnlversion == 3.[0-3].* ]] ; then
+  confopt=--enable-iproute2
+else
+  confopt=--enable-dco
+fi
 %configure \
-	--enable-iproute2		\
+	$confopt			\
 	--enable-x509-alt-username	\
 	--enable-pkcs11			\
 	--enable-systemd		\