From c1302e0b012b0a2566ecc44b5b9659084a3e5fe32655d9987831fa2e4391f57d Mon Sep 17 00:00:00 2001 From: Rahul Jain Date: Mon, 28 Oct 2024 14:18:16 +0000 Subject: [PATCH] bugowner:rjain Patch applied for the submission by rjain OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=208
---
 openvpn-CVE-2024-28882.patch | 87 ++++++++++++++++++++++++++++++++++++
 openvpn.changes | 7 +++
 openvpn.spec | 2 +
 3 files changed, 96 insertions(+)
 create mode 100644 openvpn-CVE-2024-28882.patch
diff --git a/openvpn-CVE-2024-28882.patch b/openvpn-CVE-2024-28882.patch
new file mode 100644
index 0000000..547eb65
--- /dev/null
+++ b/openvpn-CVE-2024-28882.patch
@@ -0,0 +1,87 @@
+diff -Naurp src.orig/openvpn/forward.c src/openvpn/forward.c
+--- src.orig/openvpn/forward.c 2024-10-17 14:19:53.719827337 +0200
++++ src/openvpn/forward.c 2024-10-18 08:52:38.695704757 +0200
+@@ -514,17 +514,24 @@ check_server_poll_timeout(struct context
+ }
+ 
+ /*
+- * Schedule a signal n_seconds from now.
++ * Schedule a SIGTERM signal c->options.scheduled_exit_interval seconds from now.
+ */
+-void
+-schedule_exit(struct context *c, const int n_seconds, const int signal)
++bool
++schedule_exit(struct context *c)
+ {
++ const int n_seconds = c->options.scheduled_exit_interval;
++ /* don't reschedule if already scheduled. */
++ if (event_timeout_defined(&c->c2.scheduled_exit))
++ {
++ return false;
++ }
+ tls_set_single_session(c->c2.tls_multi);
+ update_time();
+ reset_coarse_timers(c);
+ event_timeout_init(&c->c2.scheduled_exit, n_seconds, now);
+- c->c2.scheduled_exit_signal = signal;
++ c->c2.scheduled_exit_signal = SIGTERM;
+ msg(D_SCHED_EXIT, "Delayed exit in %d seconds", n_seconds);
++ return true;
+ }
+ 
+ /*
+diff -Naurp src.orig/openvpn/forward.h src/openvpn/forward.h
+--- src.orig/openvpn/forward.h 2024-10-17 14:19:53.719827337 +0200
++++ src/openvpn/forward.h 2024-10-18 08:53:26.223161629 +0200
+@@ -302,7 +302,7 @@ void reschedule_multi_process(struct con
+ 
+ void process_ip_header(struct context *c, unsigned int flags, struct buffer *buf);
+ 
+-void schedule_exit(struct context *c, const int n_seconds, const int signal);
++bool schedule_exit(struct context *c);
+ 
+ static inline struct link_socket_info *
+ get_link_socket_info(struct context *c)
+diff -Naurp src.orig/openvpn/push.c src/openvpn/push.c
+--- src.orig/openvpn/push.c 2024-10-17 14:19:53.719827337 +0200
++++ src/openvpn/push.c 2024-10-18 09:18:53.861388522 +0200
+@@ -204,7 +204,11 @@ receive_exit_message(struct context *c)
+ * */
+ if (c->options.mode == MODE_SERVER)
+ {
+- schedule_exit(c, c->options.scheduled_exit_interval, SIGTERM);
++ if(!schedule_exit(c))
++ {
++ /* 
Return early when we don't need to notify management */
++ return;
++ }
+ }
+ else
+ {
+@@ -391,7 +395,7 @@ __attribute__ ((format(__printf__, 4, 5)
+ void
+ send_auth_failed(struct context *c, const char *client_reason)
+ {
+- if (event_timeout_defined(&c->c2.scheduled_exit))
++ if (!schedule_exit(c))
+ {
+ msg(D_TLS_DEBUG, "exit already scheduled for context");
+ return;
+@@ -401,8 +405,6 @@ send_auth_failed(struct context *c, cons
+ static const char auth_failed[] = "AUTH_FAILED";
+ size_t len;
+ 
+- schedule_exit(c, c->options.scheduled_exit_interval, SIGTERM);
+-
+ len = (client_reason ? strlen(client_reason)+1 : 0) + sizeof(auth_failed);
+ if (len > PUSH_BUNDLE_SIZE)
+ {
+@@ -492,7 +494,7 @@ send_auth_pending_messages(struct tls_mu
+ void
+ send_restart(struct context *c, const char *kill_msg)
+ {
+- schedule_exit(c, c->options.scheduled_exit_interval, SIGTERM);
++ schedule_exit(c);
+ send_control_channel_string(c, kill_msg ? kill_msg : "RESTART", D_PUSH);
+ }
+ 
diff --git a/openvpn.changes b/openvpn.changes
index 3f65c6f..1490952 100644
--- a/openvpn.changes
+++ b/openvpn.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Thu Oct 10 08:13:54 UTC 2024 - Rahul Jain
+
+- Fix multiple exit notifications from authenticated clients will
+ extend the validity of a closing session (bsc#1227546 CVE-2024-28882)
+ Patchname:openvpn-CVE-2024-28882.patch
+
 -------------------------------------------------------------------
 Thu May 16 06:42:54 UTC 2024 - Bernhard Wiedemann
 
diff --git a/openvpn.spec b/openvpn.spec
index 80e573c..18956d1 100644
--- a/openvpn.spec
+++ b/openvpn.spec
@@ -37,6 +37,7 @@ Source9: %{name}.target
 Source10: %{name}-tmpfile.conf
 Source11: rc%{name}
 Patch1: %{name}-2.3-plugin-man.dif
+Patch2: openvpn-CVE-2024-28882.patch
 BuildRequires: iproute2
 BuildRequires: libcap-ng-devel
 BuildRequires: liblz4-devel
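Review bot: The new `bool` result of `schedule_exit` in forward.c is not documented anywhere, and `send_restart` in push.c discards it, so a reader cannot tell whether pushing RESTART while an exit is already pending is the intended behaviour or an oversight. I would extend the header comment to `* Returns false, leaving the existing timer untouched, if an exit is already scheduled for this context; true otherwise.`, mirror it on the forward.h prototype, and in `send_restart` either test the result like `send_auth_failed` does or add `/* a pending exit still gets the RESTART notice */` above the call if that is deliberate. In `receive_exit_message`, `if(!schedule_exit(c))` should read `if (!schedule_exit(c))` to match the surrounding code and the `send_auth_failed` call in the same hunk. `receive_exit_message` and `send_auth_failed` continue outside these hunks, and the prototype change presumes `bool` is already in scope in forward.h, which the hunk does not show.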
@@ -119,6 +120,7 @@ This package provides the header file to build external plugins. %prep %autosetup -p0 + sed -e "s|\" __DATE__|$(date '+%%b %%e %%Y' -r version.m4)\"|g" \ -i src/openvpn/options.c