Accepting request 1240409 from network:vpn

bugowner:rjain openvpn-CVE-2024-5594 Patch applied for the submission by rjain (forwarded request 1239460 from rjain)

OBS-URL: https://build.opensuse.org/request/show/1240409
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openvpn?expand=0&rev=119

openvpn-CVE-2024-28882.patch

@@ -0,0 +1,87 @@
+diff -Naurp src.orig/openvpn/forward.c src/openvpn/forward.c
+--- src.orig/openvpn/forward.c	2024-10-17 14:19:53.719827337 +0200
++++ src/openvpn/forward.c	2024-10-18 08:52:38.695704757 +0200
+@@ -514,17 +514,24 @@ check_server_poll_timeout(struct context
+ }
+ 
+ /*
+- * Schedule a signal n_seconds from now.
++ * Schedule a SIGTERM signal c->options.scheduled_exit_interval seconds from now.
+  */
+-void
+-schedule_exit(struct context *c, const int n_seconds, const int signal)
++bool
++schedule_exit(struct context *c)
+ {
++    const int n_seconds = c->options.scheduled_exit_interval;
++    /* don't reschedule if already scheduled. */
++    if (event_timeout_defined(&c->c2.scheduled_exit))
++    {
++        return false;
++    }
+     tls_set_single_session(c->c2.tls_multi);
+     update_time();
+     reset_coarse_timers(c);
+     event_timeout_init(&c->c2.scheduled_exit, n_seconds, now);
+-    c->c2.scheduled_exit_signal = signal;
++    c->c2.scheduled_exit_signal = SIGTERM;
+     msg(D_SCHED_EXIT, "Delayed exit in %d seconds", n_seconds);
++    return true;
+ }
+ 
+ /*
+diff -Naurp src.orig/openvpn/forward.h src/openvpn/forward.h
+--- src.orig/openvpn/forward.h	2024-10-17 14:19:53.719827337 +0200
++++ src/openvpn/forward.h	2024-10-18 08:53:26.223161629 +0200
+@@ -302,7 +302,7 @@ void reschedule_multi_process(struct con
+ 
+ void process_ip_header(struct context *c, unsigned int flags, struct buffer *buf);
+ 
+-void schedule_exit(struct context *c, const int n_seconds, const int signal);
++bool schedule_exit(struct context *c);
+ 
+ static inline struct link_socket_info *
+ get_link_socket_info(struct context *c)
+diff -Naurp src.orig/openvpn/push.c src/openvpn/push.c
+--- src.orig/openvpn/push.c	2024-10-17 14:19:53.719827337 +0200
++++ src/openvpn/push.c	2024-10-18 09:18:53.861388522 +0200
+@@ -204,7 +204,11 @@ receive_exit_message(struct context *c)
+      * */
+     if (c->options.mode == MODE_SERVER)
+     {
+-        schedule_exit(c, c->options.scheduled_exit_interval, SIGTERM);
++       if(!schedule_exit(c))
++       {
++	  /* Return early when we don't need to notify management */
++            return;
++       }
+     }
+     else
+     {
+@@ -391,7 +395,7 @@ __attribute__ ((format(__printf__, 4, 5)
+ void
+ send_auth_failed(struct context *c, const char *client_reason)
+ {
+-    if (event_timeout_defined(&c->c2.scheduled_exit))
++    if (!schedule_exit(c))
+     {
+         msg(D_TLS_DEBUG, "exit already scheduled for context");
+         return;
+@@ -401,8 +405,6 @@ send_auth_failed(struct context *c, cons
+     static const char auth_failed[] = "AUTH_FAILED";
+     size_t len;
+ 
+-    schedule_exit(c, c->options.scheduled_exit_interval, SIGTERM);
+-
+     len = (client_reason ? strlen(client_reason)+1 : 0) + sizeof(auth_failed);
+     if (len > PUSH_BUNDLE_SIZE)
+     {
+@@ -492,7 +494,7 @@ send_auth_pending_messages(struct tls_mu
+ void
+ send_restart(struct context *c, const char *kill_msg)
+ {
+-    schedule_exit(c, c->options.scheduled_exit_interval, SIGTERM);
++    schedule_exit(c);
+     send_control_channel_string(c, kill_msg ? kill_msg : "RESTART", D_PUSH);
+ }
+ 

openvpn-CVE-2024-5594.patch

@@ -0,0 +1,214 @@
+--- src.orig/openvpn/buffer.c	2025-01-22 09:11:26.945102537 +0100
++++ src/openvpn/buffer.c	2025-01-22 09:15:18.992145494 +0100
+@@ -1113,6 +1113,21 @@
+     return ret;
+ }
+ 
++bool
++string_check_buf(struct buffer *buf, const unsigned int inclusive, const unsigned int exclusive)
++{
++    ASSERT(buf);
++    for (int i = 0; i < BLEN(buf); i++)
++    {
++        char c = BSTR(buf)[i];
++        if (!char_inc_exc(c, inclusive, exclusive))
++        {
++            return false;
++        }
++    }
++    return true;
++}
++
+ const char *
+ string_mod_const(const char *str,
+                  const unsigned int inclusive,
+--- src.orig/openvpn/buffer.h	2025-01-22 09:11:26.945102537 +0100
++++ src/openvpn/buffer.h	2025-01-22 09:16:50.090383898 +0100
+@@ -944,6 +944,17 @@
+ bool string_class(const char *str, const unsigned int inclusive, const unsigned int exclusive);
+ 
+ bool string_mod(char *str, const unsigned int inclusive, const unsigned int exclusive, const char replace);
++/**
++ * Check a buffer if it only consists of allowed characters.
++ *
++ * @param buf The buffer to be checked.
++ * @param inclusive The character classes that are allowed.
++ * @param exclusive Character classes that are not allowed even if they are also in inclusive.
++ * @return True if the string consists only of allowed characters, false otherwise.
++ */
++bool
++string_check_buf(struct buffer *buf, const unsigned int inclusive, const unsigned int exclusive);
++
+ 
+ const char *string_mod_const(const char *str,
+                              const unsigned int inclusive,
+--- src.orig/openvpn/forward.c	2025-01-22 09:11:26.948102576 +0100
++++ src/openvpn/forward.c	2025-01-22 09:27:02.718712050 +0100
+@@ -230,6 +230,52 @@
+     }
+ }
+ 
++static void
++parse_incoming_control_channel_command(struct context *c, struct buffer *buf)
++{
++    if (buf_string_match_head_str(buf, "AUTH_FAILED"))
++    {
++        receive_auth_failed(c, buf);
++    }
++    else if (buf_string_match_head_str(buf, "PUSH_"))
++    {
++        incoming_push_message(c, buf);
++    }
++    else if (buf_string_match_head_str(buf, "RESTART"))
++    {
++        server_pushed_signal(c, buf, true, 7);
++    }
++    else if (buf_string_match_head_str(buf, "HALT"))
++    {
++        server_pushed_signal(c, buf, false, 4);
++    }
++    else if (buf_string_match_head_str(buf, "INFO_PRE"))
++    {
++        server_pushed_info(c, buf, 8);
++    }
++    else if (buf_string_match_head_str(buf, "INFO"))
++    {
++        server_pushed_info(c, buf, 4);
++    }
++    else if (buf_string_match_head_str(buf, "CR_RESPONSE"))
++    {
++        receive_cr_response(c, buf);
++    }
++    else if (buf_string_match_head_str(buf, "AUTH_PENDING"))
++    {
++        receive_auth_pending(c, buf);
++    }
++    else if (buf_string_match_head_str(buf, "EXIT"))
++    {
++        receive_exit_message(c);
++    }
++    else
++    {
++        msg(D_PUSH_ERRORS, "WARNING: Received unknown control message: %s", BSTR(buf));
++    }
++}
++
++
+ /*
+  * Handle incoming configuration
+  * messages on the control channel.
+@@ -245,51 +291,37 @@
+     struct buffer buf = alloc_buf_gc(len, &gc);
+     if (tls_rec_payload(c->c2.tls_multi, &buf))
+     {
+-        /* force null termination of message */
+-        buf_null_terminate(&buf);
+-
+-        /* enforce character class restrictions */
+-        string_mod(BSTR(&buf), CC_PRINT, CC_CRLF, 0);
+-
+-        if (buf_string_match_head_str(&buf, "AUTH_FAILED"))
+-        {
+-            receive_auth_failed(c, &buf);
+-        }
+-        else if (buf_string_match_head_str(&buf, "PUSH_"))
+-        {
+-            incoming_push_message(c, &buf);
+-        }
+-        else if (buf_string_match_head_str(&buf, "RESTART"))
+-        {
+-            server_pushed_signal(c, &buf, true, 7);
+-        }
+-        else if (buf_string_match_head_str(&buf, "HALT"))
+-        {
+-            server_pushed_signal(c, &buf, false, 4);
+-        }
+-        else if (buf_string_match_head_str(&buf, "INFO_PRE"))
+-        {
+-            server_pushed_info(c, &buf, 8);
+-        }
+-        else if (buf_string_match_head_str(&buf, "INFO"))
+-        {
+-            server_pushed_info(c, &buf, 4);
+-        }
+-        else if (buf_string_match_head_str(&buf, "CR_RESPONSE"))
+-        {
+-            receive_cr_response(c, &buf);
+-        }
+-        else if (buf_string_match_head_str(&buf, "AUTH_PENDING"))
+-        {
+-            receive_auth_pending(c, &buf);
+-        }
+-        else if (buf_string_match_head_str(&buf, "EXIT"))
+-        {
+-            receive_exit_message(c);
+-        }
+-        else
++	while (BLEN(&buf) > 1)
+         {
+-            msg(D_PUSH_ERRORS, "WARNING: Received unknown control message: %s", BSTR(&buf));
++	     /* commands on the control channel are seperated by 0x00 bytes.
++             * cmdlen does not include the 0 byte of the string */
++            int cmdlen = (int)strnlen(BSTR(&buf), BLEN(&buf));
++            if (cmdlen < BLEN(&buf))
++            {
++                /* include the NUL byte and ensure NUL termination */
++                int cmdlen = (int)strlen(BSTR(&buf)) + 1;
++                /* Construct a buffer that only holds the current command and
++                 * its closing NUL byte */
++                struct buffer cmdbuf = alloc_buf_gc(cmdlen, &gc);
++                buf_write(&cmdbuf, BPTR(&buf), cmdlen);
++                /* check we have only printable characters or null byte in the
++                 * command string and no newlines */
++                if (!string_check_buf(&buf, CC_PRINT | CC_NULL, CC_CRLF))
++                {
++                    msg(D_PUSH_ERRORS, "WARNING: Received control with invalid characters: %s",
++                        format_hex(BPTR(&buf), BLEN(&buf), 256, &gc));
++                }
++                else
++                {
++                    parse_incoming_control_channel_command(c, &cmdbuf);
++                }
++            }
++            else
++            {
++                msg(D_PUSH_ERRORS, "WARNING: Ignoring control channel "
++                    "message command without NUL termination");
++            }
++            buf_advance(&buf, cmdlen);
+         }
+     }
+     else
+--- tests.orig/unit_tests/openvpn/test_buffer.c	2025-01-22 09:11:56.003473042 +0100
++++ tests/unit_tests/openvpn/test_buffer.c	2025-01-22 09:30:26.633484093 +0100
+@@ -259,6 +259,22 @@
+     gc_free(&gc);
+ }
+ 
++static void
++test_character_string_mod_buf(void **state)
++{
++    struct gc_arena gc = gc_new();
++    struct buffer buf = alloc_buf_gc(1024, &gc);
++    const char test1[] =  "There is a nice 1234\x00 year old tree!";
++    buf_write(&buf, test1, sizeof(test1));
++    /* allow the null bytes and string but not the ! */
++    assert_false(string_check_buf(&buf, CC_ALNUM | CC_SPACE | CC_NULL, 0));
++    /* remove final ! and null byte to pass */
++    buf_inc_len(&buf, -2);
++    assert_true(string_check_buf(&buf, CC_ALNUM | CC_SPACE | CC_NULL, 0));
++    /* Check excluding digits works */
++    assert_false(string_check_buf(&buf, CC_ALNUM | CC_SPACE | CC_NULL, CC_DIGIT));
++    gc_free(&gc);
++}
+ 
+ int
+ main(void)
+@@ -289,6 +305,7 @@
+         cmocka_unit_test(test_buffer_free_gc_one),
+         cmocka_unit_test(test_buffer_free_gc_two),
+         cmocka_unit_test(test_buffer_gc_realloc),
++	cmocka_unit_test(test_character_string_mod_buf)
+     };
+ 
+     return cmocka_run_group_tests_name("buffer", tests, NULL, NULL);

openvpn.changes

@@ -1,3 +1,34 @@
+-------------------------------------------------------------------
+Wed Jan 22 16:35:27 UTC 2025 - Dominique Leuenberger <dimstar@opensuse.org>
+
+- Drop rcFOO symlinks for CODE16 (PED-266).
+
+-------------------------------------------------------------------
+Wed Jan 22 08:55:44 UTC 2025 - Rahul Jain <rahul.jain@suse.com>
+
+- FIX:VUL-0 CVE-2024-5594: openvpn: properly handle null bytes and 
+  invalid characters in control messages(bsc#1235147 CVE-2024-5594)
+  Patchname:openvpn-CVE-2024-5594.patch
+
+-------------------------------------------------------------------
+Fri Dec 20 08:13:18 UTC 2024 - Jan Engelhardt <jengelh@inai.de>
+
+- Set %_buildshell because of bashisms in build recipe
+- Replace over-the-top `find -exec rm` by just -delete
+
+-------------------------------------------------------------------
+Thu Oct 10 08:13:54 UTC 2024 - Rahul Jain <rahul.jain@suse.com>
+
+- Fix multiple exit notifications from authenticated clients will
+  extend the validity of a closing session (bsc#1227546 CVE-2024-28882)
+  Patchname:openvpn-CVE-2024-28882.patch
+
+-------------------------------------------------------------------
+Thu May 16 06:42:54 UTC 2024 - Bernhard Wiedemann <bwiedemann@suse.com>
+
+- Enable Data-Channel-Offloading (DCO) for better performance (jsc#PED-8305)
+  if libnl >= 3.4 is available
+
 -------------------------------------------------------------------
 Thu Mar 21 08:33:45 UTC 2024 - Mohd Saquib <mohd.saquib@suse.com>
 

openvpn.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package openvpn
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -16,6 +16,7 @@
 #
 
 
+%define _buildshell /bin/bash
 %if ! %{defined _rundir}
 %define _rundir %{_localstatedir}/run
 %endif
@@ -37,6 +38,8 @@ Source9:        %{name}.target
 Source10:       %{name}-tmpfile.conf
 Source11:       rc%{name}
 Patch1:         %{name}-2.3-plugin-man.dif
+Patch2:         openvpn-CVE-2024-28882.patch
+Patch3:         openvpn-CVE-2024-5594.patch
 BuildRequires:  iproute2
 BuildRequires:  libcap-ng-devel
 BuildRequires:  liblz4-devel
@@ -49,10 +52,12 @@ BuildRequires:  pam-devel
 BuildRequires:  pkcs11-helper-devel >= 1.11
 BuildRequires:  pkgconfig
 BuildRequires:  xz
+BuildRequires:  pkgconfig(libnl-genl-3.0)
 BuildRequires:  pkgconfig(libsystemd)
 BuildRequires:  pkgconfig(systemd)
 Requires:       iproute2
 Requires:       pkcs11-helper >= 1.11
+Recommends:     ovpn-dco-kmp
 %systemd_ordering
 
 %description
@@ -135,8 +140,14 @@ export LDFLAGS
 # usrmerge
 export IPROUTE="%{_sbindir}/ip"
 %endif
+libnlversion=$(rpm -q --qf "%%{version}" libnl3-devel)
+if [[ $libnlversion == 3.[0-3].* ]] ; then
+  confopt=--enable-iproute2
+else
+  confopt=--enable-dco
+fi
 %configure \
-	--enable-iproute2		\
+	$confopt			\
 	--enable-x509-alt-username	\
 	--enable-pkcs11			\
 	--enable-systemd		\
@@ -149,7 +160,7 @@ export IPROUTE="%{_sbindir}/ip"
 
 %install
 %make_install
-find %{buildroot} -type f -name "*.la" -print -exec rm -f {} +
+find %{buildroot} -type f -name "*.la" -print -delete
 mkdir -p %{buildroot}/%{_sysconfdir}/openvpn
 mkdir -p %{buildroot}/%{_rundir}/openvpn
 mkdir -p %{buildroot}/%{_datadir}/openvpn
@@ -159,7 +170,9 @@ rm %{buildroot}%{_libdir}/systemd/system/openvpn-server@.service
 rm %{buildroot}%{_libdir}/tmpfiles.d/openvpn.conf
 install -D -m 644 %{name}.service %{buildroot}/%{_unitdir}/%{name}@.service
 install -D -m 644 %{SOURCE9} %{buildroot}/%{_unitdir}/%{name}.target
+%if 0%{?suse_version} < 1600
 install -D -m 755 %{SOURCE11} %{buildroot}%{_sbindir}/rc%{name}
+%endif
 # tmpfiles.d
 mkdir -p %{buildroot}%{_tmpfilesdir}
 install -m 0644 %{SOURCE10} %{buildroot}%{_tmpfilesdir}/%{name}.conf
@@ -169,7 +182,7 @@ install -m 755 %{SOURCE5} sample/sample-scripts/client-netconfig.down
 
 # we install docs via spec into _defaultdocdir/name/management-notes.txt
 rm -rf %{buildroot}%{_datadir}/doc/{OpenVPN,%{name}}
-find sample -name .gitignore -exec rm -f {} +
+find sample -name .gitignore -delete
 
 %pre
 %service_add_pre %{name}.target
@@ -202,7 +215,9 @@ find sample -name .gitignore -exec rm -f {} +
 %{_unitdir}/%{name}.target
 %{_tmpfilesdir}/%{name}.conf
 %dir %attr(0750,root,root) %ghost %{_rundir}/openvpn/
+%if 0%{?suse_version} < 1600
 %{_sbindir}/rcopenvpn
+%endif
 %{_sbindir}/openvpn
 
 %files down-root-plugin