!27 [sync] PR-21: Fix CVE-2022-0547

From: @openeuler-sync-bot Reviewed-by: @small_leek Signed-off-by: @small_leek
2022-04-06 03:36:58 +00:00 · 2022-04-06 03:36:58 +00:00 · 3015af7730
commit 3015af7730
parent 587e6822e9 e59c07ca16
2 changed files with 104 additions and 1 deletions
--- a/CVE-2022-0547.patch
+++ b/CVE-2022-0547.patch
@ -0,0 +1,98 @@
+From af3e382649d96ae77cc5e42be8270f355e5cfec5 Mon Sep 17 00:00:00 2001
+From: David Sommerseth <davids@openvpn.net>
+Date: Sun, 13 Mar 2022 20:31:53 +0100
+Subject: [PATCH] plug-ins: Disallow multiple deferred authentication plug-ins
+
+The plug-in API in OpenVPN 2.x is not designed for running multiple
+deferred authentication processes in parallel. The authentication
+results of such configurations are not to be trusted.  For now we bail
+out when this is discovered with an error in the log.
+
+CVE: 2022-0547
+Signed-off-by: David Sommerseth <davids@openvpn.net>
+
+Acked-by: Antonio Quartulli <antonio@openvpn.net>
+Message-Id: <20220313193154.9350-3-openvpn@sf.lists.topphemmelig.net>
+URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23931.html
+Signed-off-by: Gert Doering <gert@greenie.muc.de>
+(cherry picked from commit 282ddbac54f8d4923844f69983b38dd2b813a00a)
+---
+ doc/man-sections/plugin-options.rst |  9 ++++++++
+ src/openvpn/plugin.c                | 33 ++++++++++++++++++++++++++---
+ 2 files changed, 39 insertions(+), 3 deletions(-)
+
+diff --git a/doc/man-sections/plugin-options.rst b/doc/man-sections/plugin-options.rst
+index 51c574fe6..9266429ea 100644
+--- a/doc/man-sections/plugin-options.rst
+++ b/doc/man-sections/plugin-options.rst
+@@ -55,3 +55,12 @@ plug-ins must be prebuilt and adhere to the OpenVPN Plug-In API.
+   (such as tls-verify, auth-user-pass-verify, or client-connect), then
+   every module and script must return success (:code:`0`) in order for the
+   connection to be authenticated.
+
+  **WARNING**:
+        Plug-ins may do deferred execution, meaning the plug-in will
+        return the control back to the main OpenVPN process and provide
+        the plug-in result later on via a different thread or process.
+        OpenVPN does **NOT** support multiple authentication plug-ins
+        **where more than one plugin** tries to do deferred authentication.
+        If this behaviour is detected, OpenVPN will shut down upon first
+        authentication.
+diff --git a/src/openvpn/plugin.c b/src/openvpn/plugin.c
+index e8f8830d0..ed5d7c067 100644
+--- a/src/openvpn/plugin.c
+++ b/src/openvpn/plugin.c
+@@ -806,7 +806,7 @@ plugin_call_ssl(const struct plugin_list *pl,
+         const int n = plugin_n(pl);
+         bool success = false;
+         bool error = false;
+-        bool deferred = false;
+        bool deferred_auth_done = false;
+ 
+         setenv_del(es, "script_type");
+         envp = make_env_array(es, false, &gc);
+@@ -829,7 +829,34 @@ plugin_call_ssl(const struct plugin_list *pl,
+                     break;
+ 
+                 case OPENVPN_PLUGIN_FUNC_DEFERRED:
+-                    deferred = true;
+                    if ((type == OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY)
+                        && deferred_auth_done)
+                    {
+                        /*
+                         * Do not allow deferred auth if a deferred auth has
+                         * already been started.  This should allow a single
+                         * deferred auth call to happen, with one or more
+                         * auth calls with an instant authentication result.
+                         *
+                         * The plug-in API is not designed for multiple
+                         * deferred authentications to happen, as the
+                         * auth_control_file file will be shared across all
+                         * the plug-ins.
+                         *
+                         * Since this is considered a critical configuration
+                         * error, we bail out and exit the OpenVPN process.
+                         */
+                        error = true;
+                        msg(M_FATAL,
+                            "Exiting due to multiple authentication plug-ins "
+                            "performing deferred authentication.  Only one "
+                            "authentication plug-in doing deferred auth is "
+                            "allowed.  Ignoring the result and stopping now, "
+                            "the current authentication result is not to be "
+                            "trusted.");
+                        break;
+                    }
+                    deferred_auth_done = true;
+                     break;
+ 
+                 default:
+@@ -853,7 +880,7 @@ plugin_call_ssl(const struct plugin_list *pl,
+         {
+             return OPENVPN_PLUGIN_FUNC_ERROR;
+         }
+-        else if (deferred)
+        else if (deferred_auth_done)
+         {
+             return OPENVPN_PLUGIN_FUNC_DEFERRED;
+         }
--- a/openvpn.spec
+++ b/openvpn.spec
@ -1,10 +1,12 @@
 Name: openvpn
 Version: 2.5.5
-Release: 1
+Release: 2
 Summary: A full-featured open source SSL VPN solution
 License: GPL-2.0-or-later and OpenSSL and SSLeay
 URL: https://community.openvpn.net/openvpn
 Source0: https://swupdate.openvpn.org/community/releases/openvpn-%{version}.tar.gz
+#  https://github.com/OpenVPN/openvpn/commit/af3e382
+Patch0: CVE-2022-0547.patch
 BuildRequires: openssl-devel lz4-devel systemd-devel lzo-devel gcc
 BuildRequires: iproute pam-devel pkcs11-helper-devel >= 1.11

@ -121,6 +123,9 @@ fi
 %{_mandir}/man5/openvpn-examples.5.gz

 %changelog
+* Wed Mar 30 2022 wangkai <wangkai385@huawei.com> - 2.5.5-2
+- Fix CVE-2022-0547
+
 * Wed Dec 29 2021 zhangjiapeng <zhangjiapeng9@huawei.com> - 2.5.5-1
 - Update to 2.5.5