!20 Update to 2.5.5

Merge pull request !20 from jpzhang187/openEuler-22.03-LTS-Next
2021-12-30 11:18:52 +00:00 · 2021-12-30 11:18:52 +00:00 · 587e6822e9
commit 587e6822e9
parent e188357f25 3b0457b60f
5 changed files with 7 additions and 110 deletions
--- a/CVE-2020-11810.patch
+++ b/CVE-2020-11810.patch
@ -1,65 +0,0 @@
 From 37bc691e7d26ea4eb61a8a434ebd7a9ae76225ab Mon Sep 17 00:00:00 2001
 From: Lev Stipakov <lev@openvpn.net>
 Date: Wed, 15 Apr 2020 10:30:17 +0300
 Subject: [PATCH] Fix illegal client float (CVE-2020-11810)
 There is a time frame between allocating peer-id and initializing data
 channel key (which is performed on receiving push request or on async
 push-reply) in which the existing peer-id float checks do not work right.
 If a "rogue" data channel packet arrives during that time frame from
 another address and  with same peer-id, this would cause client to float
 to that new address. This is because:
 - tls_pre_decrypt() sets packet length to zero if
   data channel key has not been initialized, which leads to
 - openvpn_decrypt() returns true if packet length is zero,
   which leads to
 - process_incoming_link_part1() returns true, which
   calls multi_process_float(), which commits float
 Note that problem doesn't happen when data channel key is initialized,
 since in this case openvpn_decrypt() returns false.
 The net effect of this behaviour is that the VPN session for the
 "victim client" is broken.  Since the "attacker client" does not have
 suitable keys, it can not inject or steal VPN traffic from the other
 session.  The time window is small and it can not be used to attack
 a specific client's session, unless some other way is found to make it
 disconnect and reconnect first.
 CVE-2020-11810 has been assigned to acknowledge this risk.
 Fix illegal float by adding buffer length check ("is this packet still
 considered valid") before calling multi_process_float().
 Trac: #1272
 CVE: 2020-11810
 Signed-off-by: Lev Stipakov <lev@openvpn.net>
 Acked-by: Arne Schwabe <arne@rfc2549.org>
 Acked-by: Antonio Quartulli <antonio@openvpn.net>
 Acked-by: Gert Doering <gert@greenie.muc.de>
 Message-Id: <20200415073017.22839-1-lstipakov@gmail.com>
 URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19720.html
 Signed-off-by: Gert Doering <gert@greenie.muc.de>
 ---
 src/openvpn/multi.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
 diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
 index b42bcec97..056e3dc76 100644
 --- a/src/openvpn/multi.c
 +++ b/src/openvpn/multi.c
@@ -2577,7 +2577,8 @@ multi_process_incoming_link(struct multi_context *m, struct multi_instance *inst
             orig_buf = c->c2.buf.data;
             if (process_incoming_link_part1(c, lsi, floated))
             {
 -                if (floated)
 +                /* nonzero length means that we have a valid, decrypted packed */
 +                if (floated && c->c2.buf.len > 0)
                 {
                     multi_process_float(m, m->pending);
                 }
--- a/CVE-2020-15078.patch
+++ b/CVE-2020-15078.patch
@ -1,39 +0,0 @@
 From 6b03967183591d8a7e619caaf529f7581619326b Mon Sep 17 00:00:00 2001
 From: Arne Schwabe <arne@rfc2549.org>
 Date: Tue, 6 Apr 2021 00:05:21 +0200
 Subject: [PATCH] Ensure key state is authenticated before sending push reply
 This ensures that the key state is authenticated when sendinga push reply.
 ---
 src/openvpn/push.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
 diff --git a/src/openvpn/push.c b/src/openvpn/push.c
 index dd5bd41..fcdd76b 100644
 --- a/src/openvpn/push.c
 +++ b/src/openvpn/push.c
@@ -647,6 +647,7 @@ int
 process_incoming_push_request(struct context *c)
 {
     int ret = PUSH_MSG_ERROR;
 +    struct key_state *ks = &c->c2.tls_multi->session[TM_ACTIVE].key[KS_PRIMARY];
 #ifdef ENABLE_ASYNC_PUSH
     c->c2.push_request_received = true;
@@ -657,7 +658,12 @@ process_incoming_push_request(struct context *c)
         send_auth_failed(c, client_reason);
         ret = PUSH_MSG_AUTH_FAILURE;
     }
 -    else if (!c->c2.push_reply_deferred && c->c2.context_auth == CAS_SUCCEEDED)
 +    else if (!c->c2.push_reply_deferred && c->c2.context_auth == CAS_SUCCEEDED
 +             && ks->authenticated
 + #ifdef ENABLE_DEF_AUTH
 +             && !ks->auth_deferred
 + #endif
 +             )
     {
         time_t now;
 -- 
 2.23.0
--- a/openvpn-2.4.8.tar.gz
+++ b/openvpn-2.4.8.tar.gz
--- a/openvpn-2.5.5.tar.gz
+++ b/openvpn-2.5.5.tar.gz
--- a/openvpn.spec
+++ b/openvpn.spec
@ -1,12 +1,10 @@
 Name: openvpn
-Version: 2.4.8
+Version: 2.5.5
-Release: 6
+Release: 1
 Summary: A full-featured open source SSL VPN solution
-License: GPLv2 and OpenSSL and SSLeay
+License: GPL-2.0-or-later and OpenSSL and SSLeay
 URL: https://community.openvpn.net/openvpn
 Source0: https://swupdate.openvpn.org/community/releases/openvpn-%{version}.tar.gz
 Patch0000:     CVE-2020-11810.patch
 Patch0001:     CVE-2020-15078.patch
 BuildRequires: openssl-devel lz4-devel systemd-devel lzo-devel gcc
 BuildRequires: iproute pam-devel pkcs11-helper-devel >= 1.11
@ -58,7 +56,6 @@ cp -a contrib sample $RPM_BUILD_ROOT%{_pkgdocdir}
 %check
 make check
 %pre
 getent group openvpn &>/dev/null || groupadd -r openvpn
 getent passwd openvpn &>/dev/null || \
@ -121,8 +118,12 @@ fi
 %files help
 %{_pkgdocdir}
 %{_mandir}/man8/%{name}.8*
 %{_mandir}/man5/openvpn-examples.5.gz
 %changelog
 * Wed Dec 29 2021 zhangjiapeng <zhangjiapeng9@huawei.com> - 2.5.5-1
 - Update to 2.5.5
 * Wed Jun 9 2021 zhaoyao <zhaoyao32@huawei.com> - 2.4.8-6
 - fix faileds: /bin/sh: gcc: command not found.