packages/openvpn
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: packages:5667d30bd8bb377a095ba05361164b74496e33f4
Branches Tags
packages:main
...
compare: packages:0ad4cc176082a320ddce4f13261fc1f22e484eca
Branches Tags
packages:main

10 Commits
5667d30bd8 ... 0ad4cc1760

Author SHA1 Message Date
openeuler-ci-bot
0ad4cc1760
!60 update sample-keys 
From: @li_ning_jie 
Reviewed-by: @wk333 
Signed-off-by: @wk333
 2024-11-15 07:31:29 +00:00
liningjie
12b32768a2 update sample-keys 2024-11-06 14:21:17 +08:00
openeuler-ci-bot
dc1ae89dcd
!53 fix CVE-2024-5594 
From: @fundawang 
Reviewed-by: @wk333 
Signed-off-by: @wk333
 2024-07-22 06:26:57 +00:00
Funda Wang
e60c995ddb Fix CVE-2024-5594 2024-07-22 12:34:19 +08:00
openeuler-ci-bot
aa7cec5485
!44 Fix CVE-2024-28882 
From: @zhangxianting 
Reviewed-by: @wk333 
Signed-off-by: @wk333
 2024-07-09 07:30:27 +00:00
zhangxianting
6825a4f9a4 Fix CVE-2024-28882 2024-07-02 21:17:06 +08:00
openeuler-ci-bot
224bc6fca4
!26 [sync] PR-22: Fix CVE-2022-0547 
From: @openeuler-sync-bot 
Reviewed-by: @small_leek 
Signed-off-by: @small_leek
 2022-03-30 06:49:48 +00:00
wk333
6e8e9d9565 Fix CVE-2022-0547 
(cherry picked from commit f5a73391912830c22620920b94b13cb83c3c065d)
 2022-03-30 11:43:45 +08:00
openeuler-ci-bot
6fa8bc0b45 !13 fix CVE-2020-15078 
From: @wang_yue111
Reviewed-by: @jackie_wu123,@small_leek
Signed-off-by: @small_leek
 2021-05-26 14:01:59 +08:00
wang_yue111
79b906c083 fix CVE-2020-15078 2021-05-26 11:22:04 +08:00
6 changed files with 2218 additions and 4 deletions
Show Stats Expand all files Collapse all files

39
CVE-2020-15078.patch Normal file
View File

@ -0,0 +1,39 @@
From 6b03967183591d8a7e619caaf529f7581619326b Mon Sep 17 00:00:00 2001
From: Arne Schwabe <arne@rfc2549.org>
Date: Tue, 6 Apr 2021 00:05:21 +0200
Subject: [PATCH] Ensure key state is authenticated before sending push reply
This ensures that the key state is authenticated when sendinga push reply.
---
src/openvpn/push.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/openvpn/push.c b/src/openvpn/push.c
index dd5bd41..fcdd76b 100644
--- a/src/openvpn/push.c
+++ b/src/openvpn/push.c
@@ -647,6 +647,7 @@ int
process_incoming_push_request(struct context *c)
{
int ret = PUSH_MSG_ERROR;
+ struct key_state *ks = &c->c2.tls_multi->session[TM_ACTIVE].key[KS_PRIMARY];
#ifdef ENABLE_ASYNC_PUSH
c->c2.push_request_received = true;
@@ -657,7 +658,12 @@ process_incoming_push_request(struct context *c)
send_auth_failed(c, client_reason);
ret = PUSH_MSG_AUTH_FAILURE;
}
- else if (!c->c2.push_reply_deferred && c->c2.context_auth == CAS_SUCCEEDED)
+ else if (!c->c2.push_reply_deferred && c->c2.context_auth == CAS_SUCCEEDED
+ && ks->authenticated
+ #ifdef ENABLE_DEF_AUTH
+ && !ks->auth_deferred
+ #endif
+ )
{
time_t now;
--
2.23.0

107
CVE-2022-0547.patch Normal file
View File

@ -0,0 +1,107 @@
From 58ec3bb4aac77131118dbbc39a65181e7847adee Mon Sep 17 00:00:00 2001
From: David Sommerseth <davids@openvpn.net>
Date: Tue, 15 Mar 2022 16:53:43 +0100
Subject: [PATCH] plug-ins: Disallow multiple deferred authentication plug-ins
The plug-in API in OpenVPN 2.x is not designed for running multiple
deferred authentication processes in parallel. The authentication
results of such configurations are not to be trusted. For now we bail
out when this discovered with an error in the log.
This is a backport of commit 282ddbac54f8d4923844f699 (master), taking
the different man-page format into account. The code change is the same.
CVE: 2022-0547
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220315155344.37787-3-openvpn@sf.lists.topphemmelig.net>
URL: https://www.mail-archive.com/search?l=mid&q=20220315155344.37787-3-openvpn@sf.lists.topphemmelig.net
Signed-off-by: Gert Doering <gert@greenie.muc.de>
---
doc/openvpn.8 | 13 +++++++++++++
src/openvpn/plugin.c | 33 ++++++++++++++++++++++++++++++---
2 files changed, 43 insertions(+), 3 deletions(-)
diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 598d5fce5..7f773b695 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -2805,6 +2805,19 @@ function (such as tls\-verify, auth\-user\-pass\-verify, or
client\-connect), then
every module and script must return success (0) in order for
the connection to be authenticated.
+
+.INDENT 7.0
+.TP
+.B \fBWARNING\fP:
+Plug\-ins may do deferred execution, meaning the plug\-in will
+return the control back to the main OpenVPN process and provide
+the plug\-in result later on via a different thread or process.
+OpenVPN does \fBNOT\fP support multiple authentication plug\-ins
+\fBwhere more than one plugin\fP tries to do deferred authentication.
+If this behaviour is detected, OpenVPN will shut down upon first
+authentication.
+.UNINDENT
+.UNINDENT
.\"*********************************************************
.TP
.B \-\-keying\-material\-exporter label len
diff --git a/src/openvpn/plugin.c b/src/openvpn/plugin.c
index 0ab99ab5c..5ba1c2470 100644
--- a/src/openvpn/plugin.c
+++ b/src/openvpn/plugin.c
@@ -809,7 +809,7 @@ plugin_call_ssl(const struct plugin_list *pl,
const int n = plugin_n(pl);
bool success = false;
bool error = false;
- bool deferred = false;
+ bool deferred_auth_done = false;
setenv_del(es, "script_type");
envp = make_env_array(es, false, &gc);
@@ -834,7 +834,34 @@ plugin_call_ssl(const struct plugin_list *pl,
break;
case OPENVPN_PLUGIN_FUNC_DEFERRED:
- deferred = true;
+ if ((type == OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY)
+ && deferred_auth_done)
+ {
+ /*
+ * Do not allow deferred auth if a deferred auth has
+ * already been started. This should allow a single
+ * deferred auth call to happen, with one or more
+ * auth calls with an instant authentication result.
+ *
+ * The plug-in API is not designed for multiple
+ * deferred authentications to happen, as the
+ * auth_control_file file will be shared across all
+ * the plug-ins.
+ *
+ * Since this is considered a critical configuration
+ * error, we bail out and exit the OpenVPN process.
+ */
+ error = true;
+ msg(M_FATAL,
+ "Exiting due to multiple authentication plug-ins "
+ "performing deferred authentication. Only one "
+ "authentication plug-in doing deferred auth is "
+ "allowed. Ignoring the result and stopping now, "
+ "the current authentication result is not to be "
+ "trusted.");
+ break;
+ }
+ deferred_auth_done = true;
break;
default:
@@ -858,7 +885,7 @@ plugin_call_ssl(const struct plugin_list *pl,
{
return OPENVPN_PLUGIN_FUNC_ERROR;
}
- else if (deferred)
+ else if (deferred_auth_done)
{
return OPENVPN_PLUGIN_FUNC_DEFERRED;
}

118
CVE-2024-28882.patch Normal file
View File

@ -0,0 +1,118 @@
From 65fb67cd6c320a426567b2922c4282fb8738ba3f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Reynir=20Bj=C3=B6rnsson?= <reynir@reynir.dk>
Date: Thu, 16 May 2024 13:58:08 +0200
Subject: [PATCH] Only schedule_exit() once
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If an exit has already been scheduled we should not schedule it again.
Otherwise, the exit signal is never emitted if the peer reschedules the
exit before the timeout occurs.
schedule_exit() now only takes the context as argument. The signal is
hard coded to SIGTERM, and the interval is read directly from the
context options.
Furthermore, schedule_exit() now returns a bool signifying whether an
exit was scheduled; false if exit is already scheduled. The call sites
are updated accordingly. A notable difference is that management is only
notified *once* when an exit is scheduled - we no longer notify
management on redundant exit.
This patch was assigned a CVE number after already reviewed and ACKed,
because it was discovered that a misbehaving client can use the (now
fixed) server behaviour to avoid being disconnected by means of a
managment interface "client-kill" command - the security issue here is
"client can circumvent security policy set by management interface".
This only affects previously authenticated clients, and only management
client-kill, so normal renegotion / AUTH_FAIL ("your session ends") is not
affected.
CVE: 2024-28882
Change-Id: I9457f005f4ba970502e6b667d9dc4299a588d661
Signed-off-by: Reynir Björnsson <reynir@reynir.dk>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20240516120434.23499-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28679.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 55bb3260c12bae33b6a8eac73cbb6972f8517411)
---
src/openvpn/forward.c | 15 +++++++++++----
src/openvpn/forward.h | 2 +-
src/openvpn/push.c | 4 +---
3 files changed, 13 insertions(+), 8 deletions(-)
diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
index 65f790f..ec834c3 100644
--- a/src/openvpn/forward.c
+++ b/src/openvpn/forward.c
@@ -361,17 +361,24 @@ check_server_poll_timeout_dowork(struct context *c)
}
/*
- * Schedule a signal n_seconds from now.
+ * Schedule a SIGTERM signal c->options.scheduled_exit_interval seconds from now.
*/
-void
-schedule_exit(struct context *c, const int n_seconds, const int signal)
+bool
+schedule_exit(struct context *c)
{
+ const int n_seconds = c->options.scheduled_exit_interval;
+ /* don't reschedule if already scheduled. */
+ if (event_timeout_defined(&c->c2.scheduled_exit))
+ {
+ return false;
+ }
tls_set_single_session(c->c2.tls_multi);
update_time();
reset_coarse_timers(c);
event_timeout_init(&c->c2.scheduled_exit, n_seconds, now);
- c->c2.scheduled_exit_signal = signal;
+ c->c2.scheduled_exit_signal = SIGTERM;
msg(D_SCHED_EXIT, "Delayed exit in %d seconds", n_seconds);
+ return true;
}
/*
diff --git a/src/openvpn/forward.h b/src/openvpn/forward.h
index 924cc5e..a39b563 100644
--- a/src/openvpn/forward.h
+++ b/src/openvpn/forward.h
@@ -258,7 +258,7 @@ bool send_control_channel_string(struct context *c, const char *str, int msgleve
void process_ip_header(struct context *c, unsigned int flags, struct buffer *buf);
#if P2MP
-void schedule_exit(struct context *c, const int n_seconds, const int signal);
+bool schedule_exit(struct context *c);
#endif
diff --git a/src/openvpn/push.c b/src/openvpn/push.c
index fcdd76b..428c348 100644
--- a/src/openvpn/push.c
+++ b/src/openvpn/push.c
@@ -212,8 +212,6 @@ send_auth_failed(struct context *c, const char *client_reason)
static const char auth_failed[] = "AUTH_FAILED";
size_t len;
- schedule_exit(c, c->options.scheduled_exit_interval, SIGTERM);
-
len = (client_reason ? strlen(client_reason)+1 : 0) + sizeof(auth_failed);
if (len > PUSH_BUNDLE_SIZE)
{
@@ -239,7 +237,7 @@ send_auth_failed(struct context *c, const char *client_reason)
void
send_restart(struct context *c, const char *kill_msg)
{
- schedule_exit(c, c->options.scheduled_exit_interval, SIGTERM);
+ schedule_exit(c);
send_control_channel_string(c, kill_msg ? kill_msg : "RESTART", D_PUSH);
}
--
2.33.0

314
CVE-2024-5594.patch Normal file
View File

@ -0,0 +1,314 @@
Backport of:
From 90e7a858e5594d9a019ad2b4ac6154124986291a Mon Sep 17 00:00:00 2001
From: Arne Schwabe <arne@rfc2549.org>
Date: Mon, 27 May 2024 15:02:41 +0200
Subject: [PATCH] Properly handle null bytes and invalid characters in control
messages
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This makes OpenVPN more picky in accepting control message in two aspects:
- Characters are checked in the whole buffer and not until the first
NUL byte
- if the message contains invalid characters, we no longer continue
evaluating a fixed up version of the message but rather stop
processing it completely.
Previously it was possible to get invalid characters to end up in log
files or on a terminal.
This also prepares the logic a bit in the direction of having a proper
framing of control messages separated by null bytes instead of relying
on the TLS framing for that. All OpenVPN implementations write the 0
bytes between control commands.
This patch also include several improvement suggestion from Reynir
(thanks!).
CVE: 2024-5594
Reported-By: Reynir Björnsson <reynir@reynir.dk>
Change-Id: I0d926f910637dabc89bf5fa919dc6beef1eb46d9
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20240619103004.56460-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28791.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 414f428fa29694090ec4c46b10a8aba419c85659)
---
src/openvpn/buffer.c | 17 ++++
src/openvpn/buffer.h | 11 +++
src/openvpn/forward.c | 121 ++++++++++++++++---------
tests/unit_tests/openvpn/test_buffer.c | 109 ++++++++++++++++++++++
4 files changed, 215 insertions(+), 43 deletions(-)
--- a/src/openvpn/buffer.c
+++ b/src/openvpn/buffer.c
@@ -1046,6 +1046,23 @@ string_mod(char *str, const unsigned int
return ret;
}
+bool
+string_check_buf(struct buffer *buf, const unsigned int inclusive, const unsigned int exclusive)
+{
+ ASSERT(buf);
+
+ for (int i = 0; i < BLEN(buf); i++)
+ {
+ char c = BSTR(buf)[i];
+
+ if (!char_inc_exc(c, inclusive, exclusive))
+ {
+ return false;
+ }
+ }
+ return true;
+}
+
const char *
string_mod_const(const char *str,
const unsigned int inclusive,
--- a/src/openvpn/buffer.h
+++ b/src/openvpn/buffer.h
@@ -916,6 +916,17 @@ bool string_class(const char *str, const
bool string_mod(char *str, const unsigned int inclusive, const unsigned int exclusive, const char replace);
+/**
+ * Check a buffer if it only consists of allowed characters.
+ *
+ * @param buf The buffer to be checked.
+ * @param inclusive The character classes that are allowed.
+ * @param exclusive Character classes that are not allowed even if they are also in inclusive.
+ * @return True if the string consists only of allowed characters, false otherwise.
+ */
+bool
+string_check_buf(struct buffer *buf, const unsigned int inclusive, const unsigned int exclusive);
+
const char *string_mod_const(const char *str,
const unsigned int inclusive,
const unsigned int exclusive,
--- a/src/openvpn/forward.c
+++ b/src/openvpn/forward.c
@@ -135,6 +135,31 @@ check_tls_errors_nco(struct context *c)
#if P2MP
+static void
+parse_incoming_control_channel_command(struct context *c, struct buffer *buf)
+{
+ if (buf_string_match_head_str(buf, "AUTH_FAILED"))
+ {
+ receive_auth_failed(c, buf);
+ }
+ else if (buf_string_match_head_str(buf, "PUSH_"))
+ {
+ incoming_push_message(c, buf);
+ }
+ else if (buf_string_match_head_str(buf, "RESTART"))
+ {
+ server_pushed_signal(c, buf, true, 7);
+ }
+ else if (buf_string_match_head_str(buf, "HALT"))
+ {
+ server_pushed_signal(c, buf, false, 4);
+ }
+ else
+ {
+ msg(D_PUSH_ERRORS, "WARNING: Received unknown control message: %s", BSTR(buf));
+ }
+}
+
/*
* Handle incoming configuration
* messages on the control channel.
@@ -149,31 +174,40 @@ check_incoming_control_channel_dowork(st
struct buffer buf = alloc_buf_gc(len, &gc);
if (tls_rec_payload(c->c2.tls_multi, &buf))
{
- /* force null termination of message */
- buf_null_terminate(&buf);
-
- /* enforce character class restrictions */
- string_mod(BSTR(&buf), CC_PRINT, CC_CRLF, 0);
+ while (BLEN(&buf) > 1)
+ {
+ /* commands on the control channel are seperated by 0x00 bytes.
+ * cmdlen does not include the 0 byte of the string */
+ int cmdlen = (int)strnlen(BSTR(&buf), BLEN(&buf));
- if (buf_string_match_head_str(&buf, "AUTH_FAILED"))
+ if (cmdlen < BLEN(&buf))
{
- receive_auth_failed(c, &buf);
- }
- else if (buf_string_match_head_str(&buf, "PUSH_"))
- {
- incoming_push_message(c, &buf);
- }
- else if (buf_string_match_head_str(&buf, "RESTART"))
- {
- server_pushed_signal(c, &buf, true, 7);
- }
- else if (buf_string_match_head_str(&buf, "HALT"))
- {
- server_pushed_signal(c, &buf, false, 4);
+ /* include the NUL byte and ensure NUL termination */
+ int cmdlen = (int)strlen(BSTR(&buf)) + 1;
+
+ /* Construct a buffer that only holds the current command and
+ * its closing NUL byte */
+ struct buffer cmdbuf = alloc_buf_gc(cmdlen, &gc);
+ buf_write(&cmdbuf, BPTR(&buf), cmdlen);
+
+ /* check we have only printable characters or null byte in the
+ * command string and no newlines */
+ if (!string_check_buf(&buf, CC_PRINT | CC_NULL, CC_CRLF))
+ {
+ msg(D_PUSH_ERRORS, "WARNING: Received control with invalid characters: %s",
+ format_hex(BPTR(&buf), BLEN(&buf), 256, &gc));
+ }
+ else
+ {
+ parse_incoming_control_channel_command(c, &cmdbuf);
+ }
}
else
{
- msg(D_PUSH_ERRORS, "WARNING: Received unknown control message: %s", BSTR(&buf));
+ msg(D_PUSH_ERRORS, "WARNING: Ignoring control channel "
+ "message command without NUL termination");
+ }
+ buf_advance(&buf, cmdlen);
}
}
else
--- a/tests/unit_tests/openvpn/test_buffer.c
+++ b/tests/unit_tests/openvpn/test_buffer.c
@@ -197,6 +197,113 @@ test_buffer_list_aggregate_separator_emp
assert_int_equal(BLEN(buf), 0);
}
+static void
+test_character_class(void **state)
+{
+ char buf[256];
+ strcpy(buf, "There is \x01 a nice 1234 year old tr\x7f ee!");
+ assert_false(string_mod(buf, CC_PRINT, 0, '@'));
+ assert_string_equal(buf, "There is @ a nice 1234 year old tr@ ee!");
+
+ strcpy(buf, "There is \x01 a nice 1234 year old tr\x7f ee!");
+ assert_true(string_mod(buf, CC_ANY, 0, '@'));
+ assert_string_equal(buf, "There is \x01 a nice 1234 year old tr\x7f ee!");
+
+ /* 0 as replace removes characters */
+ strcpy(buf, "There is \x01 a nice 1234 year old tr\x7f ee!");
+ assert_false(string_mod(buf, CC_PRINT, 0, '\0'));
+ assert_string_equal(buf, "There is a nice 1234 year old tr ee!");
+
+ strcpy(buf, "There is \x01 a nice 1234 year old tr\x7f ee!");
+ assert_false(string_mod(buf, CC_PRINT, CC_DIGIT, '@'));
+ assert_string_equal(buf, "There is @ a nice @@@@ year old tr@ ee!");
+
+ strcpy(buf, "There is \x01 a nice 1234 year old tr\x7f ee!");
+ assert_false(string_mod(buf, CC_ALPHA, CC_DIGIT, '.'));
+ assert_string_equal(buf, "There.is...a.nice......year.old.tr..ee.");
+
+ strcpy(buf, "There is \x01 a 'nice' \"1234\"\n year old \ntr\x7f ee!");
+ assert_false(string_mod(buf, CC_ALPHA|CC_DIGIT|CC_NEWLINE|CC_SINGLE_QUOTE, CC_DOUBLE_QUOTE|CC_BLANK, '.'));
+ assert_string_equal(buf, "There.is...a.'nice'..1234.\n.year.old.\ntr..ee.");
+
+ strcpy(buf, "There is a \\'nice\\' \"1234\" [*] year old \ntree!");
+ assert_false(string_mod(buf, CC_PRINT, CC_BACKSLASH|CC_ASTERISK, '.'));
+ assert_string_equal(buf, "There is a .'nice.' \"1234\" [.] year old .tree!");
+}
+
+
+static void
+test_character_string_mod_buf(void **state)
+{
+ struct gc_arena gc = gc_new();
+
+ struct buffer buf = alloc_buf_gc(1024, &gc);
+
+ const char test1[] = "There is a nice 1234\x00 year old tree!";
+ buf_write(&buf, test1, sizeof(test1));
+
+ /* allow the null bytes and string but not the ! */
+ assert_false(string_check_buf(&buf, CC_ALNUM | CC_SPACE | CC_NULL, 0));
+
+ /* remove final ! and null byte to pass */
+ buf_inc_len(&buf, -2);
+ assert_true(string_check_buf(&buf, CC_ALNUM | CC_SPACE | CC_NULL, 0));
+
+ /* Check excluding digits works */
+ assert_false(string_check_buf(&buf, CC_ALNUM | CC_SPACE | CC_NULL, CC_DIGIT));
+ gc_free(&gc);
+}
+
+static void
+test_snprintf(void **state)
+{
+ /* we used to have a custom openvpn_snprintf function because some
+ * OS (the comment did not specify which) did not always put the
+ * null byte there. So we unit test this to be sure.
+ *
+ * This probably refers to the MSVC behaviour, see also
+ * https://stackoverflow.com/questions/7706936/is-snprintf-always-null-terminating
+ */
+
+ /* Instead of trying to trick the compiler here, disable the warnings
+ * for this unit test. We know that the results will be truncated
+ * and we want to test that */
+#if defined(__GNUC__)
+/* some clang version do not understand -Wformat-truncation, so ignore the
+ * warning to avoid warnings/errors (-Werror) about unknown pragma/option */
+#if defined(__clang__)
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wunknown-warning-option"
+#endif
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wformat-truncation"
+#endif
+
+ char buf[10] = { 'a' };
+ int ret = 0;
+
+ ret = snprintf(buf, sizeof(buf), "0123456789abcde");
+ assert_int_equal(ret, 15);
+ assert_int_equal(buf[9], '\0');
+
+ memset(buf, 'b', sizeof(buf));
+ ret = snprintf(buf, sizeof(buf), "- %d - %d -", 77, 88);
+ assert_int_equal(ret, 11);
+ assert_int_equal(buf[9], '\0');
+
+ memset(buf, 'c', sizeof(buf));
+ ret = snprintf(buf, sizeof(buf), "- %8.2f", 77.8899);
+ assert_int_equal(ret, 10);
+ assert_int_equal(buf[9], '\0');
+
+#if defined(__GNUC__)
+#pragma GCC diagnostic pop
+#if defined(__clang__)
+#pragma clang diagnostic pop
+#endif
+#endif
+}
+
int
main(void)
{
@@ -226,6 +333,9 @@ main(void)
cmocka_unit_test_setup_teardown(test_buffer_list_aggregate_separator_emptybuffers,
test_buffer_list_setup,
test_buffer_list_teardown),
+ cmocka_unit_test(test_character_class),
+ cmocka_unit_test(test_character_string_mod_buf),
+ cmocka_unit_test(test_snprintf)
};
return cmocka_run_group_tests_name("buffer", tests, NULL, NULL);

1617
backport-update-sample-keys.patch Normal file
View File

File diff suppressed because it is too large Load Diff

27
openvpn.spec
View File

@ -1,11 +1,17 @@
Name: openvpn
Version: 2.4.8
Release: 6
Release: 11
Summary: A full-featured open source SSL VPN solution
License: GPLv2 and OpenSSL and SSLeay
URL: https://community.openvpn.net/openvpn
Source0: https://swupdate.openvpn.org/community/releases/openvpn-%{version}.tar.gz
Patch0000: CVE-2020-11810.patch
Patch0001: CVE-2020-15078.patch
# https://github.com/OpenVPN/openvpn/commit/58ec3bb
Patch0002: CVE-2022-0547.patch
Patch0003: CVE-2024-28882.patch
Patch0004: CVE-2024-5594.patch
Patch0005: backport-update-sample-keys.patch
BuildRequires: openssl-devel lz4-devel systemd-devel lzo-devel
BuildRequires: iproute pam-devel pkcs11-helper-devel >= 1.11
@ -37,9 +43,7 @@ User guide and other related documents for %{name}.
%prep
%setup -q -n %{name}-%{version}
%patch00000 -p1
%autosetup -n %{name}-%{version} -p1 -S git
%build
%configure --enable-x509-alt-username --enable-iproute2 --with-crypto-library=openssl --enable-pkcs11 --enable-selinux --enable-systemd SYSTEMD_UNIT_DIR=%{_unitdir} TMPFILES_DIR=%{_tmpfilesdir} IPROUTE=/sbin/ip
@ -126,6 +130,21 @@ fi
%{_mandir}/man8/%{name}.8*
%changelog
* Wed Nov 06 2024 liningjie <liningjie@xfusion.com> - 2.4.8-11
- update sample-keys
* Sat Jul 20 2024 Funda Wang <fundawang@yeah.net> - 2.4.8-10
- Fix CVE-2024-5594
* Tue Jul 09 2024 zhangxianting <zhangxianting@uniontech.com> - 2.4.8-9
- Fix CVE-2024-28882
* Wed Mar 30 2022 wangkai <wangkai385@huawei.com> - 2.4.8-8
- Fix CVE-2022-0547
* Tue May 25 2021 wangyue <wangyue92@huawei.com> - 2.4.8-7
- fix CVE-2020-15078
* Wed Feb 10 2021 wangyue <wangyue92@huawei.com> 2.4.8-6
- Fix CVE-2020-11810