deleted file mode 100644
@@ -1,49 +0,0 @@
-From 2c1de0f0803360c0a6408f754066bd3a6fb28237 Mon Sep 17 00:00:00 2001
-From: Lev Stipakov <lstipakov@gmail.com>
-Date: Tue, 19 Mar 2024 17:16:07 +0200
-Subject: [PATCH] interactive.c: disable remote access to the service pipe
-
-Remote access to the service pipe is not needed and might
-be a potential attack vector.
-
-For example, if an attacker manages to get credentials for
-a user which is the member of "OpenVPN Administrators" group
-on a victim machine, an attacker might be able to communicate
-with the privileged interactive service on a victim machine
-and start openvpn processes remotely.
-
-CVE: 2024-24974
-
-Microsoft case number: 85925
-
-Reported-by: Vladimir Tokarev <vtokarev@microsoft.com>
-Change-Id: I8739c5f127e9ca0683fcdbd099dba9896ae46277
-Signed-off-by: Lev Stipakov <lev@openvpn.net>
-Acked-by: Heiko Hund <heiko@openvpn.net>
-Message-Id: <20240319151723.936-2-lev@openvpn.net>
-URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28419.html
-Signed-off-by: Gert Doering <gert@greenie.muc.de>
-
-CVE:CVE-2024-24974
-Upstream-Status: Backport [https://github.com/OpenVPN/openvpn/commit/2c1de0f0803360c0a6408f754066bd3a6fb28237]
-
-Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
----
- src/openvpnserv/interactive.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c
-index 3b120ae..5e3ff12 100644
---- a/src/openvpnserv/interactive.c
-+++ b/src/openvpnserv/interactive.c
-@@ -1994,7 +1994,7 @@ CreateClientPipeInstance(VOID)
-
- openvpn_sntprintf(pipe_name, _countof(pipe_name), TEXT("\\\\.\\pipe\\" PACKAGE "%s\\service"), service_instance);
- pipe = CreateNamedPipe(pipe_name, flags,
-- PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE,
-+ PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE | PIPE_REJECT_REMOTE_CLIENTS,
- PIPE_UNLIMITED_INSTANCES, 1024, 1024, 0, NULL);
- if (pipe == INVALID_HANDLE_VALUE)
- {
---
-2.40.0
deleted file mode 100644
@@ -1,99 +0,0 @@
-From 989b22cb6e007fd1addcfaf7d12f4fec9fbc9639 Mon Sep 17 00:00:00 2001
-From: Lev Stipakov <lstipakov@gmail.com>
-Date: Tue, 19 Mar 2024 17:27:11 +0200
-Subject: [PATCH] interactive.c: Fix potential stack overflow issue
-When reading message from the pipe, we first peek the pipe to get the size
-of the message waiting to be read and then read the message. A compromised
-OpenVPN process could send an excessively large message, which would result
-in a stack-allocated message buffer overflow.
-
-To address this, we terminate the misbehaving process if the peeked message
-size exceeds the maximum allowable size.
-
-CVE: 2024-27459
-Microsoft case number: 85932
-
-Reported-by: Vladimir Tokarev <vtokarev@microsoft.com>
-Change-Id: Ib5743cba0741ea11f9ee62c4978b2c6789b81ada
-Signed-off-by: Lev Stipakov <lev@openvpn.net>
-Acked-by: Heiko Hund <heiko@openvpn.net>
-Message-Id: <20240319152803.1801-2-lev@openvpn.net>
-URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28420.html
-Signed-off-by: Gert Doering <gert@greenie.muc.de>
-
-CVE:CVE-2024-27459
-Upstream-Status: Backport [https://github.com/OpenVPN/openvpn/commit/989b22cb6e007fd1addcfaf7d12f4fec9fbc9639]
-
-Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
----
- src/openvpnserv/interactive.c | 34 +++++++++++++++++++++-------------
- 1 file changed, 21 insertions(+), 13 deletions(-)
-
-diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c
-index 5e3ff12..f613b99 100644
---- a/src/openvpnserv/interactive.c
-+++ b/src/openvpnserv/interactive.c
-@@ -111,6 +111,18 @@ typedef struct {
- HANDLE device;
- } ring_buffer_handles_t;
-
-+typedef union {
-+ message_header_t header;
-+ address_message_t address;
-+ route_message_t route;
-+ flush_neighbors_message_t flush_neighbors;
-+ block_dns_message_t block_dns;
-+ dns_cfg_message_t dns;
-+ enable_dhcp_message_t dhcp;
-+ register_ring_buffers_message_t rrb;
-+ set_mtu_message_t mtu;
-+ wins_cfg_message_t wins;
-+} pipe_message_t;
-
- static DWORD
- AddListItem(list_item_t **pfirst, LPVOID data)
-@@ -1444,18 +1456,7 @@ static VOID
- HandleMessage(HANDLE pipe, HANDLE ovpn_proc, ring_buffer_handles_t *ring_buffer_handles,
- DWORD bytes, DWORD count, LPHANDLE events, undo_lists_t *lists)
- {
-- DWORD read;
-- union {
-- message_header_t header;
-- address_message_t address;
-- route_message_t route;
-- flush_neighbors_message_t flush_neighbors;
-- block_dns_message_t block_dns;
-- dns_cfg_message_t dns;
-- enable_dhcp_message_t dhcp;
-- register_ring_buffers_message_t rrb;
-- set_mtu_message_t mtu;
-- } msg;
-+ pipe_message_t msg;
- ack_message_t ack = {
- .header = {
- .type = msg_acknowledgement,
-@@ -1465,7 +1466,7 @@ HandleMessage(HANDLE pipe, HANDLE ovpn_proc, ring_buffer_handles_t *ring_buffer_
- .error_number = ERROR_MESSAGE_DATA
- };
-
-- read = ReadPipeAsync(pipe, &msg, bytes, count, events);
-+ DWORD read = ReadPipeAsync(pipe, &msg, bytes, count, events);
- if (read != bytes || read < sizeof(msg.header) || read != msg.header.size)
- {
- goto out;
-@@ -1884,6 +1885,13 @@ RunOpenvpn(LPVOID p)
- break;
- }
-
-+ if (bytes > sizeof(pipe_message_t))
-+ {
-+ /* process at the other side of the pipe is misbehaving, shut it down */
-+ MsgToEventLog(MSG_FLAGS_ERROR, TEXT("OpenVPN process sent too large payload length to the pipe (%lu bytes), it will be terminated"), bytes);
-+ break;
-+ }
-+
- HandleMessage(ovpn_pipe, proc_info.hProcess, &ring_buffer_handles, bytes, 1, &exit_event, &undo_lists);
- }
-
---
-2.40.0
deleted file mode 100644
@@ -1,119 +0,0 @@
-From aaea545d8a940f761898d736b68bcb067d503b1d Mon Sep 17 00:00:00 2001
-From: Lev Stipakov <lstipakov@gmail.com>
-Date: Tue, 19 Mar 2024 15:53:45 +0200
-Subject: [PATCH] win32: Enforce loading of plugins from a trusted directory
-
-Currently, there's a risk associated with allowing plugins to be loaded from
-any location. This update ensures plugins are only loaded from a trusted
-directory, which is either:
-
- - HKLM\SOFTWARE\OpenVPN\plugin_dir (or if the key is missing,
- then HKLM\SOFTWARE\OpenVPN, which is installation directory)
-
- - System directory
-
-Loading from UNC paths is disallowed.
-
-Note: This change affects only Windows environments.
-
-CVE: 2024-27903
-
-Change-Id: I154a4aaad9242c9253a64312a14c5fd2ea95f40d
-Reported-by: Vladimir Tokarev <vtokarev@microsoft.com>
-Signed-off-by: Lev Stipakov <lev@openvpn.net>
-Acked-by: Selva Nair <selva.nair@gmail.com>
-Message-Id: <20240319135355.1279-2-lev@openvpn.net>
-URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28416.html
-Signed-off-by: Gert Doering <gert@greenie.muc.de>
-
-CVE:CVE-2024-27903
-Upstream-Status: Backport [https://github.com/OpenVPN/openvpn/commit/aaea545d8a940f761898d736b68bcb067d503b1d]
-
-Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
----
- src/openvpn/plugin.c | 18 +++++++++++++++---
- src/openvpn/win32.c | 21 +++++++++------------
- 2 files changed, 24 insertions(+), 15 deletions(-)
-
-diff --git a/src/openvpn/plugin.c b/src/openvpn/plugin.c
-index ed5d7c0..f7315f4 100644
---- a/src/openvpn/plugin.c
-+++ b/src/openvpn/plugin.c
-@@ -279,11 +279,23 @@ plugin_init_item(struct plugin *p, const struct plugin_option *o)
-
- #else /* ifndef _WIN32 */
-
-- rel = !platform_absolute_pathname(p->so_pathname);
-- p->module = LoadLibraryW(wide_string(p->so_pathname, &gc));
-+ WCHAR *wpath = wide_string(p->so_pathname, &gc);
-+ WCHAR normalized_plugin_path[MAX_PATH] = {0};
-+ /* Normalize the plugin path, converting any relative paths to absolute paths. */
-+ if (!GetFullPathNameW(wpath, MAX_PATH, normalized_plugin_path, NULL))
-+ {
-+ msg(M_ERR, "PLUGIN_INIT: could not load plugin DLL: %ls. Failed to normalize plugin path.", wpath);
-+ }
-+
-+ if (!plugin_in_trusted_dir(normalized_plugin_path))
-+ {
-+ msg(M_FATAL, "PLUGIN_INIT: could not load plugin DLL: %ls. The DLL is not in a trusted directory.", normalized_plugin_path);
-+ }
-+
-+ p->module = LoadLibraryW(normalized_plugin_path);
- if (!p->module)
- {
-- msg(M_ERR, "PLUGIN_INIT: could not load plugin DLL: %s", p->so_pathname);
-+ msg(M_ERR, "PLUGIN_INIT: could not load plugin DLL: %ls", normalized_plugin_path);
- }
-
- #define PLUGIN_SYM(var, name, flags) dll_resolve_symbol(p->module, (void *)&p->var, name, p->so_pathname, flags)
-diff --git a/src/openvpn/win32.c b/src/openvpn/win32.c
-index e91e742..1e61ffa 100644
---- a/src/openvpn/win32.c
-+++ b/src/openvpn/win32.c
-@@ -1532,27 +1532,24 @@ openvpn_swprintf(wchar_t *const str, const size_t size, const wchar_t *const for
- return (len >= 0 && len < size);
- }
-
--static BOOL
--get_install_path(WCHAR *path, DWORD size)
-+bool
-+get_openvpn_reg_value(const WCHAR *key, WCHAR *value, DWORD size)
- {
- WCHAR reg_path[256];
-- HKEY key;
-- BOOL res = FALSE;
-+ HKEY hkey;
- openvpn_swprintf(reg_path, _countof(reg_path), L"SOFTWARE\\" PACKAGE_NAME);
-
-- LONG status = RegOpenKeyExW(HKEY_LOCAL_MACHINE, reg_path, 0, KEY_READ, &key);
-+ LONG status = RegOpenKeyExW(HKEY_LOCAL_MACHINE, reg_path, 0, KEY_READ, &hkey);
- if (status != ERROR_SUCCESS)
- {
-- return res;
-+ return false;
- }
-
-- /* The default value of REG_KEY is the install path */
-- status = RegGetValueW(key, NULL, NULL, RRF_RT_REG_SZ, NULL, (LPBYTE)path, &size);
-- res = status == ERROR_SUCCESS;
-+ status = RegGetValueW(hkey, NULL, key, RRF_RT_REG_SZ, NULL, (LPBYTE)value, &size);
-
-- RegCloseKey(key);
-+ RegCloseKey(hkey);
-
-- return res;
-+ return status == ERROR_SUCCESS;
- }
-
- static void
-@@ -1561,7 +1558,7 @@ set_openssl_env_vars()
- const WCHAR *ssl_fallback_dir = L"C:\\Windows\\System32";
-
- WCHAR install_path[MAX_PATH] = { 0 };
-- if (!get_install_path(install_path, _countof(install_path)))
-+ if (!get_openvpn_reg_value(NULL, install_path, _countof(install_path)))
- {
- /* if we cannot find installation path from the registry,
- * use Windows directory as a fallback
---
-2.40.0
similarity index 92%
rename from meta-networking/recipes-support/openvpn/openvpn_2.5.6.bb
rename to meta-networking/recipes-support/openvpn/openvpn_2.5.11.bb
@@ -2,7 +2,7 @@ SUMMARY = "A full-featured SSL VPN solution via tun device."
HOMEPAGE = "https://openvpn.net/"
SECTION = "net"
LICENSE = "GPL-2.0-only"
-LIC_FILES_CHKSUM = "file://COPYING;md5=b76abd82c14ee01cc34c4ff5e3627b89"
+LIC_FILES_CHKSUM = "file://COPYING;md5=132de9241e3147d49dbaead12acb0b22"
DEPENDS = "lzo openssl iproute2 ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
inherit autotools systemd update-rc.d
@@ -11,14 +11,11 @@ SRC_URI = "http://swupdate.openvpn.org/community/releases/${BP}.tar.gz \
file://openvpn \
file://openvpn@.service \
file://openvpn-volatile.conf \
- file://CVE-2024-24974.patch \
- file://CVE-2024-27459.patch \
- file://CVE-2024-27903.patch \
"
UPSTREAM_CHECK_URI = "https://openvpn.net/community-downloads"
-SRC_URI[sha256sum] = "333a7ef3d5b317968aca2c77bdc29aa7c6d6bb3316eb3f79743b59c53242ad3d"
+SRC_URI[sha256sum] = "7e2672119bd4639819d560f332a8b9b7e28f562425c77899f36d419fe4265f56"
# CVE-2020-7224 and CVE-2020-27569 are for Aviatrix OpenVPN client, not for openvpn.
CVE_CHECK_IGNORE += "CVE-2020-7224 CVE-2020-27569"