
Bug 938533 (CVE-2024-28882, CVE-2024-5594)

Summary: <net-vpn/openvpn-2.6.12: multiple vulnerabilities
Product: Gentoo Security
Component: Vulnerabilities
Status: IN_PROGRESS ---
Severity: normal
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Reporter: gentoobugs
Assignee: Gentoo Security <security>
CC: chutzpah, gentoobugs, pacho, williamh
Keywords: PullRequest
See Also: https://github.com/gentoo/gentoo/pull/39004
Whiteboard: B3 [stable?]
Package list:
Runtime testing required: ---

Description gentoobugs 2024-08-26 17:36:46 UTC
From 2.6.11 release notes:
"""
CVE-2024-4877: Windows: harden interactive service pipe.
Security scope: a malicious process with "some" elevated privileges
(SeImpersonatePrivilege) could open the pipe a second time, tricking
openvpn GUI into providing user credentials (tokens), getting full
access to the account openvpn-gui.exe runs as.
(Zeze with TeamT5)

CVE-2024-5594: control channel: refuse control channel messages with
nonprintable characters in them. Security scope: a malicious openvpn
peer can send garbage to openvpn log, or cause high CPU load.
(Reynir Björnsson)

CVE-2024-28882: only call schedule_exit() once (on a given peer).
Security scope: an authenticated client can make the server "keep the
session" even when the server has been told to disconnect this client
(Reynir Björnsson)
"""

There are also several Windows vulnerabilities in 2.6.10.

2.6.12 resolves a problem with the fix for CVE-2024-5594:
"""
the fix for CVE-2024-5594 (refuse control channel messages with
nonprintable characters) was too strict, breaking user configurations
with AUTH_FAIL messages having trailing CR/NL characters. This often
happens if the AUTH_FAIL reason is set by a script. Strip those before
testing the command buffer (github: #568). Also, add unit test.
""" 

Reproducible: Always
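
The CVE-2024-5594 check and its 2.6.12 relaxation quoted in the description, as an added example that is not OpenVPN's code and not part of the original report. The function names, the definition of "printable" as ASCII 0x20..0x7E, the rejection of empty messages and the sample messages are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumption for this example: "printable" means ASCII 0x20..0x7E. */
static bool is_printable(unsigned char c)
{
    return c >= 0x20 && c <= 0x7e;
}

/* Strict test, as described for 2.6.11: any nonprintable byte rejects the
 * message, so a trailing CR or LF is enough to fail it. Empty messages are
 * rejected as well (a choice made for this example). */
bool msg_ok_strict(const unsigned char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        if (!is_printable(buf[i])) {
            return false;
        }
    }
    return len > 0;
}

/* Relaxed test, as described for 2.6.12: strip trailing CR/LF first, then
 * apply the same test. *len is updated to the stripped length. */
bool msg_ok_stripped(const unsigned char *buf, size_t *len)
{
    while (*len > 0 && (buf[*len - 1] == '\r' || buf[*len - 1] == '\n')) {
        (*len)--;
    }
    return msg_ok_strict(buf, *len);
}

int main(void)
{
    /* Constructed sample messages, not captured traffic. */
    static const char *samples[] = {
        "AUTH_FAILED,account locked\r\n",   /* reason set by a script */
        "AUTH_FAILED,\x07" "beep",          /* embedded control byte */
        "AUTH_FAILED,a\r\nb",               /* CR/LF in the middle */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const unsigned char *p = (const unsigned char *)samples[i];
        size_t len = strlen(samples[i]);
        bool strict = msg_ok_strict(p, len);       /* before len is changed */
        bool stripped = msg_ok_stripped(p, &len);
        printf("sample %zu: strict=%d stripped=%d\n", i, strict, stripped);
    }
    return 0;
}
```

Only trailing CR/LF is tolerated: a line break or any other control byte inside the message is still refused, which keeps the log-garbage protection intact.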
Comment 1 Larry the Git Cow gentoo-dev 2024-12-01 12:42:28 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=314bc94029d37d3ad6ed566d1a46b7b4711cc426

commit 314bc94029d37d3ad6ed566d1a46b7b4711cc426
Author:     Christopher Fore <csfore@posteo.net>
AuthorDate: 2024-10-15 19:44:41 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-12-01 12:42:22 +0000

    net-vpn/openvpn: add 2.6.12, security bump
    
    - Tests pass
    
    Bug: https://bugs.gentoo.org/938533
    Signed-off-by: Christopher Fore <csfore@posteo.net>
    Closes: https://github.com/gentoo/gentoo/pull/39004
    Signed-off-by: Sam James <sam@gentoo.org>

 net-vpn/openvpn/Manifest              |   1 +
 net-vpn/openvpn/openvpn-2.6.12.ebuild | 199 ++++++++++++++++++++++++++++++++++
 2 files changed, 200 insertions(+)