Bug 938533 (CVE-2024-28882, CVE-2024-5594) - <net-vpn/openvpn-2.6.12: multiple vulnerabilities
Summary: <net-vpn/openvpn-2.6.12: multiple vulnerabilities
Status: IN_PROGRESS
Alias: CVE-2024-28882, CVE-2024-5594
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: B3 [stable?]
Keywords: PullRequest
Reported: 2024-08-26 17:36 UTC by gentoobugs
Modified: 2024-12-08 14:43 UTC

Description gentoobugs 2024-08-26 17:36:46 UTC
From 2.6.11 release notes:
"""
CVE-2024-4877: Windows: harden interactive service pipe.
Security scope: a malicious process with "some" elevated privileges
(SeImpersonatePrivilege) could open the pipe a second time, tricking
openvpn GUI into providing user credentials (tokens), getting full
access to the account openvpn-gui.exe runs as.
(Zeze with TeamT5)

CVE-2024-5594: control channel: refuse control channel messages with
nonprintable characters in them. Security scope: a malicious openvpn
peer can send garbage to openvpn log, or cause high CPU load.
(Reynir Björnsson)

CVE-2024-28882: only call schedule_exit() once (on a given peer).
Security scope: an authenticated client can make the server "keep the
session" even when the server has been told to disconnect this client
(Reynir Björnsson)
"""

There are also several Windows vulnerabilities in 2.6.10.

2.6.12 resolves a problem with the fix for CVE-2024-5594:
"""
the fix for CVE-2024-5594 (refuse control channel messages with
nonprintable characters) was too strict, breaking user configurations
with AUTH_FAIL messages having trailing CR/NL characters. This often
happens if the AUTH_FAIL reason is set by a script. Strip those before
testing the command buffer (github: #568). Also, add unit test.
""" 

Reproducible: Always
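
The difference between the two behaviours quoted above for CVE-2024-5594 (refuse any nonprintable character, versus strip trailing CR/NL first and then test), as an added example that is not OpenVPN's code or part of this bug report. The function names are hypothetical, "printable" is assumed to mean ASCII 0x20..0x7e, and the sample messages are constructed:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper names; assumption: "printable" = ASCII 0x20..0x7e. */
static bool all_printable(const char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)buf[i];
        if (c < 0x20 || c > 0x7e)
            return false;
    }
    return true;
}

/* Strict behaviour: any nonprintable byte, trailing CR/NL included, refuses. */
static bool accept_strict(const char *msg, size_t len)
{
    return all_printable(msg, len);
}

/* Relaxed behaviour: strip trailing CR/NL, then test what is left.
 * The trimmed length is returned through *out_len. */
static bool accept_after_strip(const char *msg, size_t len, size_t *out_len)
{
    while (len > 0 && (msg[len - 1] == '\r' || msg[len - 1] == '\n'))
        len--;
    *out_len = len;
    return all_printable(msg, len);
}

int main(void)
{
    /* Constructed sample messages, not captured traffic. */
    const char *samples[] = {
        "AUTH_FAILED,reason set by script\r\n", /* trailing CR/NL only */
        "AUTH_FAILED,\001garbage",              /* embedded control byte */
        "AUTH_FAILED,line1\r\nline2",           /* CR/NL in the middle */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t n, len = strlen(samples[i]);
        bool strict = accept_strict(samples[i], len);
        bool relaxed = accept_after_strip(samples[i], len, &n);
        printf("sample %zu: strict=%d relaxed=%d kept=%zu\n", i, strict, relaxed, n);
    }
    return 0;
}
```

Only the first sample changes outcome between the two checks; a CR/NL in the middle of a message is still refused because only trailing bytes are stripped.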
Comment 1 Larry the Git Cow gentoo-dev 2024-12-01 12:42:28 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=314bc94029d37d3ad6ed566d1a46b7b4711cc426

commit 314bc94029d37d3ad6ed566d1a46b7b4711cc426
Author:     Christopher Fore <csfore@posteo.net>
AuthorDate: 2024-10-15 19:44:41 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-12-01 12:42:22 +0000

    net-vpn/openvpn: add 2.6.12, security bump
    
    - Tests pass
    
    Bug: https://bugs.gentoo.org/938533
    Signed-off-by: Christopher Fore <csfore@posteo.net>
    Closes: https://github.com/gentoo/gentoo/pull/39004
    Signed-off-by: Sam James <sam@gentoo.org>

 net-vpn/openvpn/Manifest              |   1 +
 net-vpn/openvpn/openvpn-2.6.12.ebuild | 199 ++++++++++++++++++++++++++++++++++
 2 files changed, 200 insertions(+)