Re: SECURITY UPDATE: net/openvpn 2.4.3

Wed, 21 Jun 2017 04:55:03 -0700 

Paul Irofti <p...@irofti.net> writes:

> The following fixes 4 remote holes. OK? :)

Nope, please don't blindly delete patches that don't apply. ;)

My take:


Index: Makefile
===================================================================
RCS file: /d/cvs/ports/net/openvpn/Makefile,v
retrieving revision 1.78
diff -u -p -r1.78 Makefile
--- Makefile    11 Jun 2017 12:15:50 -0000      1.78
+++ Makefile    21 Jun 2017 11:50:44 -0000
@@ -2,8 +2,7 @@
 
 COMMENT=       easy-to-use, robust, and highly configurable VPN
 
-DISTNAME=      openvpn-2.4.2
-REVISION=      2
+DISTNAME=      openvpn-2.4.3
 CATEGORIES=    net security
 
 HOMEPAGE=      https://openvpn.net/index.php/open-source/
Index: distinfo
===================================================================
RCS file: /d/cvs/ports/net/openvpn/distinfo,v
retrieving revision 1.37
diff -u -p -r1.37 distinfo
--- distinfo    14 May 2017 16:43:33 -0000      1.37
+++ distinfo    21 Jun 2017 11:50:44 -0000
@@ -1,2 +1,2 @@
-SHA256 (openvpn-2.4.2.tar.gz) = skdAydRKgeryvvxIRtUURaUgEEMh4yqvDBNe0uCYpiQ=
-SIZE (openvpn-2.4.2.tar.gz) = 1402516
+SHA256 (openvpn-2.4.3.tar.gz) = hKAao98MEqNVLKO6qjnXABN7W85LbeaD/of7eb+l3ws=
+SIZE (openvpn-2.4.3.tar.gz) = 1397306
Index: patches/patch-configure
===================================================================
RCS file: /d/cvs/ports/net/openvpn/patches/patch-configure,v
retrieving revision 1.16
diff -u -p -r1.16 patch-configure
--- patches/patch-configure     14 May 2017 16:43:33 -0000      1.16
+++ patches/patch-configure     21 Jun 2017 11:50:44 -0000
@@ -2,7 +2,7 @@ $OpenBSD: patch-configure,v 1.16 2017/05
 Index: configure
 --- configure.orig
 +++ configure
-@@ -17187,7 +17187,7 @@ else
+@@ -17318,7 +17318,7 @@ else
  fi
  
  
Index: patches/patch-include_openvpn-plugin_h_in
===================================================================
RCS file: patches/patch-include_openvpn-plugin_h_in
diff -N patches/patch-include_openvpn-plugin_h_in
--- patches/patch-include_openvpn-plugin_h_in   15 May 2017 14:30:56 -0000      
1.1
+++ /dev/null   1 Jan 1970 00:00:00 -0000
@@ -1,15 +0,0 @@
-$OpenBSD: patch-include_openvpn-plugin_h_in,v 1.1 2017/05/15 14:30:56 jca Exp $
-
-Include stddef.h for size_t.
-
-Index: include/openvpn-plugin.h.in
---- include/openvpn-plugin.h.in.orig
-+++ include/openvpn-plugin.h.in
-@@ -44,6 +44,7 @@ typedef X509 openvpn_x509_cert_t;
- #endif
- 
- #include <stdarg.h>
-+#include <stddef.h>
- 
- #ifdef __cplusplus
- extern "C" {
Index: patches/patch-src_openvpn_route_c
===================================================================
RCS file: /d/cvs/ports/net/openvpn/patches/patch-src_openvpn_route_c,v
retrieving revision 1.10
diff -u -p -r1.10 patch-src_openvpn_route_c
--- patches/patch-src_openvpn_route_c   11 Jun 2017 12:15:50 -0000      1.10
+++ patches/patch-src_openvpn_route_c   21 Jun 2017 11:50:44 -0000
@@ -2,12 +2,10 @@ $OpenBSD: patch-src_openvpn_route_c,v 1.
 
 - add support for on-link routes
 
-- add support for non-0 routing tables
-  
https://github.com/OpenVPN/openvpn/commit/3dd30bfe5fdf9f34afe7f847b4e30156982d9ff0
-
---- src/openvpn/route.c.orig   Thu Mar 23 02:34:21 2017
-+++ src/openvpn/route.c        Wed Apr 12 18:06:40 2017
-@@ -1778,12 +1778,17 @@ add_route(struct route_ipv4 *r,
+Index: src/openvpn/route.c
+--- src/openvpn/route.c.orig
++++ src/openvpn/route.c
+@@ -1777,12 +1777,17 @@ add_route(struct route_ipv4 *r,
      }
  #endif
  
@@ -28,23 +26,3 @@ $OpenBSD: patch-src_openvpn_route_c,v 1.
  
      argv_msg(D_ROUTE, &argv);
      status = openvpn_execve_check(&argv, es, 0, "ERROR: OpenBSD/NetBSD route 
add command failed");
-@@ -3597,6 +3602,9 @@ get_default_gateway(struct route_gateway_info *rgi)
-     rtm.rtm_flags = RTF_UP | RTF_GATEWAY;
-     rtm.rtm_version = RTM_VERSION;
-     rtm.rtm_seq = ++seq;
-+#ifdef TARGET_OPENBSD
-+    rtm.rtm_tableid = getrtable();
-+#endif
-     rtm.rtm_addrs = rtm_addrs;
- 
-     so_dst.sa_family = AF_INET;
-@@ -3812,6 +3820,9 @@ get_default_gateway_ipv6(struct route_ipv6_gateway_inf
-     rtm.rtm_flags = RTF_UP;
-     rtm.rtm_version = RTM_VERSION;
-     rtm.rtm_seq = ++seq;
-+#ifdef TARGET_OPENBSD
-+    rtm.rtm_tableid = getrtable();
-+#endif
- 
-     so_dst.sin6_family = AF_INET6;
-     so_mask.sin6_family = AF_INET6;
Index: patches/patch-src_openvpn_syshead_h
===================================================================
RCS file: patches/patch-src_openvpn_syshead_h
diff -N patches/patch-src_openvpn_syshead_h
--- patches/patch-src_openvpn_syshead_h 11 Jun 2017 12:15:50 -0000      1.4
+++ /dev/null   1 Jan 1970 00:00:00 -0000
@@ -1,18 +0,0 @@
-$OpenBSD: patch-src_openvpn_syshead_h,v 1.4 2017/06/11 12:15:50 jca Exp $
-
-- missing include
-  
https://github.com/OpenVPN/openvpn/commit/e5b236eaba4512f86da917a0a63dd0f84e1b02db
-
---- src/openvpn/syshead.h.orig Wed Feb 15 11:34:39 2017
-+++ src/openvpn/syshead.h      Wed Feb 15 11:35:49 2017
-@@ -288,6 +288,10 @@
- #include <netinet/ip.h>
- #endif
- 
-+#ifdef HAVE_NETINET_TCP_H
-+#include <netinet/tcp.h>
-+#endif
-+
- #ifdef HAVE_NET_IF_TUN_H
- #include <net/if_tun.h>
- #endif
Index: patches/patch-src_openvpn_tun_c
===================================================================
RCS file: /d/cvs/ports/net/openvpn/patches/patch-src_openvpn_tun_c,v
retrieving revision 1.14
diff -u -p -r1.14 patch-src_openvpn_tun_c
--- patches/patch-src_openvpn_tun_c     11 Jun 2017 12:15:50 -0000      1.14
+++ patches/patch-src_openvpn_tun_c     21 Jun 2017 11:50:44 -0000
@@ -2,13 +2,10 @@ $OpenBSD: patch-src_openvpn_tun_c,v 1.14
 
 - no need for link0 any more, we have separate tap interfaces
 
-- fix bus error in write_tun_header() due to misaligned access
-  
https://github.com/OpenVPN/openvpn/commit/3e4e300d6c5ea9c320e62def79e5b70f8e255248
-
 Index: src/openvpn/tun.c
 --- src/openvpn/tun.c.orig
 +++ src/openvpn/tun.c
-@@ -1201,7 +1201,7 @@ do_ifconfig(struct tuntap *tt,
+@@ -1200,7 +1200,7 @@ do_ifconfig(struct tuntap *tt,
          if (tun)
          {
              argv_printf(&argv,
@@ -17,7 +14,7 @@ Index: src/openvpn/tun.c
                          IFCONFIG_PATH,
                          actual,
                          ifconfig_local,
-@@ -1213,7 +1213,7 @@ do_ifconfig(struct tuntap *tt,
+@@ -1212,7 +1212,7 @@ do_ifconfig(struct tuntap *tt,
          {
              remote_end = create_arbitrary_remote( tt );
              argv_printf(&argv,
@@ -26,7 +23,7 @@ Index: src/openvpn/tun.c
                          IFCONFIG_PATH,
                          actual,
                          ifconfig_local,
-@@ -1224,8 +1224,13 @@ do_ifconfig(struct tuntap *tt,
+@@ -1223,8 +1223,13 @@ do_ifconfig(struct tuntap *tt,
          }
          else
          {
@@ -41,18 +38,3 @@ Index: src/openvpn/tun.c
                          IFCONFIG_PATH,
                          actual,
                          ifconfig_local,
-@@ -1654,11 +1659,11 @@ write_tun_header(struct tuntap *tt, uint8_t *buf, int 
-     {
-         u_int32_t type;
-         struct iovec iv[2];
--        struct ip *iph;
-+        struct openvpn_iphdr *iph;
- 
--        iph = (struct ip *) buf;
-+        iph = (struct openvpn_iphdr *) buf;
- 
--        if (iph->ip_v == 6)
-+        if (OPENVPN_IPH_GET_VER(iph->version_len) == 6)
-         {
-             type = htonl(AF_INET6);
-         }


-- 
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE

Reply via email to