From 77e79b2dd017c689f25a5a755728888ba3802b6b Mon Sep 17 00:00:00 2001
From: Magnus Kroken
Date: Wed, 27 Sep 2017 19:45:32 +0200
Subject: [PATCH] openvpn: update to 2.4.4
Fixes CVE-2017-12166: out of bounds write in key-method 1. Remove the mirror that was temporarily added during the 2.4.3 release.
Signed-off-by: Magnus Kroken
(cherry picked from commit a9a37526a9df3b565f5242857d17887cb492afab)
---
 package/network/services/openvpn/Makefile | 9 +-
 .../210-build_always_use_internal_lz4.patch | 83 ++++++++++++-------
 2 files changed, 58 insertions(+), 34 deletions(-)
diff --git a/package/network/services/openvpn/Makefile b/package/network/services/openvpn/Makefile
index a1aa196fad..9d8f047613 100644
--- a/package/network/services/openvpn/Makefile
+++ b/package/network/services/openvpn/Makefile
@@ -9,15 +9,14 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=openvpn
-PKG_VERSION:=2.4.3
-PKG_RELEASE:=2
+PKG_VERSION:=2.4.4
+PKG_RELEASE:=1
 PKG_SOURCE_URL:=\
 https://build.openvpn.net/downloads/releases/ \
- https://swupdate.openvpn.net/community/releases/ \
- http://www.eurephia.net/openvpn/
+ https://swupdate.openvpn.net/community/releases/
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
-PKG_HASH:=7aa86167a5b8923e54e8795b814ed77288c793671f59fd830d9ab76d4b480571
+PKG_HASH:=96cd1b8fe1e8cb2920f07c3fd3985faea756e16fdeebd11d3e146d5bd2b04a80
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION)
 PKG_MAINTAINER:=Felix Fietkau
diff --git a/package/network/services/openvpn/patches/210-build_always_use_internal_lz4.patch b/package/network/services/openvpn/patches/210-build_always_use_internal_lz4.patch
index b0fe00df9b..d49e0bf9ec 100644
--- a/package/network/services/openvpn/patches/210-build_always_use_internal_lz4.patch
+++ b/package/network/services/openvpn/patches/210-build_always_use_internal_lz4.patch
@@ -1,43 +1,68 @@
 --- a/configure.ac
+++ b/configure.ac -@@ -1076,37 +1076,14 @@ dnl +@@ -1068,62 +1068,15 @@ dnl AC_ARG_VAR([LZ4_CFLAGS], [C compiler flags for lz4]) AC_ARG_VAR([LZ4_LIBS], [linker flags for lz4]) if test "$enable_lz4" = "yes" && test "$enable_comp_stub" = "no"; then -- AC_CHECKING([for LZ4 Library and Header files]) -- havelz4lib=1 - +- if test -z "${LZ4_CFLAGS}" -a -z "${LZ4_LIBS}"; then +- # if the user did not explicitly specify flags, try to autodetect +- PKG_CHECK_MODULES([LZ4], +- [liblz4 >= 1.7.1], +- [have_lz4="yes"], +- [] # If this fails, we will do another test next +- ) +- fi + + saved_CFLAGS="${CFLAGS}" + saved_LIBS="${LIBS}" + CFLAGS="${CFLAGS} ${LZ4_CFLAGS}" + LIBS="${LIBS} ${LZ4_LIBS}" + +- # If pkgconfig check failed or LZ4_CFLAGS/LZ4_LIBS env vars +- # are used, check the version directly in the LZ4 include file +- if test "${have_lz4}" != "yes"; then +- AC_CHECK_HEADERS([lz4.h], +- [have_lz4h="yes"], +- []) +- +- if test "${have_lz4h}" = "yes" ; then +- AC_MSG_CHECKING([additionally if system LZ4 version >= 1.7.1]) +- AC_COMPILE_IFELSE( +- [AC_LANG_PROGRAM([[ +-#include +- ]], +- [[ +-/* Version encoding: MMNNPP (Major miNor Patch) - see lz4.h for details */ +-#if LZ4_VERSION_NUMBER < 10701L +-#error LZ4 is too old +-#endif +- ]] +- )], +- [ +- AC_MSG_RESULT([ok]) +- have_lz4="yes" +- ], +- [AC_MSG_RESULT([system LZ4 library is too old])] +- ) +- fi +- fi +- - # if LZ4_LIBS is set, we assume it will work, otherwise test - if test -z "${LZ4_LIBS}"; then -- AC_CHECK_LIB(lz4, LZ4_compress, -- [ LZ4_LIBS="-llz4" ], -- [ -- AC_MSG_RESULT([LZ4 library not found.]) -- havelz4lib=0 -- ]) +- AC_CHECK_LIB([lz4], +- [LZ4_compress], +- [LZ4_LIBS="-llz4"], +- [have_lz4="no"]) - fi -+ AC_MSG_RESULT([Using LZ4 library in src/compat/compat-lz4.*]) -+ AC_DEFINE([NEED_COMPAT_LZ4], [1], [use copy of LZ4 source in compat/]) -+ LZ4_LIBS="" - -- saved_CFLAGS="${CFLAGS}" -- CFLAGS="${CFLAGS} ${LZ4_CFLAGS}" -- AC_CHECK_HEADERS(lz4.h, -- , -- [ -- AC_MSG_RESULT([LZ4 headers not found.]) -- 
havelz4lib=0 -- ]) - -- if test $havelz4lib = 0 ; then -- AC_MSG_RESULT([LZ4 library or header not found, using version in src/compat/compat-lz4.*]) +- if test "${have_lz4}" != "yes" ; then +- AC_MSG_RESULT([ usuable LZ4 library or header not found, using version in src/compat/compat-lz4.*]) - AC_DEFINE([NEED_COMPAT_LZ4], [1], [use copy of LZ4 source in compat/]) - LZ4_LIBS="" - fi ++ AC_MSG_RESULT([ usuable LZ4 library or header not found, using version in src/compat/compat-lz4.*]) ++ AC_DEFINE([NEED_COMPAT_LZ4], [1], [use copy of LZ4 source in compat/]) ++ LZ4_LIBS="" OPTIONAL_LZ4_CFLAGS="${LZ4_CFLAGS}" OPTIONAL_LZ4_LIBS="${LZ4_LIBS}" - AC_DEFINE(ENABLE_LZ4, 1, [Enable LZ4 compression library]) -- CFLAGS="${saved_CFLAGS}" - fi - - + AC_DEFINE(ENABLE_LZ4, [1], [Enable LZ4 compression library])
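Review bot: The `AC_MSG_RESULT` line added in the refreshed configure.ac hunk now runs unconditionally, yet it still reports that a usable LZ4 library or header was "not found" (and keeps the "usuable" typo), even though the pkg-config, header and library probes above it are all removed. The previous revision of this patch printed a message that matched what the build does, and I would keep that wording: `AC_MSG_RESULT([Using LZ4 library in src/compat/compat-lz4.*])`. Because the `>= 1.7.1` version check is dropped and `NEED_COMPAT_LZ4` is always defined, LZ4 fixes presumably reach the image only through OpenVPN package updates. A one-line description at the top of the patch, along the lines of `Always build the bundled src/compat LZ4 copy; system liblz4 is deliberately not probed`, would record that intent for the next refresh.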