Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package openfortivpn for openSUSE:Factory 
checked in at 2022-04-01 21:36:47
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openfortivpn (Old)
 and      /work/SRC/openSUSE:Factory/.openfortivpn.new.1900 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "openfortivpn"

Fri Apr  1 21:36:47 2022 rev:20 rq:966430 version:1.17.2

Changes:
--------
--- /work/SRC/openSUSE:Factory/openfortivpn/openfortivpn.changes        
2022-01-15 00:38:08.237484516 +0100
+++ /work/SRC/openSUSE:Factory/.openfortivpn.new.1900/openfortivpn.changes      
2022-04-01 21:38:13.652100930 +0200
@@ -1,0 +2,11 @@
+Thu Mar 31 14:59:12 UTC 2022 - Martin Hauke <mar...@gmx.de>
+
+- Update to version 1.17.2
+  * fix memory leak when reading user input
+  * improve calls to getsockopt() and associated debug output
+  * allow reading config from process substitution
+  * work around CodeQL false positives, improving code at the same
+    time
+  * change type of systemd.service from simple to notify
+
+-------------------------------------------------------------------

Old:
----
  openfortivpn-1.17.1.tar.gz

New:
----
  openfortivpn-1.17.2.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ openfortivpn.spec ++++++
--- /var/tmp/diff_new_pack.tJFPAa/_old  2022-04-01 21:38:14.120095797 +0200
+++ /var/tmp/diff_new_pack.tJFPAa/_new  2022-04-01 21:38:14.128095709 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package openfortivpn
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@
 
 
 Name:           openfortivpn
-Version:        1.17.1
+Version:        1.17.2
 Release:        0
 Summary:        Client for PPP+SSL VPN tunnel services
 License:        GPL-3.0-or-later

++++++ harden_openfortivpn@.service.patch ++++++
--- /var/tmp/diff_new_pack.tJFPAa/_old  2022-04-01 21:38:14.152095446 +0200
+++ /var/tmp/diff_new_pack.tJFPAa/_new  2022-04-01 21:38:14.152095446 +0200
@@ -1,10 +1,10 @@
-Index: openfortivpn-1.17.1/lib/systemd/system/openforti...@.service.in
-===================================================================
---- openfortivpn-1.17.1.orig/lib/systemd/system/openforti...@.service.in
-+++ openfortivpn-1.17.1/lib/systemd/system/openforti...@.service.in
+diff --git a/lib/systemd/system/openforti...@.service.in 
b/lib/systemd/system/openforti...@.service.in
+index 154bf60..7336b8f 100644
+--- a/lib/systemd/system/openforti...@.service.in
++++ b/lib/systemd/system/openforti...@.service.in
 @@ -6,6 +6,17 @@ Documentation=man:openfortivpn(1)
  [Service]
- Type=simple
+ Type=notify
  PrivateTmp=true
 +# added automatically, for details please see
 +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort

++++++ openfortivpn-1.17.1.tar.gz -> openfortivpn-1.17.2.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/openfortivpn-1.17.1/.github/workflows/codeql-analysis.yml 
new/openfortivpn-1.17.2/.github/workflows/codeql-analysis.yml
--- old/openfortivpn-1.17.1/.github/workflows/codeql-analysis.yml       
2021-09-08 10:25:03.000000000 +0200
+++ new/openfortivpn-1.17.2/.github/workflows/codeql-analysis.yml       
2022-03-31 08:30:13.000000000 +0200
@@ -41,6 +41,7 @@
     - name: Initialize CodeQL
       uses: github/codeql-action/init@v1
       with:
+        queries: +security-extended
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a 
config file.
         # By default, queries listed here will override any specified in a 
config file.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/openfortivpn-1.17.1/.github/workflows/openfortivpn.yml 
new/openfortivpn-1.17.2/.github/workflows/openfortivpn.yml
--- old/openfortivpn-1.17.1/.github/workflows/openfortivpn.yml  2021-09-08 
10:25:03.000000000 +0200
+++ new/openfortivpn-1.17.2/.github/workflows/openfortivpn.yml  2022-03-31 
08:30:13.000000000 +0200
@@ -41,7 +41,9 @@
         uses: actions/checkout@v2
 
       - name: Install Dependencies
-        run: ./tests/ci/install_openssl.sh $HOME/.openfortivpn-deps
+        run: |
+          sudo apt-get install -y pkg-config
+          ./tests/ci/install_openssl.sh $HOME/.openfortivpn-deps
 
       - name: Build
         run: |
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openfortivpn-1.17.1/CHANGELOG.md 
new/openfortivpn-1.17.2/CHANGELOG.md
--- old/openfortivpn-1.17.1/CHANGELOG.md        2021-09-08 10:25:03.000000000 
+0200
+++ new/openfortivpn-1.17.2/CHANGELOG.md        2022-03-31 08:30:13.000000000 
+0200
@@ -14,6 +14,14 @@
 This high level changelog is usually updated when a release is tagged.
 On the master branch there may be changes that are not (yet) described here.
 
+### 1.17.2
+
+* [-] fix memory leak when reading user input
+* [-] improve calls to getsockopt() and associated debug output
+* [+] allow reading config from process substitution
+* [-] work around CodeQL false positives, improving code at the same time
+* [~] change type of systemd.service from simple to notify
+
 ### 1.17.1
 
 * [-] fix regression: enable OpenSSL engines by default
@@ -188,7 +196,7 @@
 
 ### 1.6.0
 
-* [-] Fix possible buffer overflow in in long requests
+* [-] Fix possible buffer overflow in long requests
 * [~] Code improvements in terms of header inclusion and some other coverity 
warnings
 * [+] Add proxy support
 * [~] Use the compiled-in fixed full path to pppd
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openfortivpn-1.17.1/LICENSE 
new/openfortivpn-1.17.2/LICENSE
--- old/openfortivpn-1.17.1/LICENSE     2021-09-08 10:25:03.000000000 +0200
+++ new/openfortivpn-1.17.2/LICENSE     2022-03-31 08:30:13.000000000 +0200
@@ -1,7 +1,7 @@
                     GNU GENERAL PUBLIC LICENSE
                        Version 3, 29 June 2007
 
- Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>
+ Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
  Everyone is permitted to copy and distribute verbatim copies
  of this license document, but changing it is not allowed.
 
@@ -645,7 +645,7 @@
     GNU General Public License for more details.
 
     You should have received a copy of the GNU General Public License
-    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
 
 Also add information on how to contact you by electronic and paper mail.
 
@@ -664,14 +664,14 @@
   You should also get your employer (if you work as a programmer) or school,
 if any, to sign a "copyright disclaimer" for the program, if necessary.
 For more information on this, and how to apply and follow the GNU GPL, see
-<http://www.gnu.org/licenses/>.
+<https://www.gnu.org/licenses/>.
 
   The GNU General Public License does not permit incorporating your program
 into proprietary programs.  If your program is a subroutine library, you
 may consider it more useful to permit linking proprietary applications with
 the library.  If this is what you want to do, use the GNU Lesser General
 Public License instead of this License.  But first, please read
-<http://www.gnu.org/philosophy/why-not-lgpl.html>.
+<https://www.gnu.org/licenses/why-not-lgpl.html>.
 
                             Exception
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openfortivpn-1.17.1/README.md 
new/openfortivpn-1.17.2/README.md
--- old/openfortivpn-1.17.1/README.md   2021-09-08 10:25:03.000000000 +0200
+++ new/openfortivpn-1.17.2/README.md   2022-03-31 08:30:13.000000000 +0200
@@ -32,10 +32,16 @@
   openfortivpn vpn-gateway:8443 --username=foo --pinentry=pinentry-mac
   ```
 
+* Connect with a user certificate and no password:
+  ```
+  openfortivpn vpn-gateway:8443 --username= --password= --user-cert=cert.pem 
--user-key=key.pem
+  ```
+
 * Don't set IP routes and don't add VPN nameservers to `/etc/resolv.conf`:
   ```
   openfortivpn vpn-gateway:8443 -u foo --no-routes --no-dns --pppd-no-peerdns
   ```
+
 * Using a configuration file:
   ```
   openfortivpn -c /etc/openfortivpn/my-config
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openfortivpn-1.17.1/configure.ac 
new/openfortivpn-1.17.2/configure.ac
--- old/openfortivpn-1.17.1/configure.ac        2021-09-08 10:25:03.000000000 
+0200
+++ new/openfortivpn-1.17.2/configure.ac        2022-03-31 08:30:13.000000000 
+0200
@@ -2,7 +2,7 @@
 # Process this file with autoconf to produce a configure script.
 
 AC_PREREQ([2.63])
-AC_INIT([openfortivpn], [1.17.1])
+AC_INIT([openfortivpn], [1.17.2])
 AC_CONFIG_SRCDIR([src/main.c])
 AM_INIT_AUTOMAKE([foreign subdir-objects])
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/openfortivpn-1.17.1/lib/systemd/system/openforti...@.service.in 
new/openfortivpn-1.17.2/lib/systemd/system/openforti...@.service.in
--- old/openfortivpn-1.17.1/lib/systemd/system/openforti...@.service.in 
2021-09-08 10:25:03.000000000 +0200
+++ new/openfortivpn-1.17.2/lib/systemd/system/openforti...@.service.in 
2022-03-31 08:30:13.000000000 +0200
@@ -4,7 +4,7 @@
 Documentation=man:openfortivpn(1)
 
 [Service]
-Type=simple
+Type=notify
 PrivateTmp=true
 ExecStart=@BINDIR@/openfortivpn -c @SYSCONFDIR@/openfortivpn/%I.conf
 OOMScoreAdjust=-100
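Review bot: `Type=notify` makes systemd hold the unit in "activating" until the process sends READY=1, and nothing in this unit shows that the installed binary does so. If openfortivpn can be built without sd_notify support, such a build would never report readiness and would be stopped when the start timeout expires. A comment above the line stating the requirement, for example `# Type=notify requires a build with libsystemd (sd_notify)`, or a configure-time substitution that falls back to `simple`, would keep the two in step.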
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openfortivpn-1.17.1/src/config.c 
new/openfortivpn-1.17.2/src/config.c
--- old/openfortivpn-1.17.1/src/config.c        2021-09-08 10:25:03.000000000 
+0200
+++ new/openfortivpn-1.17.2/src/config.c        2022-03-31 08:30:13.000000000 
+0200
@@ -183,7 +183,9 @@
        int ret = ERR_CFG_UNKNOWN;
        FILE *file;
        struct stat stat;
-       char *buffer, *line, *saveptr = NULL;
+       char *line = NULL;
+       size_t len = 0;
+       ssize_t read;
 
        file = fopen(filename, "r");
        if (file == NULL)
@@ -193,31 +195,19 @@
                ret = ERR_CFG_SEE_ERRNO;
                goto err_close;
        }
-       if (stat.st_size == 0) {
-               ret = ERR_CFG_EMPTY_FILE;
-               goto err_close;
-       }
-
-       buffer = malloc(stat.st_size + 1);
-       if (buffer == NULL) {
-               ret = ERR_CFG_NO_MEM;
-               goto err_close;
-       }
-
-       // Copy all file contents at once
-       if (fread(buffer, stat.st_size, 1, file) != 1) {
-               ret = ERR_CFG_CANNOT_READ;
-               goto err_free;
-       }
-
-       buffer[stat.st_size] = '\0';
 
        // Read line by line
-       for (line = strtok_r(buffer, "\n", &saveptr); line != NULL;
-            line = strtok_r(NULL, "\n", &saveptr)) {
+       while ((read = getline(&line, &len, file)) != -1) {
                char *key, *equals, *val;
                int i;
 
+               // Ignore blank lines. We could argue that the string must be 
at least
+               // 3 chars to be valid, eg. 'x=\n' but let the rest of the 
function
+               // logic handle that. NOTE: getline includes the '\n' in the 
string,
+               // which is removed later on.
+               if (read < 2)
+                       continue;
+
                if (line[0] == '#')
                        continue;
 
@@ -254,14 +244,14 @@
                        strncpy(cfg->gateway_host, val, GATEWAY_HOST_SIZE);
                        cfg->gateway_host[GATEWAY_HOST_SIZE] = '\0';
                } else if (strcmp(key, "port") == 0) {
-                       unsigned long port = strtoul(val, NULL, 0);
+                       long port = strtol(val, NULL, 0);
 
-                       if (port == 0 || port > 65535) {
-                               log_warn("Bad port in configuration file: 
\"%lu\".\n",
+                       if (port < 1 || port > 65535) {
+                               log_warn("Bad port in configuration file: 
\"%ld\".\n",
                                         port);
                                continue;
                        }
-                       cfg->gateway_port = port;
+                       cfg->gateway_port = (uint16_t)port;
                } else if (strcmp(key, "username") == 0) {
                        strncpy(cfg->username, val, USERNAME_SIZE);
                        cfg->username[USERNAME_SIZE] = '\0';
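Review bot: `strtol(val, NULL, 0)` throws away the end pointer, so the new range check only validates the leading digits: a value such as `443x` is accepted as 443, and a string with no digits at all is only rejected because it happens to parse as 0. Passing an end pointer and extending the test to `if (end == val || *end != '\0' || port < 1 || port > 65535)` would validate the whole value before the `(uint16_t)` cast. Base 0 also accepts octal and hexadecimal spellings, which may or may not be intended for a port. The same pattern appears in the src/main.c hunk that parses `port_str`; the enclosing function starts and ends outside this hunk.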
@@ -460,18 +450,24 @@
                        cfg->check_virtual_desktop = strdup(val);
                } else {
                        log_warn("Bad key in configuration file: \"%s\".\n", 
key);
-                       goto err_free;
+                       goto err_close;
                }
        }
 
-       ret = 0;
+       if (errno != 0) // From getline
+               ret = ERR_CFG_SEE_ERRNO;
+       else
+               ret = 0;
 
-err_free:
-       free(buffer);
 err_close:
-       if (fclose(file))
+       if (fclose(file)) {
                log_warn("Could not close %s (%s).\n", filename, 
strerror(errno));
-
+               if (ret == ERR_CFG_SEE_ERRNO) {
+                       // fclose just ruined the errno, so don't rely on it 
anymore.
+                       ret = ERR_CFG_UNKNOWN;
+               }
+       }
+       free(line);
        return ret;
 }
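Review bot: The `if (errno != 0)` test after the loop can report a failure that did not happen, because errno is never cleared before the getline() loop and getline() does not reset it when it returns -1 at end of file. Any call made earlier or inside the loop body (the strtol() in the port branch appears to be one) can leave a stale value that turns a clean parse into ERR_CFG_SEE_ERRNO. Testing the stream state instead, `if (!feof(file)) ret = ERR_CFG_SEE_ERRNO; else ret = 0;`, separates a read or allocation failure from a normal end of file while leaving errno as getline() set it. The function begins outside this hunk.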
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openfortivpn-1.17.1/src/io.c 
new/openfortivpn-1.17.2/src/io.c
--- old/openfortivpn-1.17.1/src/io.c    2021-09-08 10:25:03.000000000 +0200
+++ new/openfortivpn-1.17.2/src/io.c    2022-03-31 08:30:13.000000000 +0200
@@ -647,7 +647,7 @@
         */
        if (setsockopt(tunnel->ssl_socket, IPPROTO_TCP, TCP_NODELAY,
                       (const char *) &tcp_nodelay_flag, sizeof(int))) {
-               log_error("setsockopt: %s\n", strerror(errno));
+               log_error("setsockopt TCP_NODELAY: %s\n", strerror(errno));
                goto err_sockopt;
        }
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openfortivpn-1.17.1/src/ipv4.c 
new/openfortivpn-1.17.2/src/ipv4.c
--- old/openfortivpn-1.17.1/src/ipv4.c  2021-09-08 10:25:03.000000000 +0200
+++ new/openfortivpn-1.17.2/src/ipv4.c  2022-03-31 08:30:13.000000000 +0200
@@ -33,6 +33,7 @@
 #include <stdlib.h>
 #include <stdint.h>
 #include <string.h>
+#include <assert.h>
 
 #define IPV4_GET_ROUTE_BUFFER_CHUNK_SIZE 65536
 #define SHOW_ROUTE_BUFFER_SIZE 128
@@ -835,7 +836,7 @@
                              char *gateway)
 {
        struct rtentry *route;
-       char env_var[24];
+       char env_var[24]; // strlen("VPN_ROUTE_GATEWAY_") + strlen("65535") + 1
 
 #if HAVE_USR_SBIN_PPPD
        add_text_route(tunnel, dest, mask, gateway);
@@ -853,13 +854,14 @@
                tunnel->ipv4.split_rt = new_ptr;
        }
 
+       assert(tunnel->ipv4.split_routes >= 0 &&
+              tunnel->ipv4.split_routes < MAX_SPLIT_ROUTES);
        sprintf(env_var, "VPN_ROUTE_DEST_%d", tunnel->ipv4.split_routes);
        setenv(env_var, dest, 0);
        sprintf(env_var, "VPN_ROUTE_MASK_%d", tunnel->ipv4.split_routes);
        setenv(env_var, mask, 0);
        if (gateway != NULL) {
-               sprintf(env_var, "VPN_ROUTE_GATEWAY_%d",
-                       tunnel->ipv4.split_routes);
+               sprintf(env_var, "VPN_ROUTE_GATEWAY_%d", 
tunnel->ipv4.split_routes);
                setenv(env_var, gateway, 0);
        }
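Review bot: The added assert() is the only thing keeping the `sprintf()` calls inside `env_var[24]`, and assert() compiles to nothing when NDEBUG is defined. `%d` of an int can print up to 11 characters, so `VPN_ROUTE_GATEWAY_%d` needs up to 30 bytes if split_routes ever leaves the expected range. Bounding the writes themselves removes that dependency: `snprintf(env_var, sizeof(env_var), "VPN_ROUTE_DEST_%d", tunnel->ipv4.split_routes);` and likewise for the MASK and GATEWAY names. The value of MAX_SPLIT_ROUTES is not visible here, and the function starts and ends outside this hunk.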
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openfortivpn-1.17.1/src/main.c 
new/openfortivpn-1.17.2/src/main.c
--- old/openfortivpn-1.17.1/src/main.c  2021-09-08 10:25:03.000000000 +0200
+++ new/openfortivpn-1.17.2/src/main.c  2022-03-31 08:30:13.000000000 +0200
@@ -591,13 +591,16 @@
                host = argv[optind++];
                port_str = strchr(host, ':');
                if (port_str != NULL) {
+                       long port;
+
                        port_str[0] = '\0';
                        port_str++;
-                       cfg.gateway_port = strtol(port_str, NULL, 0);
-                       if (cfg.gateway_port == 0 || cfg.gateway_port > 65535) {
+                       port = strtol(port_str, NULL, 0);
+                       if (port < 1 || port > 65535) {
                                log_error("Specify a valid port.\n");
                                goto user_error;
                        }
+                       cfg.gateway_port = (uint16_t)port;
                }
                strncpy(cfg.gateway_host, host, GATEWAY_HOST_SIZE);
                cfg.gateway_host[GATEWAY_HOST_SIZE] = '\0';
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openfortivpn-1.17.1/src/tunnel.c 
new/openfortivpn-1.17.2/src/tunnel.c
--- old/openfortivpn-1.17.1/src/tunnel.c        2021-09-08 10:25:03.000000000 
+0200
+++ new/openfortivpn-1.17.2/src/tunnel.c        2022-03-31 08:30:13.000000000 
+0200
@@ -56,6 +56,7 @@
 #endif
 #include <sys/types.h>
 #include <sys/socket.h>
+#include <netinet/tcp.h>
 #include <sys/wait.h>
 #include <sys/ioctl.h>
 #include <termios.h>
@@ -566,13 +567,12 @@
        return 0;
 }
 
-static int tcp_getsockopt(int sockfd, int optname)
+static int get_socket_option(int sockfd, int level, int optname)
 {
        int optval;
        socklen_t optlen = sizeof(optval);
 
-       if (getsockopt(sockfd, IPPROTO_TCP, optname,
-                      (void *)&optval, &optlen))
+       if (getsockopt(sockfd, level, optname, &optval, &optlen) < 0)
                return -1;
        assert(optlen == sizeof(optval));
        return optval;
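Review bot: get_socket_option() has no comment stating its contract: it returns -1 both when getsockopt() fails and when an option's value is itself -1, and it only suits options whose value is an int. A short header comment would make that explicit, e.g. `/* Return the int value of a socket option, or -1 with errno set by getsockopt(); only for options with a non-negative int value. */`. The `assert(optlen == sizeof(optval))` also vanishes under NDEBUG, so `if (optlen != sizeof(optval)) return -1;` would be the sturdier check if release builds define it.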
@@ -599,42 +599,42 @@
         * Attempt to find default TCP socket options on different platforms.
         */
 #ifdef SO_KEEPALIVE
-       ret = tcp_getsockopt(handle, SO_KEEPALIVE);
+       ret = get_socket_option(handle, SOL_SOCKET, SO_KEEPALIVE);
        if (ret < 0)
                log_warn("getsockopt: %s: %s\n", "SO_KEEPALIVE", 
strerror(errno));
        else
-               log_debug("SO_KEEPALIVE: %d\n", ret);
+               log_debug("SO_KEEPALIVE: %s\n", (ret ? "ON" : "OFF"));
 #endif
 #ifdef TCP_KEEPIDLE
-       ret = tcp_getsockopt(handle, TCP_KEEPIDLE);
+       ret = get_socket_option(handle, IPPROTO_TCP, TCP_KEEPIDLE);
        if (ret < 0)
                log_warn("getsockopt: %s: %s\n", "TCP_KEEPIDLE", 
strerror(errno));
        else
                log_debug("TCP_KEEPIDLE: %d\n", ret);
 #endif
 #ifdef TCP_KEEPALIVE
-       ret = tcp_getsockopt(handle, TCP_KEEPALIVE);
+       ret = get_socket_option(handle, IPPROTO_TCP, TCP_KEEPALIVE);
        if (ret < 0)
                log_warn("getsockopt: %s: %s\n", "TCP_KEEPALIVE", 
strerror(errno));
        else
                log_debug("TCP_KEEPALIVE: %d\n", ret);
 #endif
 #ifdef TCP_KEEPINTVL
-       ret = tcp_getsockopt(handle, TCP_KEEPINTVL);
+       ret = get_socket_option(handle, IPPROTO_TCP, TCP_KEEPINTVL);
        if (ret < 0)
                log_warn("getsockopt: %s: %s\n", "TCP_KEEPINTVL", 
strerror(errno));
        else
                log_debug("TCP_KEEPINTVL: %d\n", ret);
 #endif
 #ifdef TCP_KEEPCNT
-       ret = tcp_getsockopt(handle, TCP_KEEPCNT);
+       ret = get_socket_option(handle, IPPROTO_TCP, TCP_KEEPCNT);
        if (ret < 0)
                log_warn("getsockopt: %s: %s\n", "TCP_KEEPCNT", 
strerror(errno));
        else
                log_debug("TCP_KEEPCNT: %d\n", ret);
 #endif
 #ifdef SO_SNDBUF
-       ret = tcp_getsockopt(handle, SO_SNDBUF);
+       ret = get_socket_option(handle, SOL_SOCKET, SO_SNDBUF);
        if (ret < 0)
 #ifndef __APPLE__
                log_warn("getsockopt: %s: %s\n", "SO_SNDBUF", strerror(errno));
@@ -643,7 +643,7 @@
                log_debug("SO_SNDBUF: %d\n", ret);
 #endif
 #ifdef SO_RCVBUF
-       ret = tcp_getsockopt(handle, SO_RCVBUF);
+       ret = get_socket_option(handle, SOL_SOCKET, SO_RCVBUF);
        if (ret < 0)
 #ifndef __APPLE__
                log_warn("getsockopt: %s: %s\n", "SO_RCVBUF", strerror(errno));
@@ -1055,7 +1055,7 @@
                                cipher_list = 
"HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4";
                        tunnel->config->cipher_list = strdup(cipher_list);
                } else if (tunnel->config->seclevel_1) {
-                       const char *cipher_list = "DEFAULT@SECLEVEL=1";
+                       static const char cipher_list[] = "DEFAULT@SECLEVEL=1";
 
                        tunnel->config->cipher_list = strdup(cipher_list);
                }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openfortivpn-1.17.1/src/userinput.c 
new/openfortivpn-1.17.2/src/userinput.c
--- old/openfortivpn-1.17.1/src/userinput.c     2021-09-08 10:25:03.000000000 
+0200
+++ new/openfortivpn-1.17.2/src/userinput.c     2022-03-31 08:30:13.000000000 
+0200
@@ -106,12 +106,16 @@
        do {
                if (bufsiz - len < 64) {
                        bufsiz += 64;
-                       buf = realloc(buf, bufsiz);
-                       if (buf == NULL) {
+                       char *tmp = realloc(buf, bufsiz);
+
+                       // bail out if realloc fails
+                       if (tmp == NULL) {
                                if (retstr)
                                        *retstr = strdup(strerror(errno));
+                               free(buf);
                                return -1;
                        }
+                       buf = tmp;
                        buf[bufsiz-1] = '\0';
                }
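Review bot: On the failure path `free(buf)` releases the input collected so far without clearing it, and on the success path realloc() may move the data and leave the old copy in freed heap memory. If this buffer can hold a passphrase (the file name suggests user-entered secrets, but the hunk does not show what is read), wiping before release would limit that exposure, e.g. `if (buf) explicit_bzero(buf, bufsiz - 64);` ahead of `free(buf);`. Growing through a fresh allocation, copy and wipe of the old block instead of realloc() would cover the success path as well. The loop and the function both continue outside this hunk.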
 
