[LEDE-DEV] [PATCH] openvpn: update to 2.4.4

Magnus Kroken mkroken at gmail.com
Wed Sep 27 10:45:32 PDT 2017


Fixes CVE-2017-12166: out of bounds write in key-method 1.

Remove the mirror that was temporarily added during the
2.4.3 release.

Signed-off-by: Magnus Kroken <mkroken at gmail.com>
---
Compile-tested all variants on powerpc, runtime-tested mbedTLS variant as server.

 package/network/services/openvpn/Makefile          |  9 ++-
 .../210-build_always_use_internal_lz4.patch        | 83 ++++++++++++++--------
 2 files changed, 58 insertions(+), 34 deletions(-)

diff --git a/package/network/services/openvpn/Makefile b/package/network/services/openvpn/Makefile
index a1aa196fad..9d8f047613 100644
--- a/package/network/services/openvpn/Makefile
+++ b/package/network/services/openvpn/Makefile
@@ -9,15 +9,14 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=openvpn
 
-PKG_VERSION:=2.4.3
-PKG_RELEASE:=2
+PKG_VERSION:=2.4.4
+PKG_RELEASE:=1
 
 PKG_SOURCE_URL:=\
 	https://build.openvpn.net/downloads/releases/ \
-	https://swupdate.openvpn.net/community/releases/ \
-	http://www.eurephia.net/openvpn/
+	https://swupdate.openvpn.net/community/releases/
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
-PKG_HASH:=7aa86167a5b8923e54e8795b814ed77288c793671f59fd830d9ab76d4b480571
+PKG_HASH:=96cd1b8fe1e8cb2920f07c3fd3985faea756e16fdeebd11d3e146d5bd2b04a80
 
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION)
 PKG_MAINTAINER:=Felix Fietkau <nbd at nbd.name>
diff --git a/package/network/services/openvpn/patches/210-build_always_use_internal_lz4.patch b/package/network/services/openvpn/patches/210-build_always_use_internal_lz4.patch
index b0fe00df9b..d49e0bf9ec 100644
--- a/package/network/services/openvpn/patches/210-build_always_use_internal_lz4.patch
+++ b/package/network/services/openvpn/patches/210-build_always_use_internal_lz4.patch
@@ -1,43 +1,68 @@
 --- a/configure.ac
 +++ b/configure.ac
-@@ -1076,37 +1076,14 @@ dnl
+@@ -1068,62 +1068,15 @@ dnl
  AC_ARG_VAR([LZ4_CFLAGS], [C compiler flags for lz4])
  AC_ARG_VAR([LZ4_LIBS], [linker flags for lz4])
  if test "$enable_lz4" = "yes" && test "$enable_comp_stub" = "no"; then
--    AC_CHECKING([for LZ4 Library and Header files])
--    havelz4lib=1
- 
+-    if test -z "${LZ4_CFLAGS}" -a -z "${LZ4_LIBS}"; then
+-	# if the user did not explicitly specify flags, try to autodetect
+-	PKG_CHECK_MODULES([LZ4],
+-			  [liblz4 >= 1.7.1],
+-			  [have_lz4="yes"],
+-			  [] # If this fails, we will do another test next
+-	)
+-    fi
+
+     saved_CFLAGS="${CFLAGS}"
+     saved_LIBS="${LIBS}"
+     CFLAGS="${CFLAGS} ${LZ4_CFLAGS}"
+     LIBS="${LIBS} ${LZ4_LIBS}"
+
+-    # If pkgconfig check failed or LZ4_CFLAGS/LZ4_LIBS env vars
+-    # are used, check the version directly in the LZ4 include file
+-    if test "${have_lz4}" != "yes"; then
+-	AC_CHECK_HEADERS([lz4.h],
+-			 [have_lz4h="yes"],
+-			 [])
+-
+-	if test "${have_lz4h}" = "yes" ; then
+-	    AC_MSG_CHECKING([additionally if system LZ4 version >= 1.7.1])
+-	    AC_COMPILE_IFELSE(
+-		[AC_LANG_PROGRAM([[
+-#include <lz4.h>
+-				 ]],
+-				 [[
+-/* Version encoding: MMNNPP (Major miNor Patch) - see lz4.h for details */
+-#if LZ4_VERSION_NUMBER < 10701L
+-#error LZ4 is too old
+-#endif
+-				 ]]
+-				)],
+-		[
+-		    AC_MSG_RESULT([ok])
+-		    have_lz4="yes"
+-		],
+-		[AC_MSG_RESULT([system LZ4 library is too old])]
+-	    )
+-	fi
+-    fi
+-
 -    # if LZ4_LIBS is set, we assume it will work, otherwise test
 -    if test -z "${LZ4_LIBS}"; then
--	AC_CHECK_LIB(lz4, LZ4_compress,
--	    [ LZ4_LIBS="-llz4" ],
--	    [
--	        AC_MSG_RESULT([LZ4 library not found.])
--	        havelz4lib=0
--	    ])
+-	AC_CHECK_LIB([lz4],
+-		     [LZ4_compress],
+-		     [LZ4_LIBS="-llz4"],
+-		     [have_lz4="no"])
 -    fi
-+    AC_MSG_RESULT([Using LZ4 library in src/compat/compat-lz4.*])
-+    AC_DEFINE([NEED_COMPAT_LZ4], [1], [use copy of LZ4 source in compat/])
-+    LZ4_LIBS=""
- 
--    saved_CFLAGS="${CFLAGS}"
--    CFLAGS="${CFLAGS} ${LZ4_CFLAGS}"
--    AC_CHECK_HEADERS(lz4.h,
--       ,
--       [
--	   AC_MSG_RESULT([LZ4 headers not found.])
--	   havelz4lib=0
--       ])
 -
--    if test $havelz4lib = 0 ; then
--	AC_MSG_RESULT([LZ4 library or header not found, using version in src/compat/compat-lz4.*])
+-    if test "${have_lz4}" != "yes" ; then
+-	AC_MSG_RESULT([		usuable LZ4 library or header not found, using version in src/compat/compat-lz4.*])
 -	AC_DEFINE([NEED_COMPAT_LZ4], [1], [use copy of LZ4 source in compat/])
 -	LZ4_LIBS=""
 -    fi
++    AC_MSG_RESULT([		usuable LZ4 library or header not found, using version in src/compat/compat-lz4.*])
++    AC_DEFINE([NEED_COMPAT_LZ4], [1], [use copy of LZ4 source in compat/])
++    LZ4_LIBS=""
      OPTIONAL_LZ4_CFLAGS="${LZ4_CFLAGS}"
      OPTIONAL_LZ4_LIBS="${LZ4_LIBS}"
-     AC_DEFINE(ENABLE_LZ4, 1, [Enable LZ4 compression library])
--    CFLAGS="${saved_CFLAGS}"
- fi
- 
- 
+     AC_DEFINE(ENABLE_LZ4, [1], [Enable LZ4 compression library])
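Review bot: The refreshed patch now emits `usuable LZ4 library or header not found, using version in src/compat/compat-lz4.*` unconditionally, even though every detection step above it has been removed. The configure log therefore reports a failed search that never ran, and the upstream "usuable" typo is carried into a line this patch adds. The previous revision used `AC_MSG_RESULT([Using LZ4 library in src/compat/compat-lz4.*])`, which described the real behaviour; keeping that wording lets anyone auditing a build log see that the bundled copy is a deliberate choice. The retained `saved_CFLAGS`/`saved_LIBS` assignments no longer wrap any check in the visible lines, and the matching restore presumably sits after this hunk in configure.ac, so confirm it still applies or drop those lines from the context. Because the compat LZ4 copy is always compiled in when LZ4 is enabled, a short description at the top of the patch file noting that LZ4 fixes then arrive only through OpenVPN version bumps would help whoever tracks advisories for this package.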
-- 
2.11.0



