From 09a7f41f319be5520ea4e1ce568a56e37e9ff125 Mon Sep 17 00:00:00 2001
From: Lubomir Rintel
Date: Wed, 25 Sep 2024 16:32:14 +0200
Subject: [PATCH] Update to 1.2.24 release

Fix improper escaping of Libreswan configuration (CVE-2024-9050)

Resolves: RHEL-59759
---
 .gitignore | 1 +
 ...tuff_changed_cb-from-populate_widget.patch | 81 --------
 ...erties-add-require-id-on-certificate.patch | 182 ------------------
 NetworkManager-libreswan.spec | 10 +-
 sources | 2 +-
 5 files changed, 8 insertions(+), 268 deletions(-)
 delete mode 100644 1001-editor-connect-stuff_changed_cb-from-populate_widget.patch
 delete mode 100644 1002-properties-add-require-id-on-certificate.patch

diff --git a/.gitignore b/.gitignore
index 4d7f023..8dbbb2a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -22,3 +22,4 @@ NetworkManager-openswan-0.8.tar.gz
 /NetworkManager-libreswan-1.2.18.tar.xz
 /NetworkManager-libreswan-1.2.20.tar.xz
 /NetworkManager-libreswan-1.2.22.tar.xz
+/NetworkManager-libreswan-1.2.24.tar.xz
diff --git a/1001-editor-connect-stuff_changed_cb-from-populate_widget.patch b/1001-editor-connect-stuff_changed_cb-from-populate_widget.patch
deleted file mode 100644
index 4bdd793..0000000
--- a/1001-editor-connect-stuff_changed_cb-from-populate_widget.patch
+++ /dev/null
@@ -1,81 +0,0 @@
-From 4957f0123c109df05885b2c85bfabc8f7311fe62 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?=C3=8D=C3=B1igo=20Huguet?=
-Date: Mon, 9 Sep 2024 12:25:58 +0200
-Subject: [PATCH] editor: connect stuff_changed_cb from populate_widget
-
-There is no need to do it in 2 different steps, we always have to
-connect it after creating the widget. Let's do it all together so no
-developer forgets.
----
- properties/nm-libreswan-editor.c | 47 --------------------------------
- 1 file changed, 47 deletions(-)
-
-diff --git a/properties/nm-libreswan-editor.c b/properties/nm-libreswan-editor.c
-index b03d2fe..5687dc7 100644
---- a/properties/nm-libreswan-editor.c
-+++ b/properties/nm-libreswan-editor.c
-@@ -351,27 +351,6 @@ populate_widget (LibreswanEditor *self,
- }
- gtk_combo_box_set_active (GTK_COMBO_BOX (widget), idx);
- }
--}
--
--
--/* Init the widget on the basis of its actual type.
-- * widget_name: the name of the widget
-- * key_name: the name of the key where the config value is stored
-- * alt_key_name:alternative name of the key
-- * match_value: used only for toggle_button and combo_box widgets; when matched
-- * in the former it will set the toggle button as active, in the latter
-- * will be used as a match for enabling the third index of possible values
-- * (a three-valued logic value is expected: "no", "yes" or "match_value").
-- */
--static void
--hook_stuff_changed_cb (LibreswanEditor *self,
-- const char *widget_name)
--{
-- LibreswanEditorPrivate *priv = LIBRESWAN_EDITOR_GET_PRIVATE (self);
-- GtkWidget *widget;
--
-- widget = GTK_WIDGET (gtk_builder_get_object (priv->builder, widget_name));
-- g_return_if_fail (widget);
- 
- g_signal_connect (G_OBJECT (widget),
- GTK_IS_CHECK_BUTTON (widget) ? "toggled" : "changed",
-@@ -471,33 +450,7 @@ init_editor_plugin (LibreswanEditor *self,
- populate_widget (self, "group_entry", NM_LIBRESWAN_KEY_LEFTID, NULL, NULL);
- populate_widget (self, "cert_entry", NM_LIBRESWAN_KEY_LEFTCERT, NULL, NULL);
- populate_widget (self, "remoteid_entry", NM_LIBRESWAN_KEY_RIGHTID, NULL, NULL);
-- hook_stuff_changed_cb (self, "gateway_entry");
-- hook_stuff_changed_cb (self, "user_entry");
-- hook_stuff_changed_cb (self, "group_entry");
-- hook_stuff_changed_cb (self, "cert_entry");
-- hook_stuff_changed_cb (self, "remoteid_entry");
--
-- /* Advanced Dialog */
- populate_adv_dialog (self);
-- hook_stuff_changed_cb (self, "domain_entry");
-- hook_stuff_changed_cb (self, "phase1_entry");
-- hook_stuff_changed_cb (self, "phase2_entry");
-- hook_stuff_changed_cb (self, "phase1_lifetime_entry");
-- hook_stuff_changed_cb (self, "phase2_lifetime_entry");
-- hook_stuff_changed_cb (self, "rekey_checkbutton");
-- hook_stuff_changed_cb (self, "pfs_checkbutton");
-- hook_stuff_changed_cb (self, "local_network_entry");
-- hook_stuff_changed_cb (self, "remote_network_entry");
-- hook_stuff_changed_cb (self, "narrowing_checkbutton");
-- hook_stuff_changed_cb (self, "fragmentation_combo");
-- hook_stuff_changed_cb (self, "mobike_combo");
-- hook_stuff_changed_cb (self, "dpd_delay_entry");
-- hook_stuff_changed_cb (self, "dpd_timeout_entry");
-- hook_stuff_changed_cb (self, "dpd_action_combo");
-- hook_stuff_changed_cb (self, "ipsec_interface_entry");
-- hook_stuff_changed_cb (self, "authby_entry");
-- hook_stuff_changed_cb (self, "disable_modecfgclient_checkbutton");
-- hook_stuff_changed_cb (self, "remote_cert_entry");
- 
- priv->advanced_dialog = GTK_WIDGET (gtk_builder_get_object (priv->builder, "libreswan-advanced-dialog"));
- g_return_val_if_fail (priv->advanced_dialog != NULL, FALSE);
---
-2.44.0
-
diff --git a/1002-properties-add-require-id-on-certificate.patch b/1002-properties-add-require-id-on-certificate.patch
deleted file mode 100644
index 7c33e5a..0000000
--- a/1002-properties-add-require-id-on-certificate.patch
+++ /dev/null
@@ -1,182 +0,0 @@
-From 95517f4dd6de399f4608c63f48658228ac902c93 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?=C3=8D=C3=B1igo=20Huguet?=
-Date: Mon, 9 Sep 2024 11:47:57 +0200
-Subject: [PATCH] properties: add require-id-on-certificate
-
-From `man ipsec.conf`:
-
-require-id-on-certificate:
- When using certificates, check whether the IKE peer ID is present as
- a subjectAltName (SAN) on the peer certificate. Accepted values are
- yes (the default) or no. This check should only be disabled when
- intentionally using certificates that do not have their peer ID specified
- as a SAN on the certificate. These certificates violate RFC 4945 Section
- 3.1 and are normally rejected to prevent a compromised host from assuming
- the IKE identity of another host. The SAN limits the IDs that the
- peer is able to assume.
----
- properties/nm-libreswan-dialog.ui | 26 +++++++++++++++++++++++++
- properties/nm-libreswan-editor-plugin.c | 2 ++
- properties/nm-libreswan-editor.c | 9 +++++++++
- shared/nm-service-defines.h | 1 +
- shared/utils.c | 5 +++++
- src/nm-libreswan-service.c | 1 +
- 6 files changed, 44 insertions(+)
-
-diff --git a/properties/nm-libreswan-dialog.ui b/properties/nm-libreswan-dialog.ui
-index b682895..17a7171 100644
---- a/properties/nm-libreswan-dialog.ui
-+++ b/properties/nm-libreswan-dialog.ui
-@@ -1222,6 +1222,32 @@ config: authby <value>
- 0
- 
- 
-+
-+
-+ True
-+ False
-+ Don't require remote certificate name
-+ True
-+ require_id_on_certificate_checkbutton
-+ 1
-+
-+
-+ 0
-+ 1
-+
-+
-+
-+
-+ True
-+ True
-+ False
-+ True
-+
-+
-+ 1
-+ 1
-+
-+
- 
- 
- 
-diff --git a/properties/nm-libreswan-editor-plugin.c b/properties/nm-libreswan-editor-plugin.c
-index fe473d1..7aa528e 100644
---- a/properties/nm-libreswan-editor-plugin.c
-+++ b/properties/nm-libreswan-editor-plugin.c
-@@ -214,6 +214,8 @@ import_from_file (NMVpnEditorPlugin *self,
- nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_HOSTADDRFAMILY, str + NM_STRLEN("hostaddrfamily="));
- else if (g_str_has_prefix (str, "clientaddrfamily="))
- nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_CLIENTADDRFAMILY, str + NM_STRLEN("clientaddrfamily="));
-+ else if (g_str_has_prefix (str, "require-id-on-certificate="))
-+ nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_REQUIRE_ID_ON_CERTIFICATE, str + NM_STRLEN("require-id-on-certificate="));
- else if (g_str_has_prefix (str, "rightsubnet=")) {
- if (!g_str_has_prefix (str, "rightsubnet=0.0.0.0/0"))
- nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_REMOTENETWORK, &str[12]);
-diff --git a/properties/nm-libreswan-editor.c b/properties/nm-libreswan-editor.c
-index 5687dc7..b350819 100644
---- a/properties/nm-libreswan-editor.c
-+++ b/properties/nm-libreswan-editor.c
-@@ -379,6 +379,7 @@ populate_adv_dialog (LibreswanEditor *self)
- populate_widget (self, "authby_entry", NM_LIBRESWAN_KEY_AUTHBY, NULL, NULL);
- populate_widget (self, "disable_modecfgclient_checkbutton", NM_LIBRESWAN_KEY_LEFTMODECFGCLIENT, NULL, "no");
- populate_widget (self, "remote_cert_entry", NM_LIBRESWAN_KEY_RIGHTCERT, NULL, NULL);
-+ populate_widget (self, "require_id_on_certificate_checkbutton", NM_LIBRESWAN_KEY_REQUIRE_ID_ON_CERTIFICATE, NULL, "no");
- }
- 
- static gboolean
-@@ -642,6 +643,14 @@ update_adv_settings (LibreswanEditor *self, NMSettingVpn *s_vpn)
- nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_RIGHTCERT, str);
- else
- nm_setting_vpn_remove_data_item (s_vpn, NM_LIBRESWAN_KEY_RIGHTCERT);
-+
-+ /* Disable Require ID on certificate */
-+ widget = GTK_WIDGET (gtk_builder_get_object (priv->builder, "require_id_on_certificate_checkbutton"));
-+ if (gtk_check_button_get_active (GTK_CHECK_BUTTON (widget)))
-+ nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_REQUIRE_ID_ON_CERTIFICATE, "no");
-+ else
-+ nm_setting_vpn_remove_data_item (s_vpn, NM_LIBRESWAN_KEY_REQUIRE_ID_ON_CERTIFICATE);
-+
- }
- 
- static gboolean
-diff --git a/shared/nm-service-defines.h b/shared/nm-service-defines.h
-index 167b837..5f523bd 100644
---- a/shared/nm-service-defines.h
-+++ b/shared/nm-service-defines.h
-@@ -73,6 +73,7 @@
- #define NM_LIBRESWAN_KEY_TYPE "type"
- #define NM_LIBRESWAN_KEY_HOSTADDRFAMILY "hostaddrfamily"
- #define NM_LIBRESWAN_KEY_CLIENTADDRFAMILY "clientaddrfamily"
-+#define NM_LIBRESWAN_KEY_REQUIRE_ID_ON_CERTIFICATE "require-id-on-certificate"
- 
- #define NM_LIBRESWAN_IKEV2_NO "no"
- #define NM_LIBRESWAN_IKEV2_NEVER "never"
-diff --git a/shared/utils.c b/shared/utils.c
-index 65bc603..9394099 100644
---- a/shared/utils.c
-+++ b/shared/utils.c
-@@ -122,6 +122,7 @@ nm_libreswan_config_write (gint fd,
- const char *mobike;
- const char *pfs;
- const char *client_family;
-+ const char *require_id_on_certificate;
- const char *item;
- gboolean is_ikev2 = FALSE;
- 
-@@ -173,6 +174,10 @@ nm_libreswan_config_write (gint fd,
- if (client_family && strlen (client_family))
- WRITE_CHECK (fd, debug_write_fcn, error, " clientaddrfamily=%s", client_family);
- 
-+ require_id_on_certificate = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_REQUIRE_ID_ON_CERTIFICATE);
-+ if (require_id_on_certificate && strlen (require_id_on_certificate))
-+ WRITE_CHECK (fd, debug_write_fcn, error, " require-id-on-certificate=%s", require_id_on_certificate);
-+
- leftrsasigkey = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_LEFTRSASIGKEY);
- rightrsasigkey = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_RIGHTRSASIGKEY);
- leftcert = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_LEFTCERT);
-diff --git a/src/nm-libreswan-service.c b/src/nm-libreswan-service.c
-index e5956af..984e991 100644
---- a/src/nm-libreswan-service.c
-+++ b/src/nm-libreswan-service.c
-@@ -274,6 +274,7 @@ static ValidProperty valid_properties[] = {
- { NM_LIBRESWAN_KEY_TYPE, G_TYPE_STRING, 0, 0 },
- { NM_LIBRESWAN_KEY_HOSTADDRFAMILY, G_TYPE_STRING, 0, 0 },
- { NM_LIBRESWAN_KEY_CLIENTADDRFAMILY, G_TYPE_STRING, 0, 0 },
-+ { NM_LIBRESWAN_KEY_REQUIRE_ID_ON_CERTIFICATE, G_TYPE_STRING, 0, 0 },
- /* Ignored option for internal use */
- { NM_LIBRESWAN_KEY_PSK_INPUT_MODES, G_TYPE_NONE, 0, 0 },
- { NM_LIBRESWAN_KEY_XAUTH_PASSWORD_INPUT_MODES, G_TYPE_NONE, 0, 0 },
---- a/gtk4/nm-libreswan-dialog.ui
-+++ b/gtk4/nm-libreswan-dialog.ui
-@@ -979,6 +979,27 @@
- 
- 
- 
-+
-+
-+ Don't require remote certificate name
-+ 1
-+ require_id_on_certificate_checkbutton
-+ 1
-+
-+ 0
-+ 1
-+
-+
-+
-+
-+
-+ 1
-+
-+ 1
-+ 1
-+
-+
-+
- 
- 
- 
---
-2.44.0
-
diff --git a/NetworkManager-libreswan.spec b/NetworkManager-libreswan.spec
index d1c2d22..59b7dfd 100644
--- a/NetworkManager-libreswan.spec
+++ b/NetworkManager-libreswan.spec
@@ -14,8 +14,8 @@ Summary: NetworkManager VPN plug-in for IPsec VPN
 Name: NetworkManager-libreswan
-Version: 1.2.22
-Release: 3%{?dist}
+Version: 1.2.24
+Release: 1%{?dist}
 License: GPL-2.0-or-later
 URL: https://gitlab.gnome.org/GNOME/NetworkManager-libreswan
 Source0: https://download.gnome.org/sources/NetworkManager-libreswan/1.2/%{name}-%{version}.tar.xz
@@ -26,8 +26,6 @@ Source0: https://download.gnome.org/sources/NetworkManager-libreswan/1.2/%{nam
 # Bugfixes that are only relevant until next rebase of the package.
 # Patch1001: 1001-some.patch
-Patch1001: 1001-editor-connect-stuff_changed_cb-from-populate_widget.patch
-Patch1002: 1002-properties-add-require-id-on-certificate.patch
 BuildRequires: make
 BuildRequires: gcc
@@ -132,6 +130,10 @@ mv %{buildroot}%{_sysconfdir}/dbus-1 %{buildroot}%{_datadir}/
 %changelog
+* Tue Oct 22 2024 Lubomir Rintel - 1.2.24-1
+- Update to 1.2.24 release
+- Fix improper escaping of Libreswan configuration (CVE-2024-9050)
+
 * Thu Sep 12 2024 Íñigo Huguet - 1.2.22-3
 - Support require-id-on-certificate (RHEL-58812)
diff --git a/sources b/sources
index 2070610..1c72c96 100644
--- a/sources
+++ b/sources
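Review bot: The `@@ -26,8 +26,6 @@` hunk drops Patch1001 and Patch1002, but the new %changelog entry in the `@@ -132,6 +130,10 @@` hunk records only the rebase and the CVE-2024-9050 fix, so it is not documented whether the require-id-on-certificate support shipped as 1.2.22-3 (RHEL-58812) is now carried by the 1.2.24 tarball or silently lost. That matters for this particular update because the dropped Patch1002 wrote the setting value straight into the Libreswan configuration via `WRITE_CHECK (fd, debug_write_fcn, error, " require-id-on-certificate=%s", require_id_on_certificate);`, which is the kind of unescaped config write the CVE title refers to; I cannot tell from this page whether 1.2.24 ships an upstream version of that feature that goes through the escaping fix, so that is worth confirming before the patch is discarded. I would add a changelog line such as `- Drop patches 1001 and 1002, carried by the 1.2.24 release` so the rebase records the fate of those changes.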
@@ -1 +1 @@
-SHA512 (NetworkManager-libreswan-1.2.22.tar.xz) = 80885a276344ab512fb7b3d4b9932525787006781f3c8e0ab93343b78172f1d971c7753df53f21db8f45ea873469d80fc1e12f8d56d6e05d31a536069ff46e16
+SHA512 (NetworkManager-libreswan-1.2.24.tar.xz) = 8b7c8d7736b3ffcb27d6e28c9073f0cad5098decc41342643dd7392c361a7d2664bdac17ca895b14c9b224d330637d4f5d095f242b06e3d312b00803993c6e5c