
Bug 128888

Summary: net-misc/openvpn: server can push env vars to clients, including LD_PRELOAD
Product: Gentoo Security
Reporter: Roy Marples (RETIRED) <uberlord>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: trivial    
Priority: High    
Version: unspecified   
Hardware: All   
OS: Other   
URL: http://openvpn.net/changelog.html
Whiteboard: C4 [noglsa] DerCorny
Package list:
Runtime testing required: ---

Description Roy Marples (RETIRED) gentoo-dev 2006-04-05 03:22:37 UTC
Security Vulnerability affecting OpenVPN 2.0 through 2.0.5.
  An OpenVPN client connecting to a
  malicious or compromised server could potentially receive
  "setenv" configuration directives from the server which could
  cause arbitrary code execution on the client via a LD_PRELOAD
  attack.  A successful attack appears to require that (a) the
  client has agreed to allow the server to push configuration
  directives to it by including "pull" or the macro "client" in
  its configuration file, (b) the client configuration file uses
  a scripting directive such as "up" or "down", (c) the client
  successfully authenticates the server, (d) the server is
  malicious or has been compromised and is under the control of
  the attacker, and (e) the attacker has at least some level of
  pre-existing control over files on the client (this might be
  accomplished by having the server respond to a client web
  request with a specially crafted file).
  The fix is to disallow "setenv" to be pushed to clients from
  the server.  For those who need this capability, OpenVPN
  2.1 supports a new "setenv-safe" directive which is free
  of this vulnerability.

2.0.6 is in the tree and works from a brief test. We don't ship any default configs, so we don't suffer from this by default.
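
The client-side preconditions (a) and (b) and the affected version range from the description above can be checked against a client configuration file. This is an added example, not part of the bug report or of OpenVPN; the function names, the sample configuration, and the script directives listed beyond "up" and "down" are assumptions. Conditions (c) through (e) cannot be determined from the configuration and are not checked.

```python
import re

# Directives that let the server push options (condition (a) in the advisory).
PULL_DIRECTIVES = {"pull", "client"}
# Directives that run an external script (condition (b)). The advisory names
# "up" and "down"; the others are further OpenVPN script hooks, included here
# on the assumption that they are equally relevant.
SCRIPT_DIRECTIVES = {"up", "down", "ipchange", "route-up", "tls-verify"}

def parse_directives(config_text):
    """Return the set of directive names used in an OpenVPN config file."""
    names = set()
    for line in config_text.splitlines():
        line = re.split(r"[#;]", line, maxsplit=1)[0].strip()  # drop comments
        if line:
            names.add(line.split()[0].lstrip("-"))  # accept "--up" and "up"
    return names

def version_affected(version):
    """True for OpenVPN 2.0 through 2.0.5, the range given in the advisory."""
    parts = [int(p) for p in version.split(".")]
    parts += [0] * (3 - len(parts))
    return (2, 0, 0) <= tuple(parts[:3]) <= (2, 0, 5)

def audit(config_text, version):
    """Report which of the checkable preconditions hold for this client."""
    used = parse_directives(config_text)
    findings = {
        "accepts_pushed_options": bool(used & PULL_DIRECTIVES),
        "runs_scripts": sorted(used & SCRIPT_DIRECTIVES),
        "version_affected": version_affected(version),
    }
    findings["exposed"] = bool(findings["accepts_pushed_options"]
                               and findings["runs_scripts"]
                               and findings["version_affected"])
    return findings

# Constructed sample client configuration (not from the bug report).
SAMPLE = """\
client
dev tun
remote vpn.example.org 1194
; script hooks
up /etc/openvpn/up.sh
down /etc/openvpn/down.sh   # restore resolv.conf
"""

if __name__ == "__main__":
    for ver in ("2.0.5", "2.0.6"):
        print(ver, audit(SAMPLE, ver))
```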
Comment 1 Stefan Cornelius (RETIRED) gentoo-dev 2006-04-05 09:32:38 UTC
arches please test and mark 2.0.6 stable, thank you.
Comment 2 Tobias Scherbaum (RETIRED) gentoo-dev 2006-04-05 11:35:23 UTC
ppc stable
Comment 3 Gustavo Zacarias (RETIRED) gentoo-dev 2006-04-05 12:07:43 UTC
sparc stable.
Comment 4 Patrick McLean gentoo-dev 2006-04-05 13:35:41 UTC
stable on amd64
Comment 5 Andrej Kacian (RETIRED) gentoo-dev 2006-04-05 14:11:42 UTC
x86 happy!
Comment 6 René Nussbaumer (RETIRED) gentoo-dev 2006-04-07 09:05:39 UTC
stable on hppa
Comment 7 Bryan Østergaard (RETIRED) gentoo-dev 2006-04-08 10:05:39 UTC
Alpha stable.
Comment 8 Fabian Groffen gentoo-dev 2006-04-09 01:52:44 UTC
ppc-macos stable
Comment 9 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-04-09 03:41:56 UTC
Thx everyone. Closing with NO GLSA (C4).