Date: Wed, 05 Apr 2006 12:25:20 +0200
From: Matthias Andree <matthias.andree@gmx.de>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: secteam@FreeBSD.org
Subject: ports/95343: [PATCH] security/vuxml: Add new 2.0 <= OpenVPN < 2.0.6 LD_PRELOAD vuln
Message-ID: <E1FR5CS-0003Y3-PB@libertas.emma.line.org>
Resent-Message-ID: <200604051030.k35AUG43010072@freefall.freebsd.org>
>Number: 95343
>Category: ports
>Synopsis: [PATCH] security/vuxml: Add new 2.0 <= OpenVPN < 2.0.6 LD_PRELOAD vuln
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Wed Apr 05 10:30:15 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator: Matthias Andree
>Release: FreeBSD 6.1-PRERELEASE i386
>Organization:
>Environment:
System: FreeBSD libertas.emma.line.org 6.1-PRERELEASE FreeBSD 6.1-PRERELEASE #19: Sat Apr 1 13:04:50 CEST
>Description:
New entry for openvpn -- LD_PRELOAD code execution on client through malicious or compromised server. (I don't have the CVE id yet, will add once I get to know it.)

Port maintainer (secteam@FreeBSD.org) is cc'd.

Generated with FreeBSD Port Tools 0.63
>How-To-Repeat:
>Fix:
--- vuxml-1.1_1.patch begins here --- diff -ruN --exclude=CVS /usr/ports/security/vuxml/vuln.xml /usr/home/emma/ports/security/vuxml/vuln.xml --- /usr/ports/security/vuxml/vuln.xml Wed Apr 5 06:33:24 2006 +++ /usr/home/emma/ports/security/vuxml/vuln.xml Wed Apr 5 12:21:23 2006
@@ -34,6 +34,40 @@ --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="be4ccb7b-c48b-11da-ae12-0002b3b60e4c"> + <topic>openvpn -- LD_PRELOAD code execution on client through malicious or compromised server</topic> + <affects> + <package> + <name>openvpn</name> + <range><ge>2.0</ge><lt>2.0.6</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Hendrik Weimer reports:</p> + <blockquote cite="http://www.osreviews.net/reviews/security/openvpn-print"> + <p>OpenVPN clients are a bit too generous when accepting + configuration options from a server. It is possible to transmit + environment variables to client-side shell scripts. There are some + filters in place to prevent obvious nonsense, however they don't + catch the good old LD_PRELOAD trick. All we need is to put a file + onto the client under a known location (e.g. by returning a + specially crafted document upon web access) and we have a remote + root exploit. But since the attack may only come from authenticated + servers, this threat is greatly reduced.</p> + </blockquote> + </body> + </description> + <references> + <url>http://openvpn.net/changelog.html</url> + <mlist msgid="4431F7C4.4030804@yonan.net">http://sourceforge.net/mailarchive/message.php?msg_id=15298074</mlist> + </references> + <dates> + <discovery>2006-04-03</discovery> + <entry>2006-04-05</entry> + </dates> + </vuln> + <vuln vid="92fd40eb-c458-11da-9c79-00123ffe8333"> <topic>samba -- Exposure of machine account credentials in winbind log files</topic> <affects> --- vuxml-1.1_1.patch ends here --- >Release-Note: >Audit-Trail: >Unformatted:
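Review bot: The <references> block of the new openvpn entry lists only the changelog <url> and one <mlist>, so the advisory quoted in the <blockquote> (cite="http://www.osreviews.net/reviews/security/openvpn-print") is not reachable from the references, and there is no <cvename> yet. Add the osreviews.net page as a second <url> so the quoted source is recorded alongside the vendor changelog, and add the <cvename> element once the id is assigned, as the description says is planned. The <topic> is also long for a one-line summary; "openvpn -- LD_PRELOAD code execution via malicious server" would carry the same information, with the "compromised server" detail left to the body.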