<<< Date Index >>>     <<< Thread Index >>>

Re: OpenVPN[v2.0.x]: foreign_option() formart string vulnerability.



ah, that would be what i did when testing("client"), sorry for the
false/confusion with that... anyways, great software i use it for my vpn
needs...nicely documented and easy to use--thanks for its existence.

> Vade79,
>
> Thanks for your efforts in finding this!  I've just released OpenVPN 2.0.4
> with a fix.
>
> The patch is here:
>
> http://openvpn.net/patch/2.0.4-security-patches/foreign_option.patch
>
> While this patch fixes the format string vulnerability, you made another
> claim as well which I believe to be false:
>
> > however, when testing i did NOT have to have the "pull" option in my 
> > clients config
> > file to allow the "push"ed dhcp-option request as it states above.
>
> You didn't post your test configuration file, but I suspect that you were
> using "client" which is a macro that expands to "pull" and "tls-client".
>
> Take a look at this line in push.c:
>
> if (honor_received_options && buf_string_compare_advance (&buf, "PUSH_REPLY"))
>
> This conditional decides whether or not to process a received PUSH_REPLY
> message.  honor_received_options will be false unless "pull" or "client"
> is specified.
>
> James
>
>