Bugtraq mailing list archives
Re: OpenVPN[v2.0.x]: foreign_option() formart string vulnerability.
From: v9 <v9 () fakehalo us>
Date: Fri, 4 Nov 2005 15:46:45 -0500 (EST)
ah, that would be what i did when testing("client"), sorry for the false/confusion with that... anyways, great software i use it for my vpn needs...nicely documented and easy to use--thanks for its existence.
Vade79, Thanks for your efforts in finding this! I've just released OpenVPN 2.0.4 with a fix. The patch is here: http://openvpn.net/patch/2.0.4-security-patches/foreign_option.patch While this patch fixes the format string vulnerability, you made another claim as well which I believe to be false:however, when testing i did NOT have to have the "pull" option in my clients config file to allow the "push"ed dhcp-option request as it states above.You didn't post your test configuration file, but I suspect that you were using "client" which is a macro that expands to "pull" and "tls-client". Take a look at this line in push.c: if (honor_received_options && buf_string_compare_advance (&buf, "PUSH_REPLY")) This conditional decides whether or not to process a received PUSH_REPLY message. honor_received_options will be false unless "pull" or "client" is specified. James
Current thread:
- Re: OpenVPN[v2.0.x]: foreign_option() formart string vulnerability. v9 (Nov 05)