diff options
| author | mnag <mnag@FreeBSD.org> | 2006-04-05 22:57:46 +0800 |
|---|---|---|
| committer | mnag <mnag@FreeBSD.org> | 2006-04-05 22:57:46 +0800 |
| commit | a6dcfd24e73dc223159990cdc1ce24cfea59c202 (patch) | |
| tree | 70a49065dfeb3ba386cefddfd814a42554f73d1c /security | |
| parent | ea1b4212eb60d8fe7bb04d69e9c57015968a7d7d (diff) | |
| download | freebsd-ports-gnome-a6dcfd24e73dc223159990cdc1ce24cfea59c202.tar.gz freebsd-ports-gnome-a6dcfd24e73dc223159990cdc1ce24cfea59c202.tar.zst freebsd-ports-gnome-a6dcfd24e73dc223159990cdc1ce24cfea59c202.zip | |
openvpn -- LD_PRELOAD code execution on client through malicious or compromised server
PR: 95343
Submitted by: Matthias Andree <matthias.andree__gmx.de>
Diffstat (limited to 'security')
| -rw-r--r-- | security/vuxml/vuln.xml | 35 |
1 files changed, 35 insertions, 0 deletions
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index 57b3267dcaae..eb518c47b9ca 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -34,6 +34,41 @@ Note: Please add new entries to the beginning of this file. --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="be4ccb7b-c48b-11da-ae12-0002b3b60e4c"> + <topic>openvpn -- LD_PRELOAD code execution on client through malicious or compromised server</topic> + <affects> + <package> + <name>openvpn</name> + <range><ge>2.0</ge><lt>2.0.6</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Hendrik Weimer reports:</p> + <blockquote cite="http://www.osreviews.net/reviews/security/openvpn-print"> + <p>OpenVPN clients are a bit too generous when accepting + configuration options from a server. It is possible to transmit + environment variables to client-side shell scripts. There are some + filters in place to prevent obvious nonsense, however they don't + catch the good old LD_PRELOAD trick. All we need is to put a file + onto the client under a known location (e.g. by returning a + specially crafted document upon web access) and we have a remote + root exploit. But since the attack may only come from authenticated + servers, this threat is greatly reduced.</p> + </blockquote> + </body> + </description> + <references> + <url>http://www.osreviews.net/reviews/security/openvpn-print</url> + <url>http://openvpn.net/changelog.html</url> + <mlist msgid="4431F7C4.4030804@yonan.net">http://sourceforge.net/mailarchive/message.php?msg_id=15298074</mlist> + </references> + <dates> + <discovery>2006-04-03</discovery> + <entry>2006-04-05</entry> + </dates> + </vuln> + <vuln vid="92fd40eb-c458-11da-9c79-00123ffe8333"> <topic>samba -- Exposure of machine account credentials in winbind log files</topic> <affects> |