Debian Bug report logs - #360559
Remote root exploit against connected clients


Package: openvpn; Maintainer for openvpn is Alberto Gonzalez Iniesta <agi@inittab.org>; Source for openvpn is src:openvpn.

Reported by: Hendrik Weimer <hendrik@enyo.de>

Date: Mon, 3 Apr 2006 08:48:02 UTC

Severity: important

Tags: security

Found in versions openvpn/2.0.5-1, openvpn/2.0-1sarge2

Fixed in version openvpn/2.0.6-1

Done: Alberto Gonzalez Iniesta <agi@inittab.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Alberto Gonzalez Iniesta <agi@inittab.org>:
Bug#360559; Package openvpn. Full text and rfc822 format available.

Acknowledgement sent to Hendrik Weimer <hendrik@enyo.de>:
New Bug report received and forwarded. Copy sent to Alberto Gonzalez Iniesta <agi@inittab.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Hendrik Weimer <hendrik@enyo.de>
To: submit@bugs.debian.org
Cc: info@openvpn.net
Subject: Remote root exploit against connected clients
Date: Mon, 03 Apr 2006 10:43:07 +0200

Package: openvpn
Version: 2.0.5-1
Severity: important
Tags: security

As described in http://www.osreviews.net/reviews/security/openvpn,
OpenVPN contains a security hole that allows a malicious VPN server to
take over connected clients.

OpenVPN allows pushing environment variables to a client via 'push
setenv ...'. Using LD_PRELOAD it is possible to run arbitrary code as
root. The only prerequisite is that the attacker needs to control a
file on the victim's computer, e.g. by returning a specially crafted
document upon web access.

A possible solution would be to prefix all pushed environment
variables with something like 'OPENVPN_'.



Reply sent to Alberto Gonzalez Iniesta <agi@inittab.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Hendrik Weimer <hendrik@enyo.de>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #10 received at 360559-close@bugs.debian.org (full text, mbox):

From: Alberto Gonzalez Iniesta <agi@inittab.org>
To: 360559-close@bugs.debian.org
Subject: Bug#360559: fixed in openvpn 2.0.6-1
Date: Wed, 05 Apr 2006 03:32:04 -0700

Source: openvpn
Source-Version: 2.0.6-1

We believe that the bug you reported is fixed in the latest version of
openvpn, which is due to be installed in the Debian FTP archive:

openvpn_2.0.6-1.diff.gz
  to pool/main/o/openvpn/openvpn_2.0.6-1.diff.gz
openvpn_2.0.6-1.dsc
  to pool/main/o/openvpn/openvpn_2.0.6-1.dsc
openvpn_2.0.6-1_i386.deb
  to pool/main/o/openvpn/openvpn_2.0.6-1_i386.deb
openvpn_2.0.6.orig.tar.gz
  to pool/main/o/openvpn/openvpn_2.0.6.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 360559@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alberto Gonzalez Iniesta <agi@inittab.org> (supplier of updated openvpn package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed,  5 Apr 2006 12:17:26 +0200
Source: openvpn
Binary: openvpn
Architecture: source i386
Version: 2.0.6-1
Distribution: unstable
Urgency: high
Maintainer: Alberto Gonzalez Iniesta <agi@inittab.org>
Changed-By: Alberto Gonzalez Iniesta <agi@inittab.org>
Description: 
 openvpn    - Virtual Private Network daemon
Closes: 360559
Changes: 
 openvpn (2.0.6-1) unstable; urgency=high
 .
   * New upstream release. Urgency high due to security fix.
     - Disallow "setenv" to be pushed to clients from the server.
       (Closes: #360559)
Files: 
 0f2e3c4c5242990924aaf293bc6d1142 623 net optional openvpn_2.0.6-1.dsc
 8d2f95fa825e58363a676b25d4815aa7 664816 net optional openvpn_2.0.6.orig.tar.gz
 5e7423c57c9428c5e88f04fb60227a56 58406 net optional openvpn_2.0.6-1.diff.gz
 ac1ee7921f725b687eb48db59cfd1312 330058 net optional openvpn_2.0.6-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFEM5pXxRSvjkukAcMRAt0jAJ9KN9xcd+4486nlXq2tjZjWWiddgQCgh7Fs
URVMLJSGXGPbBYZSy/mf5pw=
=dUFH
-----END PGP SIGNATURE-----
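
As an added example (not OpenVPN's code and not part of the original messages), the two mitigations named in this log, the reporter's 'OPENVPN_' prefix from message #5 and the 2.0.6-1 changelog's refusal of pushed "setenv", are shown here as a screening step applied to server-pushed options. The function names, the policy enum and the comma-separated sample list are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

enum policy { REJECT_SETENV, PREFIX_SETENV };   /* hypothetical names */
/* Constructed sample push list, not captured from a real server. */
static const char SAMPLE[] = "route 10.8.0.0 255.255.255.0,setenv LD_PRELOAD /path/to/file.so";

/* Screen one server-pushed option before normal option handling. Writes the
 * option to apply into out and returns 1, or returns 0 to drop it. */
int screen_option(const char *opt, enum policy pol, char *out, size_t outlen)
{
    char name[64], value[256];
    int n;
    if (strncmp(opt, "setenv ", 7) != 0)        /* not an environment option */
        n = snprintf(out, outlen, "%s", opt);
    else if (pol == REJECT_SETENV)
        return 0;                               /* changelog fix: never from a push */
    else if (sscanf(opt + 7, "%63s %255[^\n]", name, value) != 2)
        return 0;                               /* malformed: drop */
    else    /* reporter's idea: LD_PRELOAD becomes inert OPENVPN_LD_PRELOAD */
        n = snprintf(out, outlen, "setenv OPENVPN_%s %s", name, value);
    return n >= 0 && (size_t)n < outlen;        /* refuse truncated output */
}

/* Screen a comma-separated list; returns the count of dropped options and
 * leaves the final accepted option in last (empty if none). */
int screen_push_list(const char *list, enum policy pol, char *last, size_t lastlen)
{
    char opt[512], out[512];
    int dropped = 0;
    last[0] = '\0';
    while (*list) {
        size_t len = strcspn(list, ",");
        snprintf(opt, sizeof opt, "%.*s", (int)len, list);
        if (screen_option(opt, pol, out, sizeof out))
            snprintf(last, lastlen, "%s", out);
        else
            dropped++;
        list += len + (list[len] == ',');
    }
    return dropped;
}

int main(void)
{
    char last[512];
    int d = screen_push_list(SAMPLE, PREFIX_SETENV, last, sizeof last);
    printf("dropped=%d last=%s\n", d, last);
    return 0;
}
```

With REJECT_SETENV the pushed variable never reaches the client's environment; with PREFIX_SETENV it arrives under a name the server did not fully choose, so loader-controlling names such as LD_PRELOAD cannot be set.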




Information forwarded to debian-bugs-dist@lists.debian.org, Alberto Gonzalez Iniesta <agi@inittab.org>:
Bug#360559; Package openvpn. Full text and rfc822 format available.

Acknowledgement sent to Geoff Crompton <geoff.crompton@strategicdata.com.au>:
Extra info received and forwarded to list. Copy sent to Alberto Gonzalez Iniesta <agi@inittab.org>. Full text and rfc822 format available.

Message #15 received at 360559@bugs.debian.org (full text, mbox):

From: Geoff Crompton <geoff.crompton@strategicdata.com.au>
To: Debian Bug Tracking System <360559@bugs.debian.org>
Subject: openvpn: CVE-2006-1629?
Date: Wed, 12 Apr 2006 14:33:11 +1000

Package: openvpn
Version: 2.0-1sarge2
Followup-For: Bug #360559

Is this the same as CVE-2006-1629? http://www.securityfocus.com/bid/17392 is
listing sarge as vulnerable. Do you know if the security team is working on 
a fix?

Cheers

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-3-686-smp
Locale: LANG=en_AU, LC_CTYPE=en_AU (charmap=ISO-8859-1)

Versions of packages openvpn depends on:
ii  debconf                   1.4.30.13      Debian configuration management sy
ii  libc6                     2.3.2.ds1-22   GNU C Library: Shared libraries an
ii  liblzo1                   1.08-1.2       A real-time data compression libra
ii  libssl0.9.7               0.9.7e-3sarge1 SSL shared libraries

-- debconf information excluded



Information forwarded to debian-bugs-dist@lists.debian.org, Alberto Gonzalez Iniesta <agi@inittab.org>:
Bug#360559; Package openvpn. Full text and rfc822 format available.

Acknowledgement sent to Hendrik Weimer <hendrik@enyo.de>:
Extra info received and forwarded to list. Copy sent to Alberto Gonzalez Iniesta <agi@inittab.org>. Full text and rfc822 format available.

Message #20 received at 360559@bugs.debian.org (full text, mbox):

From: Hendrik Weimer <hendrik@enyo.de>
To: Geoff Crompton <geoff.crompton@strategicdata.com.au>
Cc: 360559@bugs.debian.org
Subject: Re: Bug#360559: openvpn: CVE-2006-1629?
Date: Wed, 12 Apr 2006 16:09:44 +0200

Geoff Crompton <geoff.crompton@strategicdata.com.au> writes:

> Package: openvpn
> Version: 2.0-1sarge2
> Followup-For: Bug #360559
>
> Is this the same as CVE-2006-1629?

Yes, it is.

Hendrik



Information forwarded to debian-bugs-dist@lists.debian.org, Alberto Gonzalez Iniesta <agi@inittab.org>:
Bug#360559; Package openvpn. Full text and rfc822 format available.

Acknowledgement sent to Geoff Crompton <geoff.crompton@strategicdata.com.au>:
Extra info received and forwarded to list. Copy sent to Alberto Gonzalez Iniesta <agi@inittab.org>. Full text and rfc822 format available.

Message #25 received at 360559@bugs.debian.org (full text, mbox):

From: Geoff Crompton <geoff.crompton@strategicdata.com.au>
To: security@debian.org
Cc: 360559@bugs.debian.org
Subject: openvpn CVE-2006-1629?
Date: Thu, 13 Apr 2006 10:24:40 +1000

Hi,

Just wondering if there is an openvpn update in the works to fix
CVE-2006-1629?

Cheers
-- 
Geoff Crompton
Debian System Administrator
Strategic Data
+61 3 9340 9000



Information forwarded to debian-bugs-dist@lists.debian.org, Alberto Gonzalez Iniesta <agi@inittab.org>:
Bug#360559; Package openvpn. Full text and rfc822 format available.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Alberto Gonzalez Iniesta <agi@inittab.org>. Full text and rfc822 format available.

Message #30 received at 360559@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: Geoff Crompton <geoff.crompton@strategicdata.com.au>
Cc: security@debian.org, 360559@bugs.debian.org
Subject: Re: openvpn CVE-2006-1629?
Date: Mon, 24 Apr 2006 18:12:17 +0200

Geoff Crompton wrote:
> Just wondering if there is an openvpn update in the works to fix
> CVE-2006-1629?

I'm working on it.

Regards,

	Joey

-- 
Long noun chains don't automatically imply security.  -- Bruce Schneier

Please always Cc to me when replying to me on the lists.



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 02:02:42 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 14:14:33 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.