Thanks for that.

This patch was sent "with ACK included" to the openvpn-devel@ list because 
it was developed under embargo (CVE), and reviewed and ACKed in a closed
group.  I have verified that this patch is identical to the "v4 one" that
Selva and the original reporter saw and ACKed.

This is related to plugin loading on Windows only.  We have discussed the
topic of "restricting plugin loading on other platforms" but it's more
complex to tackle (it starts with "there is no central registry to 
put restrictions into", but goes on to "on Unix, openvpn runs as root
anyway, so we expect this to be done by admins who spend some thought
on what scripts and plugins they call, and from which paths") - so we
haven't done anything there yet.

I have test built this on MinGW/Ubuntu, just for completeness, and
via GHA.  Haven't tested the result myself (no plugin setup on windows).

(I do have a few gripes, but these are more cosmetic - like "make
get_openvpn_reg_value() static", and "wrap the long if() condition at 
the '&&', not in the middle of the function call" - but these are all
not important for the functionality)

Your patch has been applied to the master, release/2.6 and release/2.5
branches (security-relevant bugfix).

commit aaea545d8a940f761898d736b68bcb067d503b1d (master)
commit 05d321ef980734478a86c5241dad7ba26a748a2f (release/2.6)
commit 30bddb1a5426523ef1d61c8a5df2c613ba2a47d3 (release/2.5)
Author: Lev Stipakov
Date:   Tue Mar 19 15:53:45 2024 +0200

     win32: Enforce loading of plugins from a trusted directory

     Signed-off-by: Lev Stipakov <l...@openvpn.net>
     Acked-by: Selva Nair <selva.n...@gmail.com>
     Message-Id: <20240319135355.1279-2-...@openvpn.net>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28416.html
     Signed-off-by: Gert Doering <g...@greenie.muc.de>


--
kind regards,

Gert Doering



_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
