Thanks for that. This patch was sent "with ACK included" to the openvpn-devel@ list because it was developed under embargo (CVE), and reviewed and ACKed in a closed group. I have verified that this patch is identical to the "v4 one" that Selva and the original reporter saw and ACKed.

This is related to plugin loading on Windows only. We have discussed the topic of "restricting plugin loading on other platforms" but it's more complex to tackle (it starts with "there is no central registry to put restrictions into", but goes on to "on unix, openvpn runs as root anyway, so we expect this to be done by admins who spend some thought on what scripts and plugins they call, and from which paths") - so we haven't done anything there yet.

I have test built this on MinGW/Ubuntu, just for completeness, and via GHA. Haven't tested the result myself (no plugin setup on Windows).

(I do have a few gripes, but these are more cosmetic - like "make get_openvpn_reg_value() static", and "wrap the long if() condition at the '&&', not in the middle of the function call" - but these are all not important for the functionality)

Your patch has been applied to the master, release/2.6 and release/2.5 branch (security relevant bugfix).

commit aaea545d8a940f761898d736b68bcb067d503b1d (master)
commit 05d321ef980734478a86c5241dad7ba26a748a2f (release/2.6)
commit 30bddb1a5426523ef1d61c8a5df2c613ba2a47d3 (release/2.5)
Author: Lev Stipakov
Date:   Tue Mar 19 15:53:45 2024 +0200

    win32: Enforce loading of plugins from a trusted directory

    Signed-off-by: Lev Stipakov <l...@openvpn.net>
    Acked-by: Selva Nair <selva.n...@gmail.com>
    Message-Id: <20240319135355.1279-2-...@openvpn.net>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28416.html
    Signed-off-by: Gert Doering <g...@greenie.muc.de>

--
kind regards,

Gert Doering