This is another "developed in secrecy on the security@ mailing list"
patch, because it has security implications.

It affects windows builds, where it is possible to have two different
processes provide a pipe with the same name (ewwww!), and a connecting
client will might not end up at the interactive service but at "some
random process".  This is not a major issue in itself, but the GUI sends
a "user credentials token" (so openvpn.exe can be run as "normal user"
later on) and this can be abused by a malicious process to get access
to the user running openvpn-gui.exe - now, it's a somewhat theoretical
attack (malicious software having sufficient privileges to do use
a user token, but not having either "that user access" or "system privs"
to start with) - but it's worth fixing.

So, just stay calm, don't panic, and upgrade to 2.6.11 ;-)

I have not tested this beyond "does it compile?" on a local
ubuntu/mingw build and on GHA.  Lev, Selva and Heiko did all the
grunt work on coming up with a solution and testing the patch.

Your patch has been applied to the release/2.6 branch.  A rebase to
master is in the works (this conflicted with the snprintf() cleanup
patch, which is "only in master" and was merged right after *this*
was developed and tested).

Backport to release/2.5 is not fully straightforward either - there have
been a number of fixes to interactive.c, and not all of them have been
backported.  OTOH, we do not intend to provide 2.5.x windows binaries 
ever again (and said so at 2.5.10 release), so now is the time to
upgrade your windows clients to 2.6.x

commit 51301eb6c233c284270e3f4ed0c7f5781f2b5c62 (release/2.6)
Author: Lev Stipakov
Date:   Wed Jun 19 16:44:23 2024 +0300

     interactive.c: Improve access control for gui<->service pipe

     Signed-off-by: Lev Stipakov <l...@openvpn.net>
     Acked-by: Selva Nair <selva.n...@gmail.com>
     Message-Id: <20240619134451.222-1-...@openvpn.net>
     URL: 
https://www.mail-archive.com/search?l=mid&q=20240619134451.222-1-...@openvpn.net
     Signed-off-by: Gert Doering <g...@greenie.muc.de>


--
kind regards,

Gert Doering



_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Reply via email to