This is a somewhat long-standing "unpleasantness" - it was reported twice
as a security vulnerability, so really time to fix it (thanks, Lev).

We do not consider it CVE worthy, as you can't actually achieve anything
with this mechanism that you can't do otherwise (like, "if you can create
a directory here, you already have to have Admin privileges" or "if you
can trick a user into running this .ovpn config, it becomes more of a
social engineering attack").  But it's a bug, as the code doesn't do what
we claim it does, so it's good that it is fixed now ;-)

I have not actively tested it.  I have stared a bit at the code, and
rely on Arne's +2, and all the buildbots claim "things still work"
(though we don't currently test "plugins on a windows client" *ahem*).

There is a unit test (test_misc), which is run by GHA -> tested, works.

Your patch has been applied to the master, release/2.7 and release/2.6
branch.  The unit test in release/2.6 looks different enough that this
needs major work, so I decided to skip that.  The rest of the files
involved had only trivial conflicts in context.

2.5 *does* have the "normalized_plugin_dir" comparison, but since we 
do no releases on 2.5.x anymore, there will never be "fixed windows
binaries".  Who wants that needs to backport & build themselves.

commit c553bb511f074b27334d54a1ce2d4d0c03a9d3e0 (master)
commit 7267b93e8ed3f748af69211a8b9b2e1244dcb79f (release/2.7)
commit 0bb1f2c4ae8c6149bf751aebaeb4da02adfc7a75 (release/2.6)
Author: Lev Stipakov
Date:   Mon Jun 29 14:48:34 2026 +0200

     win32: fix plugin trusted-dir check prefix bypass

     Signed-off-by: Lev Stipakov <[email protected]>
     Acked-by: Arne Schwabe <[email protected]>
     Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1736
     Message-Id: <[email protected]>
     URL: 
https://www.mail-archive.com/[email protected]/msg37382.html
     Signed-off-by: Gert Doering <[email protected]>


--
kind regards,

Gert Doering



_______________________________________________
Openvpn-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Reply via email to