Re: [Openvpn-devel] [PATCH] tcp: apply CLOEXEC to accepted socket, not listener

2025-10-22 Thread Gert Doering
Hi,

On Wed, Oct 22, 2025 at 06:06:21PM +, Joshua Rogers wrote:
> By the way, as mentioned, this was found with the ZeroPath tool. I was 
> wondering if it would be of interest to send the raw results of this scanner 
> to somebody that could allow them to review the findings without me manually 
> triaging? I have done this with curl 
> (https://daniel.haxx.se/blog/2025/10/10/a-new-breed-of-analyzers/) and it was 
> quite successful (~20% false positive rate).
> 
> If this is of interest, please let me know where to send them. The output is 
> just markdown, and it includes potential security vulnerabilities. If not, I 
> will (slowly) continue triaging myself.

This is of interest.

I'm not really sure where to send this - security bugs go to 
[email protected], but if it's not security, we should not spam
this list.  Non-security things could go to GH issues, but *if*
there is security relevant things in between, we might want to keep
the lid on it, for the moment...

So you could send everything my way for a start and I discuss with
my co-developers how to do this in the future.  I'll then try to
triage this in a timely fashion and forward to GH, security@, or
just drop :-)

gert

-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany [email protected]


___
Openvpn-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


Re: [Openvpn-devel] [PATCH] tcp: apply CLOEXEC to accepted socket, not listener

2025-10-22 Thread Joshua Rogers via Openvpn-devel
Hi all,

By the way, as mentioned, this was found with the ZeroPath tool. I was 
wondering if it would be of interest to send the raw results of this scanner to 
somebody that could allow them to review the findings without me manually 
triaging? I have done this with curl 
(https://daniel.haxx.se/blog/2025/10/10/a-new-breed-of-analyzers/) and it was 
quite successful (~20% false positive rate).

If this is of interest, please let me know where to send them. The output is 
just markdown, and it includes potential security vulnerabilities. If not, I 
will (slowly) continue triaging myself.

Thank you.

On Wednesday, 22 October 2025 at 13:55, Gert Doering wrote:

> 
> 
> Hi,
> 
> On Tue, Oct 21, 2025 at 10:34:21PM +0200, Arne Schwabe wrote:
> 
> > Before committing we have to check that port-share does not rely on this
> > behaviour to pass the fd to the forked instances. I didn't check right now.
> 
> 
> Good point. I have a port-share test instance, will test.
> 
> gert
> 
> --
> "If was one thing all people took for granted, was conviction that if you
> feed honest figures into a computer, honest figures come out. Never doubted
> it myself till I met a computer with a sense of humor."
> Robert A. Heinlein, The Moon is a Harsh Mistress
> 
> Gert Doering - Munich, Germany [email protected]




Re: [Openvpn-devel] [PATCH] tcp: apply CLOEXEC to accepted socket, not listener

2025-10-21 Thread Gert Doering
Hi,

On Tue, Oct 21, 2025 at 10:34:21PM +0200, Arne Schwabe wrote:
> Before committing we have to check that port-share does not rely on this
> behaviour to pass the fd to the forked instances. I didn't check right now.

Good point.  I have a port-share test instance, will test.

gert

-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany [email protected]




Re: [Openvpn-devel] [PATCH] tcp: apply CLOEXEC to accepted socket, not listener

2025-10-21 Thread Arne Schwabe
On 21.10.2025 at 21:40, Gert Doering wrote:
> Hi,
> 
> On Tue, Oct 21, 2025 at 06:11:06PM +, Joshua Rogers via Openvpn-devel wrote:
> > The accept path calls set_cloexec(sd) after accept(). That re-flags the
> > listening socket, which is already CLOEXEC from create_socket_tcp(), and
> > leaves new_sd inheritable. As a result, client-connect and auth scripts
> > spawned after accept can inherit the connected socket and read or write
> > the raw TCP stream. This defeats the stated intent to prevent scripts from
> > accessing the client socket.
> 
> Impressive find.  I had to actually look at the code to see what
> you are talking about :-)
> 
> So we do
> 
>  new_sd = accept(sd, &act->dest.addr.sa, &remote_len);
> 
> and then
> 
>  /* set socket file descriptor to not pass across execs, so that
>   * scripts don't have access to it */
>  set_cloexec(sd);

Before committing we have to check that port-share does not rely on this
behaviour to pass the fd to the forked instances. I didn't check right now.


Arne





Re: [Openvpn-devel] [PATCH] tcp: apply CLOEXEC to accepted socket, not listener

2025-10-21 Thread Gert Doering
Hi,

On Tue, Oct 21, 2025 at 06:11:06PM +, Joshua Rogers via Openvpn-devel wrote:
> The accept path calls set_cloexec(sd) after accept(). That re-flags the
> listening socket, which is already CLOEXEC from create_socket_tcp(), and
> leaves new_sd inheritable. As a result, client-connect and auth scripts
> spawned after accept can inherit the connected socket and read or write
> the raw TCP stream. This defeats the stated intent to prevent scripts from
> accessing the client socket.

Impressive find.  I had to actually look at the code to see what
you are talking about :-)

So we do 

new_sd = accept(sd, &act->dest.addr.sa, &remote_len);

and then

/* set socket file descriptor to not pass across execs, so that
 * scripts don't have access to it */
set_cloexec(sd);

return new_sd;

which very clearly is not intended behaviour.

So,

Acked-by: [email protected]

will deal with it "as soon as possible" which will take a few days.

gert

-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany [email protected]
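The two-line mix-up discussed above, reproduced as a stand-alone C example added here for illustration (not OpenVPN's code): a loopback TCP listener is flagged CLOEXEC as create_socket_tcp() does, a connection is accepted, and the accepted descriptor is then checked with fcntl(F_GETFD) under both the reported path (set_cloexec(sd) on the listener) and the corrected one (set_cloexec(new_sd)). The set_cloexec() body here is an assumed equivalent of OpenVPN's helper; accept_one(), accepted_fd_cloexec_state() and fd_survives_fork() are names invented for this example. The last function shows the point behind Arne's port-share question: FD_CLOEXEC is only honoured by execve(), so a fork()ed child still holds the descriptor and only a subsequent exec loses it.

```c
/* Added example, not OpenVPN's code. Reproduces the set_cloexec(sd) vs
 * set_cloexec(new_sd) defect on a loopback TCP accept and checks the
 * accepted fd's FD_CLOEXEC flag. Linux/POSIX. */
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed equivalent of OpenVPN's set_cloexec() helper. */
static void set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags >= 0) {
        fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
    }
}

/* 1 if fd is closed on execve(), 0 if an exec'd script would inherit it, -1 on error. */
int fd_is_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return flags < 0 ? -1 : ((flags & FD_CLOEXEC) ? 1 : 0);
}

/* CLOEXEC listener on 127.0.0.1 with an ephemeral port (mirrors create_socket_tcp()). */
static int make_listener(unsigned short *port)
{
    struct sockaddr_in sin;
    socklen_t len = sizeof(sin);
    int sd = socket(AF_INET, SOCK_STREAM, 0);
    if (sd < 0) return -1;
    set_cloexec(sd);
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sin.sin_port = 0;
    if (bind(sd, (struct sockaddr *)&sin, sizeof(sin)) < 0 || listen(sd, 1) < 0
        || getsockname(sd, (struct sockaddr *)&sin, &len) < 0) {
        close(sd);
        return -1;
    }
    *port = ntohs(sin.sin_port);
    return sd;
}

/* Accept one connection. buggy != 0 reproduces the reported path (re-flags the
 * listener); buggy == 0 flags the accepted socket, which is the fix. */
static int accept_one(int sd, int buggy)
{
    struct sockaddr_in peer;
    socklen_t plen = sizeof(peer);
    int new_sd = accept(sd, (struct sockaddr *)&peer, &plen);
    if (new_sd < 0) return -1;
    set_cloexec(buggy ? sd : new_sd);
    return new_sd;
}

/* One loopback connect/accept round trip; returns fd_is_cloexec() of the
 * accepted socket, or -1 on failure. Closes every fd it opened. */
int accepted_fd_cloexec_state(int buggy)
{
    unsigned short port;
    struct sockaddr_in dst;
    int result = -1, client, new_sd;
    int sd = make_listener(&port);
    if (sd < 0) return -1;
    memset(&dst, 0, sizeof(dst));
    dst.sin_family = AF_INET;
    dst.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    dst.sin_port = htons(port);
    client = socket(AF_INET, SOCK_STREAM, 0);
    if (client >= 0 && connect(client, (struct sockaddr *)&dst, sizeof(dst)) == 0) {
        new_sd = accept_one(sd, buggy);
        if (new_sd >= 0) {
            result = fd_is_cloexec(new_sd);
            close(new_sd);
        }
    }
    if (client >= 0) close(client);
    close(sd);
    return result;
}

/* FD_CLOEXEC acts only at execve(): a fork()ed child still holds the fd.
 * Returns 1 if the child could still use fd, 0 if not, -1 on error. */
int fd_survives_fork(int fd)
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) _exit(fcntl(fd, F_GETFD) >= 0 ? 0 : 1);
    if (waitpid(pid, &status, 0) < 0) return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 1 : 0;
}

/* Opens /dev/null with O_CLOEXEC and reports whether a forked child keeps it. */
int cloexec_devnull_survives_fork(void)
{
    int fd = open("/dev/null", O_RDONLY | O_CLOEXEC);
    if (fd < 0) return -1;
    int r = fd_survives_fork(fd);
    close(fd);
    return r;
}

int main(void)
{
    printf("reported path: accepted fd CLOEXEC=%d (0 = scripts inherit it)\n",
           accepted_fd_cloexec_state(1));
    printf("fixed path:    accepted fd CLOEXEC=%d\n", accepted_fd_cloexec_state(0));
    printf("CLOEXEC fd still usable in a fork()ed child: %d\n",
           cloexec_devnull_survives_fork());
    return 0;
}
```

The same fcntl(F_GETFD) check is a cheap regression test to keep next to an accept path: any descriptor handed back from accept() that is later followed by a script exec should report FD_CLOEXEC set.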

