"CVE-2008-3459: Remote command execution"

Related Vulnerabilities: CVE-2008-3459  

Debian Bug report logs - #493488
"CVE-2008-3459: Remote command execution"


Package: openvpn; Maintainer for openvpn is Bernhard Schmidt <berni@debian.org>; Source for openvpn is src:openvpn (PTS, buildd, popcon).

Reported by: Florian Weimer <fw@deneb.enyo.de>

Date: Sat, 2 Aug 2008 20:48:02 UTC

Severity: grave

Tags: security

Found in version openvpn/2.1~rc8-1

Fixed in version openvpn/2.1~rc9-1

Done: Alberto Gonzalez Iniesta <agi@inittab.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Alberto Gonzalez Iniesta <agi@inittab.org>:
Bug#493488; Package openvpn. (full text, mbox, link).


Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
New Bug report received and forwarded. Copy sent to Alberto Gonzalez Iniesta <agi@inittab.org>. (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Florian Weimer <fw@deneb.enyo.de>
To: submit@bugs.debian.org
Subject: Command execution through remotely received configuration directives
Date: Sat, 02 Aug 2008 22:44:33 +0200
Package: openvpn
Version: 2.1~rc8-1
Tags: security
Severity: grave

| * Security Fix -- affects non-Windows OpenVPN clients running
|    OpenVPN 2.1-beta14 through 2.1-rc8 (OpenVPN 2.0.x clients are NOT
|    vulnerable nor are any versions of the OpenVPN server vulnerable).
|    An OpenVPN client connecting to a malicious or compromised
|    server could potentially receive an "lladdr" or "iproute"
|    configuration directive from the server which could cause arbitrary
|    code execution on the client. A successful attack requires that (a)
|    the client has agreed to allow the server to push configuration
|    directives to it by including "pull" or the macro "client" in its
|    configuration file, (b) the client successfully authenticates the
|    server, (c) the server is malicious or has been compromised and is
|    under the control of the attacker, and (d) the client is running a
|    non-Windows OS.  Credit: David Wagner.
| 
| * Miscellaneous defensive programming changes to multiple
|    areas of the code.  In particular, use of the system() call
|    for calling executables such as ifconfig, route, and
|    user-defined scripts has been completely revamped in favor
|    of execve() on unix and CreateProcess() on Windows.

<http://openvpn.net/index.php/documentation/change-log/changelog-21.html>

CVE not yet known.




Information forwarded to debian-bugs-dist@lists.debian.org, Alberto Gonzalez Iniesta <agi@inittab.org>:
Bug#493488; Package openvpn. (full text, mbox, link).


Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Extra info received and forwarded to list. Copy sent to Alberto Gonzalez Iniesta <agi@inittab.org>. (full text, mbox, link).


Message #10 received at 493488@bugs.debian.org (full text, mbox, reply):

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: control@bugs.debian.org
Cc: 493488@bugs.debian.org
Subject: CVE id assigned
Date: Sat, 9 Aug 2008 16:33:55 +1000
retitle 493488 "CVE-2008-3459: Command execution through remotely received 
configuration directives"
thanks

Hi

CVE-2008-3459[0] was assigned to this issue.
Please mention the CVE id in your changelog, when you fix this bug.

Cheers
Steffen

[0]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3459

Changed Bug title to `"CVE-2008-3459: Command execution through remotely received' from `Command execution through remotely received configuration directives'. Request was from Steffen Joeris <steffen.joeris@skolelinux.de> to control@bugs.debian.org. (Sat, 09 Aug 2008 06:36:03 GMT) (full text, mbox, link).


Changed Bug title to `"CVE-2008-3459: Remote command execution"' from `"CVE-2008-3459: Command execution through remotely received'. Request was from Steffen Joeris <steffen.joeris@skolelinux.de> to control@bugs.debian.org. (Sat, 09 Aug 2008 06:57:06 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Alberto Gonzalez Iniesta <agi@inittab.org>:
Bug#493488; Package openvpn. (full text, mbox, link).


Acknowledgement sent to Tristan Hill <stan@saticed.me.uk>:
Extra info received and forwarded to list. Copy sent to Alberto Gonzalez Iniesta <agi@inittab.org>. (full text, mbox, link).


Message #19 received at 493488@bugs.debian.org (full text, mbox, reply):

From: Tristan Hill <stan@saticed.me.uk>
To: 493488@bugs.debian.org
Subject: Updated debian_openssl_vulnkeys.patch
Date: Mon, 11 Aug 2008 07:58:20 +0100
To upgrade the current package to rc9 the debian_openssl_vulnkeys.patch
needed some work due to upstream changes.  Attached is an updated version
in the hope it might be useful.

Regards
Tristan
[debian_openssl_vulnkeys.patch (text/x-patch, attachment)]

Reply sent to Alberto Gonzalez Iniesta <agi@inittab.org>:
You have taken responsibility. (full text, mbox, link).


Notification sent to Florian Weimer <fw@deneb.enyo.de>:
Bug acknowledged by developer. (full text, mbox, link).


Message #24 received at 493488-close@bugs.debian.org (full text, mbox, reply):

From: Alberto Gonzalez Iniesta <agi@inittab.org>
To: 493488-close@bugs.debian.org
Subject: Bug#493488: fixed in openvpn 2.1~rc9-1
Date: Mon, 11 Aug 2008 18:02:04 +0000
Source: openvpn
Source-Version: 2.1~rc9-1

We believe that the bug you reported is fixed in the latest version of
openvpn, which is due to be installed in the Debian FTP archive:

openvpn_2.1~rc9-1.diff.gz
  to pool/main/o/openvpn/openvpn_2.1~rc9-1.diff.gz
openvpn_2.1~rc9-1.dsc
  to pool/main/o/openvpn/openvpn_2.1~rc9-1.dsc
openvpn_2.1~rc9-1_i386.deb
  to pool/main/o/openvpn/openvpn_2.1~rc9-1_i386.deb
openvpn_2.1~rc9.orig.tar.gz
  to pool/main/o/openvpn/openvpn_2.1~rc9.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 493488@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alberto Gonzalez Iniesta <agi@inittab.org> (supplier of updated openvpn package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Mon, 11 Aug 2008 19:40:11 +0200
Source: openvpn
Binary: openvpn
Architecture: source i386
Version: 2.1~rc9-1
Distribution: unstable
Urgency: high
Maintainer: Alberto Gonzalez Iniesta <agi@inittab.org>
Changed-By: Alberto Gonzalez Iniesta <agi@inittab.org>
Description: 
 openvpn    - virtual private network daemon
Closes: 493488
Changes: 
 openvpn (2.1~rc9-1) unstable; urgency=high
 .
   * New upstream version.
   * Urgency high since it fixes a security bug in versions
     2.1-beta14 to 2.1-rc8. CVE-2008-3459. (Closes: #493488)
   * Added sample-scripts/ to examples directory.
   * Thanks Tristan Hill for rewritten debian_openssl_vulnkeys.patch





Information forwarded to debian-bugs-dist@lists.debian.org, Alberto Gonzalez Iniesta <agi@inittab.org>:
Bug#493488; Package openvpn. (full text, mbox, link).


Acknowledgement sent to Peter Rabbitson <rabbit+bugs@rabbit.us>:
Extra info received and forwarded to list. Copy sent to Alberto Gonzalez Iniesta <agi@inittab.org>. (full text, mbox, link).


Message #29 received at 493488@bugs.debian.org (full text, mbox, reply):

From: Peter Rabbitson <rabbit+bugs@rabbit.us>
To: 493488@bugs.debian.org
Subject: This "bugfix" is way too heavy and breaks existing setups
Date: Thu, 14 Aug 2008 13:51:47 +0200
Hi,

This fix breaks the following setup:

1) Server A provides openvpn connectivity to clients
2) Servers X, Y and Z are configured as VPN clients and provide some http
services both to the outside internet and to any VPN clients.
3) The http services are configured in a way that mandates password
authentication via an SSL channel, except when communicating with other
VPN clients.
4) Server A supplies 'push "route hostname.of.[X|Y|Z].server"', because
the servers in question are development machines, which can (and do)
change their IP addresses rather frequently.

With the current "fix" point 4 becomes impractical, and now besides
updates to the DNS (which are automatic) I have to update the server
config every time something changes (which unfortunately is manual).

It would be desirable that the code attached below can be disabled with
some sort of configuration switch (i.e. --route-fqdn-pull).

Thank you

Peter



options.c
---------------------------------------
  else if (streq (p[0], "route") && p[1])
    {
      VERIFY_PERMISSION (OPT_P_ROUTE);
      rol_check_alloc (options);
      if (pull_mode)
	{
	  if (!ip_addr_dotted_quad_safe (p[1]) && !is_special_addr (p[1]))
	    {
	      msg (msglevel, "route parameter network/IP '%s' is not an IP address", p[1]);
	      goto err;
	    }
	  if (p[2] && !ip_addr_dotted_quad_safe (p[2]))
	    {
	      msg (msglevel, "route parameter netmask '%s' is not an IP address", p[2]);
	      goto err;
	    }
	  if (p[3] && !ip_addr_dotted_quad_safe (p[3]) && !is_special_addr (p[3]))
	    {
	      msg (msglevel, "route parameter gateway '%s' is not an IP address", p[3]);
	      goto err;
	    }
	}
      add_route_to_option_list (options->routes, p[1], p[2], p[3], p[4]);
    }
---------------------------------------
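
The following is an added example, not part of the thread and not OpenVPN's code. It sketches the two defences the report describes: strict dotted-quad validation of pushed route values, and passing each value as its own execve() argument instead of through a system() shell string. `dotted_quad_strict`, `build_route_argv`, the `/sbin/route` argument layout and the sample values are assumptions made for illustration. Unlike the excerpt above, it requires all three values and has no special-address case, and it rejects hostnames, which is the trade-off the last message describes.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not OpenVPN's ip_addr_dotted_quad_safe(): accept only
 * "a.b.c.d" with four decimal octets 0-255 and no other byte anywhere. */
int dotted_quad_strict(const char *s)
{
    int octets = 0;
    while (s && *s) {
        int val = 0, digits = 0;
        while (isdigit((unsigned char)*s)) {
            val = val * 10 + (*s++ - '0');
            if (++digits > 3 || val > 255)
                return 0;
        }
        if (digits == 0 || ++octets > 4)
            return 0;
        if (*s == '\0')
            break;
        if (*s++ != '.' || *s == '\0')  /* only '.' separates; no trailing dot */
            return 0;
    }
    return octets == 4;
}

/* Build argv for an assumed "/sbin/route add -net" call. Each pushed value is
 * exactly one argv element, so no shell parses it. Returns 0, or -1 on reject. */
int build_route_argv(const char *net, const char *mask, const char *gw,
                     const char *argv[10])
{
    if (!dotted_quad_strict(net) || !dotted_quad_strict(mask) ||
        !dotted_quad_strict(gw))
        return -1;
    const char *v[10] = { "/sbin/route", "add", "-net", net,
                          "netmask", mask, "gw", gw, NULL, NULL };
    memcpy(argv, v, sizeof v);
    return 0;   /* caller would execve(argv[0], (char *const *)argv, envp) */
}

int main(void)
{
    const char *argv[10];
    /* Constructed sample values standing in for pushed "route" parameters. */
    const char *nets[] = { "10.8.0.0", "10.8.0.0;id", "dev1.example.org" };
    for (int i = 0; i < 3; i++)
        printf("%-18s -> %s\n", nets[i], build_route_argv(nets[i],
               "255.255.255.0", "10.8.0.1", argv) ? "rejected" : "accepted");
    return 0;
}
```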




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 12 Sep 2008 07:36:41 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:30:00 2019; Machine Name: buxtehude
