git.ipfire.org Git - thirdparty/openvpn.git/commit
win32: Enforce loading of plugins from a trusted directory
author Lev Stipakov <lstipakov@gmail.com>
Tue, 19 Mar 2024 13:53:45 +0000 (15:53 +0200)
committer Gert Doering <gert@greenie.muc.de>
Tue, 19 Mar 2024 15:12:05 +0000 (16:12 +0100)
commit aaea545d8a940f761898d736b68bcb067d503b1d
tree f0c9466078549c43b1697e013dd32b02443825a3
parent b25c6d7e861d446b7a2e03cbcfb892d554c1ef73
win32: Enforce loading of plugins from a trusted directory

Currently, there's a risk associated with allowing plugins to be loaded
from any location. This update ensures plugins are only loaded from a
trusted directory, which is either:

    - HKLM\SOFTWARE\OpenVPN\plugin_dir (or if the key is missing,
    then HKLM\SOFTWARE\OpenVPN, which is the installation directory)

    - System directory

Loading from UNC paths is disallowed.

Note: This change affects only Windows environments.

CVE: 2024-27903

Change-Id: I154a4aaad9242c9253a64312a14c5fd2ea95f40d
Reported-by: Vladimir Tokarev <vtokarev@microsoft.com>
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <20240319135355.1279-2-lev@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28416.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
src/openvpn/plugin.c
src/openvpn/win32.c
src/openvpn/win32.h
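
The policy in the commit message (plugin path must sit under a trusted directory, UNC paths refused) sketched as a purely lexical check; this is an added example, not the code from this commit. The names `normalize`, `inside`, `plugin_path_is_trusted`, `PD` and `SD` are hypothetical, the sample directories are constructed, and the caller is assumed to have already read the trusted directories; a Windows implementation would also let the OS canonicalise the path, which this sketch does not do.

```c
#include <ctype.h>
#include <string.h>
#define MAXP 260 /* MAX_PATH-sized buffers */
static int sep(char c) { return c == '\\' || c == '/'; }

/* Lexically normalise a drive-absolute path: unify separators, lowercase (ASCII),
 * resolve "." and "..". Returns -1 for UNC, relative, over-long or escaping paths. */
static int normalize(const char *in, char *out)
{
    size_t n = 0, len = strlen(in);
    if (len < 3 || len >= MAXP) return -1;
    if (sep(in[0]) && sep(in[1])) return -1;   /* UNC: \\server\share, \\?\... */
    if (!isalpha((unsigned char)in[0]) || in[1] != ':' || !sep(in[2])) return -1;
    out[n++] = (char)tolower((unsigned char)in[0]);
    out[n++] = ':';
    for (const char *p = in + 2; *p; ) {
        while (sep(*p)) p++;
        size_t c = strcspn(p, "\\/");
        if (c == 0) break;
        if (c == 2 && p[0] == '.' && p[1] == '.') {
            if (n <= 2) return -1;             /* ".." above the drive root */
            while (out[--n] != '\\') {}        /* drop last component and separator */
        } else if (!(c == 1 && p[0] == '.')) {
            out[n++] = '\\';
            for (size_t i = 0; i < c; i++) out[n++] = (char)tolower((unsigned char)p[i]);
        }
        p += c;
    }
    out[n] = '\0';
    return 0;
}

/* 1 only if path normalises to something strictly below dir; the separator test
 * stops "...\plugins-evil" from matching the prefix "...\plugins". */
static int inside(const char *path, const char *dir)
{
    char p[MAXP], d[MAXP];
    if (normalize(path, p) != 0 || normalize(dir, d) != 0) return 0;
    size_t dl = strlen(d);
    return strncmp(p, d, dl) == 0 && p[dl] == '\\';
}

/* Trusted = below the plugin directory or below the system directory. */
int plugin_path_is_trusted(const char *path, const char *plugin_dir, const char *system_dir)
{
    return inside(path, plugin_dir) || inside(path, system_dir);
}

static const char *PD = "C:\\Program Files\\OpenVPN\\plugins"; /* constructed sample */
static const char *SD = "C:\\Windows\\System32";               /* constructed sample */
int main(void) { return plugin_path_is_trusted("\\\\fileserver\\share\\auth.dll", PD, SD); }
```

The exit status of `main` is 0 because the UNC path is refused.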