Web lists-archives.com

Re: Bug#890816: ITP: autovpn -- Connect to a VPN in a country of your choice




Michael Meskes dijo [Mon, Feb 19, 2018 at 12:44:40PM +0100]:
> >   I'd strongly urge you to reconsider packaging this project, for
> >  three main reasons:
> > 
> >   * It relies upon the external VPNGate.net site/service.  If this
> >     goes away in the lifetime of a stable Debian release users will
> >     be screwed.
> 
> That is actually a good point. I wonder if using a local copy might be
> a good alternative.

I suppose the information it downloads is needed to keep the database
up to date. Thinking about a lifetime of ~5 years (stable+oldstable),
I don't think we could work around that

> >   * It allows security attacks on against the local system which the
> >     remote service could exploit:
> > 
> >     1.  The tool downloads a remote URL to /tmp/openvpnconf
> > 
> >     2.  The file is then given as an argument to the command:
> >             sudo openvpn /tmp/openvpnconf
> > 
> >     3.  That generated/downloaded openvpn configuration file could
> >        be written to do anything, up to and including `rm -rf /`.
> 
> Can you actually get openvpn to do this?

Depends on what information you put in /tmp/openvpn.conf, I guess. The
least likely candidates end up opening holes - i.e. remember the quite
recent KDE notifier bug allowing FAT volume labels containing $() to
be executed :-P

I mean - It might be completely OK. But given this creates
configuration for setting up a high-privileged daemon from a public
place, it'd be on you to carefully comb on the relevant parts of the
source to assert the handling of this information is sensible.