Re: Bug#890816: ITP: autovpn -- Connect to a VPN in a country of your choice
> Version : 0.0~git20170129.72dd7f6-1
> Upstream Author : Adhityaa C <c.adhityaa@gmail.com>
> * URL : https://github.com/adtac/autovpn
..
> autovpn is a tool to automatically connect you to a random VPN
> in a country of your choice. It uses openvpn to connect you to a server
> obtained from VPN Gate (http://www.vpngate.net/en/).
I'd strongly urge you to reconsider packaging this project, for
three main reasons:

* It relies upon the external VPNGate.net site/service. If this
  goes away in the lifetime of a stable Debian release users will
  be screwed.

* It allows security attacks against the local system, which other
  users on the host could exploit via symlink attacks on /tmp/openvpnconf

* It allows security attacks against the local system which the
  remote service could exploit:

  1. The tool downloads a remote URL to /tmp/openvpnconf

  2. The file is then given as an argument to the command:

       sudo openvpn /tmp/openvpnconf

  3. That generated/downloaded openvpn configuration file could
     be written to do anything, up to and including `rm -rf /`.

> A small tool that comes handy in particular for people who travel a lot. Will
> be maintained in the go-team.
Finally the project itself notes:
"This is completely insecure. Please do not use this for anything
important. Get a real and secure VPN. This is mostly a fun tool to
get a VPN for a few minutes."
Steve
--
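
Both local-system problems raised in the message above (the predictable /tmp/openvpnconf path, and a downloaded configuration handed to openvpn under sudo) can be checked for before openvpn is started. The Go code below is an added example, not code from autovpn or from the original post; the names vetConfig and storeConfig and the directive allowlist are assumptions chosen for illustration, and the sample configuration in main is constructed.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)
// Assumed allowlist; anything else (up, down, plugin, script-security, ...) is refused.
var allowed = map[string]bool{"client": true, "dev": true, "proto": true,
	"remote": true, "resolv-retry": true, "nobind": true, "persist-key": true,
	"persist-tun": true, "cipher": true, "auth": true, "verb": true}
var inlineOK = map[string]bool{"ca": true, "cert": true, "key": true} // key material only

// vetConfig returns an error for the first line outside the allowlist.
func vetConfig(conf string) error {
	block := ""
	for i, line := range strings.Split(conf, "\n") {
		switch line = strings.TrimSpace(line); {
		case block != "": // inside an inline block: skip to its closing tag
			if strings.HasPrefix(line, "</"+block+">") {
				block = ""
			}
		case line == "" || line[0] == '#' || line[0] == ';': // blank or comment
		case line[0] == '<':
			if block = strings.Trim(line, "<>"); !inlineOK[block] || line != "<"+block+">" {
				return fmt.Errorf("line %d: inline block %q refused", i+1, line)
			}
		default:
			if d := strings.Fields(line)[0]; !allowed[strings.TrimPrefix(d, "--")] {
				return fmt.Errorf("line %d: directive %q refused", i+1, d)
			}
		}
	}
	return nil
}

// storeConfig vets conf first, then writes it to a newly created private file.
func storeConfig(conf string) (string, error) {
	if err := vetConfig(conf); err != nil {
		return "", err
	}
	f, err := os.CreateTemp("", "openvpnconf-*") // O_EXCL, mode 0600: no symlink is followed
	if err != nil {
		return "", err
	}
	defer f.Close()
	_, err = f.WriteString(conf)
	return f.Name(), err
}
func main() { fmt.Println(storeConfig("client\nup /bin/sh\n")) } // constructed input
```

An allowlist is used rather than a list of known-dangerous directives so that quoted or otherwise unusual spellings of a hook are refused by default.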