Bug#890816: ITP: autovpn -- Connect to a VPN in a country of your choice

To: Michael Meskes <meskes@debian.org>
Cc: Steve Kemp <steve@steve.org.uk>, 890816@bugs.debian.org, debian-devel@lists.debian.org
Subject: Bug#890816: ITP: autovpn -- Connect to a VPN in a country of your choice
From: Gunnar Wolf <gwolf@debian.org>
Date: Tue, 20 Feb 2018 12:13:51 -0600
Message-id: <[🔎] 20180220181351.5clpcdbyfvvt5ad2@gwolf.org>
Reply-to: Gunnar Wolf <gwolf@debian.org>, 890816@bugs.debian.org
In-reply-to: <[🔎] 1519040680.2249.78.camel@debian.org>
References: <[🔎] 151903374360.26582.6225833500544932274.reportbug@feivel> <[🔎] 20180219104939.lrq4tlstqcipee4z@steve.org.uk> <[🔎] 1519040680.2249.78.camel@debian.org> <[🔎] 151903374360.26582.6225833500544932274.reportbug@feivel>

Michael Meskes dijo [Mon, Feb 19, 2018 at 12:44:40PM +0100]:
> >   I'd strongly urge you to reconsider packaging this project, for
> >  three main reasons:
> > 
> >   * It relies upon the external VPNGate.net site/service.  If this
> >     goes away in the lifetime of a stable Debian release users will
> >     be screwed.
> 
> That is actually a good point. I wonder if using a local copy might be
> a good alternative.

I suppose the information it downloads is needed to keep the database
up to date. Thinking about a lifetime of ~5 years (stable+oldstable),
I don't think we could work around that

> >   * It allows security attacks on against the local system which the
> >     remote service could exploit:
> > 
> >     1.  The tool downloads a remote URL to /tmp/openvpnconf
> > 
> >     2.  The file is then given as an argument to the command:
> >             sudo openvpn /tmp/openvpnconf
> > 
> >     3.  That generated/downloaded openvpn configuration file could
> >        be written to do anything, up to and including `rm -rf /`.
> 
> Can you actually get openvpn to do this?

Depends on what information you put in /tmp/openvpn.conf, I guess. The
least likely candidates end up opening holes - i.e. remember the quite
recent KDE notifier bug allowing FAT volume labels containing $() to
be executed :-P

I mean - It might be completely OK. But given this creates
configuration for setting up a high-privileged daemon from a public
place, it'd be on you to carefully comb on the relevant parts of the
source to assert the handling of this information is sensible.

Reply to:

References:
- Bug#890816: ITP: autovpn -- Connect to a VPN in a country of your choice
  - From: Michael Meskes <meskes@debian.org>
- Bug#890816: ITP: autovpn -- Connect to a VPN in a country of your choice
  - From: Steve Kemp <steve@steve.org.uk>
- Bug#890816: ITP: autovpn -- Connect to a VPN in a country of your choice
  - From: Michael Meskes <meskes@debian.org>

Prev by Date: Bug#890915: ITP: libsignal-service-java -- A Java library for communicating via Signal
Next by Date: Bug#856179: ITP: polybar -- fast and easy-to-use status bar
Previous by thread: Bug#890816: ITP: autovpn -- Connect to a VPN in a country of your choice
Next by thread: Bug#890816: marked as done (ITP: autovpn -- Connect to a VPN in a country of your choice)
Index(es):
- Date
- Thread