openvpn-2.0.1-2.2.20060mdk.src.rpm

This patch fixes CVE-2005-3393

------------------------------------------------------------------------
r735 | james | 2005-10-30 13:17:35 -0700 (Sun, 30 Oct 2005) | 15 lines

Security fix -- Affects non-Windows OpenVPN clients of
version 2.0 or higher which connect to a malicious or
compromised server.  A format string vulnerability
in the foreign_option function in options.c could
potentially allow a malicious or compromised server
to execute arbitrary code on the client.  Only
non-Windows clients are affected.  The vulnerability
only exists if (a) the client's TLS negotiation with
the server succeeds, (b) the server is malicious or
has been compromised such that it is configured to
push a maliciously crafted options string to the client,
and (c) the client indicates its willingness to accept
pushed options from the server by having "pull" or
"client" in its configuration file (Credit: Vade79).

This patch is applicable to OpenVPN 2.0, 2.0.1, and 2.0.2.
OpenVPN 2.0.4 and higher already contains this patch.
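
The bug class described in the commit message above, as an added C example (not OpenVPN's code and not part of the patch). `struct buffer`, this `buf_printf`, `join_option` and the sample option string are simplified stand-ins constructed here, with the loop shape modeled on the options.c hunk on this page. The sample contains only `%%`, so the pre-patch form stays well-defined while still showing that the received string is interpreted as a format.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for a printf-style buffer appender (assumption). */
struct buffer { char data[128]; size_t len; };

/* The format attribute lets GCC/Clang check every caller's format argument. */
__attribute__((format(printf, 2, 3)))
static void buf_printf(struct buffer *b, const char *fmt, ...)
{
    size_t room = sizeof b->data - b->len - 1;
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(b->data + b->len, room + 1, fmt, ap);
    va_end(ap);
    if (n > 0)
        b->len += ((size_t)n < room) ? (size_t)n : room;
}

/* Joins argv[1..] with spaces; unsafe=true keeps the pre-patch call shape. */
static const char *join_option(struct buffer *b, int argc, char *argv[], bool unsafe)
{
    bool first = true;
    memset(b, 0, sizeof *b);
    for (int i = 1; i < argc; ++i) {
        if (!first)
            buf_printf(b, " ");
        if (unsafe) {
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
            buf_printf(b, argv[i]);         /* before: data used as format */
#pragma GCC diagnostic pop
        } else {
            buf_printf(b, "%s", argv[i]);   /* after: data stays data */
        }
        first = false;
    }
    return b->data;
}

/* Constructed sample; "%%" is the only directive, so both paths are defined. */
static char *sample_argv[] = { "dhcp-option", "DOMAIN", "a%%b.example" };
int main(void)
{
    struct buffer b;
    printf("before: %s\n", join_option(&b, 3, sample_argv, true));
    printf("after:  %s\n", join_option(&b, 3, sample_argv, false));
}
```

Without the `#pragma` lines, a compiler with `-Wformat-security` enabled reports the pre-patch call, which is how the attribute catches this pattern at build time.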

------------------------------------------------------------------------
Index: options.c
===================================================================
--- options.c	(revision 734)
+++ options.c	(revision 735)
@@ -2108,7 +2108,7 @@
 	    {
 	      if (!first)
 		buf_printf (&value, " ");
-	      buf_printf (&value, argv[i]);
+	      buf_printf (&value, "%s", argv[i]);
 	      first = false;
 	    }
 	}
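
Review bot: The changed `buf_printf (&value, "%s", argv[i]);` line fixes this one call site, but nothing visible in the hunk keeps another non-literal format from being passed to buf_printf elsewhere. If buf_printf's prototype does not already carry a printf format attribute, add one so that -Wformat-security flags any remaining `buf_printf (x, untrusted)` call at build time, and check the other callers that handle server-pushed option strings for the same pattern. The neighbouring `buf_printf (&value, " ");` uses a constant format and needs no change.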