This patch fixes CVE-2005-3393 ------------------------------------------------------------------------ r735 | james | 2005-10-30 13:17:35 -0700 (Sun, 30 Oct 2005) | 15 lines Security fix -- Affects non-Windows OpenVPN clients of version 2.0 or higher which connect to a malicious or compromised server. A format string vulnerability in the foreign_option function in options.c could potentially allow a malicious or compromised server to execute arbitrary code on the client. Only non-Windows clients are affected. The vulnerability only exists if (a) the client's TLS negotiation with the server succeeds, (b) the server is malicious or has been compromised such that it is configured to push a maliciously crafted options string to the client, and (c) the client indicates its willingness to accept pushed options from the server by having "pull" or "client" in its configuration file (Credit: Vade79). This patch is applicable to OpenVPN 2.0, 2.0.1, and 2.0.2. OpenVPN 2.0.4 and higher already contains this patch. ------------------------------------------------------------------------ Index: options.c =================================================================== --- options.c (revision 734) +++ options.c (revision 735) @@ -2108,7 +2108,7 @@ { if (!first) buf_printf (&value, " "); - buf_printf (&value, argv[i]); + buf_printf (&value, "%s", argv[i]); first = false; } }
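Review bot: The corrected call `buf_printf (&value, "%s", argv[i]);` closes this one site, but nothing in the hunk guards against the same pattern at other buf_printf calls that pass a non-literal string as the format. If buf_printf is not already declared with a printf format attribute (in GCC, `__attribute__ ((format (printf, 2, 3)))`, matching the buffer-then-format argument order seen here), consider adding it and building with `-Wformat -Wformat-security` so the compiler flags such calls. A short comment on the changed line noting that argv[i] holds option text pushed by the server, as the commit message describes, would also keep a later cleanup from reverting to the one-argument form.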