Bug#781249: unblock (pre-approval): openconnect/6.00-2
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Dear Release Team,

I would like to upload openconnect 6.00-2 for jessie, via unstable,
which applies a minimally invasive upstream patch to fix #781240. This
bug makes 6.00-1 currently in jessie unusable for certain classes of
users. It's currently marked severity important, but I think it could be
considered borderline serious.

The debdiff for the proposed upload is included inline below. Please
consider allowing this into jessie.

Thanks for all your hard work,

--
mike
diff -Nru openconnect-6.00/debian/changelog openconnect-6.00/debian/changelog
--- openconnect-6.00/debian/changelog 2014-07-08 22:33:35.000000000 -0400
+++ openconnect-6.00/debian/changelog 2015-03-26 08:34:15.000000000 -0400
@@ -1,3 +1,10 @@
+openconnect (6.00-2) unstable; urgency=medium
+
+ * 01_fix-double-free.patch: Fix double free when PKCS#11 token does
+ not include CA certs. (Closes: #781240)
+
+ -- Mike Miller <mtmiller@debian.org> Thu, 26 Mar 2015 08:34:14 -0400
+
openconnect (6.00-1) unstable; urgency=medium
* New upstream release, upload to unstable.
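Review bot: The 6.00-2 entry describes the change only as a "double free", but the patch it ships is titled "Fix invalid/double free" and its description lists gnutls_free() on an invalid 't.data' as the first defect. Suggest wording the entry as "Fix invalid/double free when PKCS#11 token does not include CA certs" so the changelog matches what 01_fix-double-free.patch actually corrects.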
diff -Nru openconnect-6.00/debian/patches/01_fix-double-free.patch openconnect-6.00/debian/patches/01_fix-double-free.patch
--- openconnect-6.00/debian/patches/01_fix-double-free.patch 1969-12-31 19:00:00.000000000 -0500
+++ openconnect-6.00/debian/patches/01_fix-double-free.patch 2015-03-26 08:29:53.000000000 -0400
@@ -0,0 +1,39 @@
+From: Paul Donohue <git@PaulSD.com>
+Subject: Fix invalid/double free if PKCS#11 token does not include CA certs
+Origin: upstream, http://git.infradead.org/users/dwmw2/openconnect.git/commitdiff/3215c30539daf96d4ee9f358e2b6c67f8b01dfdd
+Bug-Debian: https://bugs.debian.org/781240
+
+Fix invalid/double free if PKCS#11 token does not include CA certs
+
+Commit b06b862f5 ("Include supporting certificates from PKCS#11 tokens")
+calls gnutls_free() on an invalid 't.data' value if
+gnutls_pkcs11_get_raw_issuer() returns an error, and calls
+gnutls_x509_crt_deinit() twice on 'issuer' if gnutls_x509_crt_import()
+returns an error.
+
+If the Issuer cert is not available on the PKCS#11 token,
+then gnutls_pkcs11_get_raw_issuer() fails and the call to
+gnutls_free(t.data) causes libc to print the following message then
+kill the process:
+--- a/gnutls.c
++++ b/gnutls.c
+@@ -1506,7 +1506,10 @@ static int load_certificate(struct openc
+ err = gnutls_x509_crt_import(issuer, &t, GNUTLS_X509_FMT_DER);
+ if (err)
+ gnutls_x509_crt_deinit(issuer);
++ else
++ free_issuer = 1;
+ }
++ gnutls_free(t.data);
+ }
+ if (err) {
+ vpn_progress(vpninfo, PRG_ERR,
+@@ -1517,8 +1520,6 @@ static int load_certificate(struct openc
+ vpn_progress(vpninfo, PRG_ERR,
+ _("Got next CA '%s' from PKCS11\n"), name);
+ }
+- free_issuer = 1;
+- gnutls_free(t.data);
+ }
+ #endif
+ if (err)
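Review bot: In the patch header, the sentence ending "print the following message then kill the process:" is followed directly by the "--- a/gnutls.c" line, so the libc message it promises is missing. Either restore the message from the upstream commit or trim the sentence. In the first gnutls.c hunk, the import-failure path calls gnutls_x509_crt_deinit(issuer) and leaves 'issuer' holding the stale handle, so later cleanup is safe only as long as free_issuer is still 0 at that point. The three lines of context do not show where free_issuer is initialised or reset, so it is worth confirming that against the full load_certificate() before upload. Setting issuer to NULL after the deinit would make this robust, though that goes beyond the upstream commit and may not fit a minimal unblock request.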
diff -Nru openconnect-6.00/debian/patches/series openconnect-6.00/debian/patches/series
--- openconnect-6.00/debian/patches/series 1969-12-31 19:00:00.000000000 -0500
+++ openconnect-6.00/debian/patches/series 2015-03-26 08:19:55.000000000 -0400
@@ -0,0 +1 @@
+01_fix-double-free.patch