
Bug#781249: unblock (pre-approval): openconnect/6.00-2



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Dear Release Team,

I would like to upload openconnect 6.00-2 for jessie, via unstable,
which applies a minimally invasive upstream patch to fix #781240. This
bug makes 6.00-1 currently in jessie unusable for certain classes of
users. It's currently marked severity important, but I think it could be
considered borderline serious.

The debdiff for the proposed upload is included inline below. Please
consider allowing this into jessie.

Thanks for all your hard work,

-- 
mike


diff -Nru openconnect-6.00/debian/changelog openconnect-6.00/debian/changelog
--- openconnect-6.00/debian/changelog	2014-07-08 22:33:35.000000000 -0400
+++ openconnect-6.00/debian/changelog	2015-03-26 08:34:15.000000000 -0400
@@ -1,3 +1,10 @@
+openconnect (6.00-2) unstable; urgency=medium
+
+  * 01_fix-double-free.patch: Fix double free when PKCS#11 token does
+    not include CA certs. (Closes: #781240)
+
+ -- Mike Miller <mtmiller@debian.org>  Thu, 26 Mar 2015 08:34:14 -0400
+
 openconnect (6.00-1) unstable; urgency=medium
 
   * New upstream release, upload to unstable.
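Review bot: The new 6.00-2 entry describes the change only as a "double free", while the header of 01_fix-double-free.patch lists two defects: gnutls_free() on an invalid 't.data' and a second gnutls_x509_crt_deinit() on 'issuer'. Consider wording the entry as "invalid/double free" to match the patch subject, and saying that the patch is taken from upstream so the cherry-pick is visible from the changelog alone.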
diff -Nru openconnect-6.00/debian/patches/01_fix-double-free.patch openconnect-6.00/debian/patches/01_fix-double-free.patch
--- openconnect-6.00/debian/patches/01_fix-double-free.patch	1969-12-31 19:00:00.000000000 -0500
+++ openconnect-6.00/debian/patches/01_fix-double-free.patch	2015-03-26 08:29:53.000000000 -0400
@@ -0,0 +1,39 @@
+From: Paul Donohue <git@PaulSD.com>
+Subject: Fix invalid/double free if PKCS#11 token does not include CA certs
+Origin: upstream, http://git.infradead.org/users/dwmw2/openconnect.git/commitdiff/3215c30539daf96d4ee9f358e2b6c67f8b01dfdd
+Bug-Debian: https://bugs.debian.org/781240
+
+Fix invalid/double free if PKCS#11 token does not include CA certs
+
+Commit b06b862f5 ("Include supporting certificates from PKCS#11 tokens")
+calls gnutls_free() on an invalid 't.data' value if
+gnutls_pkcs11_get_raw_issuer() returns an error, and calls
+gnutls_x509_crt_deinit() twice on 'issuer' if gnutls_x509_crt_import()
+returns an error.
+
+If the Issuer cert is not available on the PKCS#11 token,
+then gnutls_pkcs11_get_raw_issuer() fails and the call to
+gnutls_free(t.data) causes libc to print the following message then
+kill the process:
+--- a/gnutls.c
++++ b/gnutls.c
+@@ -1506,7 +1506,10 @@ static int load_certificate(struct openc
+ 						err = gnutls_x509_crt_import(issuer, &t, GNUTLS_X509_FMT_DER);
+ 						if (err)
+ 							gnutls_x509_crt_deinit(issuer);
++						else
++							free_issuer = 1;
+ 					}
++					gnutls_free(t.data);
+ 				}
+ 				if (err) {
+ 					vpn_progress(vpninfo, PRG_ERR,
+@@ -1517,8 +1520,6 @@ static int load_certificate(struct openc
+ 					vpn_progress(vpninfo, PRG_ERR,
+ 						     _("Got next CA '%s' from PKCS11\n"), name);
+ 				}
+-				free_issuer = 1;
+-				gnutls_free(t.data);
+ 			}
+ #endif
+ 			if (err)
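Review bot: The patch description ends at "causes libc to print the following message then kill the process:" and no message follows before the "--- a/gnutls.c" line; either include the libc message or end the sentence without the colon. On the code side, the first gnutls.c hunk places the new gnutls_free(t.data) after the inner closing brace, but the condition guarding the enclosing block is outside the context shown, so it should be confirmed against the full load_certificate() that this block is entered only after gnutls_pkcs11_get_raw_issuer() has succeeded and 't.data' is valid.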
diff -Nru openconnect-6.00/debian/patches/series openconnect-6.00/debian/patches/series
--- openconnect-6.00/debian/patches/series	1969-12-31 19:00:00.000000000 -0500
+++ openconnect-6.00/debian/patches/series	2015-03-26 08:19:55.000000000 -0400
@@ -0,0 +1 @@
+01_fix-double-free.patch

