--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: unblock (pre-approval): openconnect/6.00-2
- From: Mike Miller <mtmiller@debian.org>
- Date: Thu, 26 Mar 2015 09:44:53 -0400
- Message-id: <20150326134453.GA22273@xps14z.home.local>
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Dear Release Team,
I would like to upload openconnect 6.00-2 for jessie, via unstable,
which applies a minimally invasive upstream patch to fix #781240. This
bug makes 6.00-1 currently in jessie unusable for certain classes of
users. It's currently marked severity important, but I think it could be
considered borderline serious.
The debdiff for the proposed upload is included inline below. Please
consider allowing this into jessie.
Thanks for all your hard work,
--
mike
diff -Nru openconnect-6.00/debian/changelog openconnect-6.00/debian/changelog
--- openconnect-6.00/debian/changelog 2014-07-08 22:33:35.000000000 -0400
+++ openconnect-6.00/debian/changelog 2015-03-26 08:34:15.000000000 -0400
@@ -1,3 +1,10 @@
+openconnect (6.00-2) unstable; urgency=medium
+
+ * 01_fix-double-free.patch: Fix double free when PKCS#11 token does
+ not include CA certs. (Closes: #781240)
+
+ -- Mike Miller <mtmiller@debian.org> Thu, 26 Mar 2015 08:34:14 -0400
+
openconnect (6.00-1) unstable; urgency=medium
* New upstream release, upload to unstable.
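Review bot: The new 6.00-2 entry describes the fix only as a "double free", while the patch it names is titled "Fix invalid/double free" and its description points to gnutls_free() on an invalid 't.data' as the failure hit when the issuer cert is not on the token. Consider wording the entry as "Fix invalid/double free when PKCS#11 token does not include CA certs" so the changelog matches the patch header and the bug it closes.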
diff -Nru openconnect-6.00/debian/patches/01_fix-double-free.patch openconnect-6.00/debian/patches/01_fix-double-free.patch
--- openconnect-6.00/debian/patches/01_fix-double-free.patch 1969-12-31 19:00:00.000000000 -0500
+++ openconnect-6.00/debian/patches/01_fix-double-free.patch 2015-03-26 08:29:53.000000000 -0400
@@ -0,0 +1,39 @@
+From: Paul Donohue <git@PaulSD.com>
+Subject: Fix invalid/double free if PKCS#11 token does not include CA certs
+Origin: upstream, http://git.infradead.org/users/dwmw2/openconnect.git/commitdiff/3215c30539daf96d4ee9f358e2b6c67f8b01dfdd
+Bug-Debian: https://bugs.debian.org/781240
+
+Fix invalid/double free if PKCS#11 token does not include CA certs
+
+Commit b06b862f5 ("Include supporting certificates from PKCS#11 tokens")
+calls gnutls_free() on an invalid 't.data' value if
+gnutls_pkcs11_get_raw_issuer() returns an error, and calls
+gnutls_x509_crt_deinit() twice on 'issuer' if gnutls_x509_crt_import()
+returns an error.
+
+If the Issuer cert is not available on the PKCS#11 token,
+then gnutls_pkcs11_get_raw_issuer() fails and the call to
+gnutls_free(t.data) causes libc to print the following message then
+kill the process:
+--- a/gnutls.c
++++ b/gnutls.c
+@@ -1506,7 +1506,10 @@ static int load_certificate(struct openc
+ err = gnutls_x509_crt_import(issuer, &t, GNUTLS_X509_FMT_DER);
+ if (err)
+ gnutls_x509_crt_deinit(issuer);
++ else
++ free_issuer = 1;
+ }
++ gnutls_free(t.data);
+ }
+ if (err) {
+ vpn_progress(vpninfo, PRG_ERR,
+@@ -1517,8 +1520,6 @@ static int load_certificate(struct openc
+ vpn_progress(vpninfo, PRG_ERR,
+ _("Got next CA '%s' from PKCS11\n"), name);
+ }
+- free_issuer = 1;
+- gnutls_free(t.data);
+ }
+ #endif
+ if (err)
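Review bot: In the first gnutls.c hunk of the embedded patch, the relocated gnutls_free(t.data) now sits between two closing braces, and the visible context starts at gnutls_x509_crt_import(), so it is worth confirming against the full source that the outer brace closes the branch where gnutls_pkcs11_get_raw_issuer() succeeded. If it does not, the free would still run on the invalid 't.data' that the description says kills the process. Separately, the patch description ends with "causes libc to print the following message then kill the process:" and runs straight into the "--- a/gnutls.c" header, so the message it refers to is missing; either quote the libc output there or end the sentence before the reference.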
diff -Nru openconnect-6.00/debian/patches/series openconnect-6.00/debian/patches/series
--- openconnect-6.00/debian/patches/series 1969-12-31 19:00:00.000000000 -0500
+++ openconnect-6.00/debian/patches/series 2015-03-26 08:19:55.000000000 -0400
@@ -0,0 +1 @@
+01_fix-double-free.patch
--- End Message ---
--- Begin Message ---
On 2015-04-08 15:24, Mike Miller wrote:
> On Sat, Mar 28, 2015 at 16:21:11 -0400, Mike Miller wrote:
>> On Sat, Mar 28, 2015 at 08:32:53 +0100, Niels Thykier wrote:
>>> Ack, please go ahead.
>>
>> Uploaded, thanks.
>
> Ping, openconnect is ready to migrate to testing, can it be unblocked?
>
> Thanks,
>
Unblocked, thanks.
Apologies for the tardiness.
~Niels
--- End Message ---