Package: openconnect / 3.20-4

Metadata

Package: openconnect
Version: 3.20-4
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
01_man vpnc script path.patch

openconnect.8 | 6 3 + 3 - 0 !
1 file changed, 3 insertions(+), 3 deletions(-)

 patch man page to match built-in path to vpnc-script
  This is specific to the way the package is built for Debian for now,
  although a change may be proposed to upstream to generate the man page
  to match the build configuration.
02_CVE 2012 6128.patch

http.c | 163 129 + 34 - 0 !
1 file changed, 129 insertions(+), 34 deletions(-)

 http: fix overflow on http request buffers

A malicious VPN gateway can send a very long hostname/path (for redirects)
or cookie list (in general), which OpenConnect will attempt to sprintf()
into a fixed length buffer.  Each HTTP server response line can add
roughly MAX_BUF_LEN (131072) bytes to the next OpenConnect HTTP request,
but the request buffer (buf) is capped at MAX_BUF_LEN bytes and is
allocated on the stack.

The result of passing a long "Location:" header looks like:

    Attempting to connect to server 127.0.0.1:443
    SSL negotiation with localhost
    Server certificate verify failed: self signed certificate in certificate chain
    Connected to HTTPS on localhost
    GET https://localhost/
    Got HTTP response: HTTP/1.0 301 Moved
    Ignoring unknown HTTP response line 'aaaaaaaaaaaaaaaaaa'
    SSL negotiation with localhost
    Server certificate verify failed: self signed certificate in certificate chain
    Connected to HTTPS on localhost
    *** buffer overflow detected ***: /scr/openconnect2/.libs/lt-openconnect terminated
    ======= Backtrace: =========
    /lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x5c)[0x7fd62729b82c]
    /lib/x86_64-linux-gnu/libc.so.6(+0x109700)[0x7fd62729a700]
    /lib/x86_64-linux-gnu/libc.so.6(+0x108b69)[0x7fd627299b69]
    /lib/x86_64-linux-gnu/libc.so.6(_IO_default_xsputn+0xdd)[0x7fd62720d13d]
    /lib/x86_64-linux-gnu/libc.so.6(_IO_vfprintf+0x1ae7)[0x7fd6271db4a7]
    /lib/x86_64-linux-gnu/libc.so.6(__vsprintf_chk+0x94)[0x7fd627299c04]
    /lib/x86_64-linux-gnu/libc.so.6(__sprintf_chk+0x7d)[0x7fd627299b4d]
    /scr/openconnect2/.libs/libopenconnect.so.2(openconnect_obtain_cookie+0xc0)[0x7fd62832d210]
    /scr/openconnect2/.libs/lt-openconnect[0x40413f]
    /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xed)[0x7fd6271b276d]
    /scr/openconnect2/.libs/lt-openconnect[0x404579]

The proposed fix is to use dynamically allocated buffers with overflow
checking.


03_fix abuse of realloc.patch

auth.c | 4 2 + 2 - 0 !
compat.c | 2 1 + 1 - 0 !
http.c | 8 4 + 4 - 0 !
openconnect-internal.h | 8 8 + 0 - 0 !
4 files changed, 15 insertions(+), 7 deletions(-)

 fix abuse of realloc() causing memory leaks

Implement a helper which actually *does* free the original pointer on
allocation failure, as I evidently always expected it to.

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700805

Reported by: Niels Thykier <niels@thykier.net>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
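The two fixes described above, the growable overflow-checked request buffer replacing the fixed MAX_BUF_LEN stack array (02_CVE 2012 6128.patch) and a realloc() helper that frees the original pointer on allocation failure (03_fix abuse of realloc.patch), as one added C example that is not code from openconnect or from either patch. The names oc_buf, xrealloc, buf_append and request_len_for_path are assumptions, and the 200000-byte path used in the test is constructed input chosen to exceed MAX_BUF_LEN (131072).

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Growable request buffer standing in for the fixed-size stack array. */
struct oc_buf { char *data; size_t len, cap; int error; };

/* realloc() wrapper that frees the original block when growth fails, so a
   caller writing p = xrealloc(p, n) cannot leak the old block on failure. */
static void *xrealloc(void *p, size_t n)
{
    void *q = realloc(p, n);
    if (!q) free(p);
    return q;
}

/* Append formatted text: measure first, grow if needed, then write. An
   allocation failure latches b->error and later appends become no-ops. */
static void buf_append(struct oc_buf *b, const char *fmt, ...)
{
    va_list ap; int need;
    if (b->error) return;
    va_start(ap, fmt); need = vsnprintf(NULL, 0, fmt, ap); va_end(ap);
    if (need < 0) { b->error = 1; return; }
    if (b->len + (size_t)need + 1 > b->cap) {
        size_t ncap = b->cap ? b->cap : 256;
        while (ncap < b->len + (size_t)need + 1) ncap *= 2;
        b->data = xrealloc(b->data, ncap);   /* old block freed on failure */
        if (!b->data) { b->len = b->cap = 0; b->error = 1; return; }
        b->cap = ncap;
    }
    va_start(ap, fmt); vsnprintf(b->data + b->len, b->cap - b->len, fmt, ap); va_end(ap);
    b->len += (size_t)need;
}

/* Build a GET request for a path of path_len 'a' bytes (constructed input in
   place of a gateway's oversized redirect); return its length, 0 on failure. */
static size_t request_len_for_path(size_t path_len)
{
    struct oc_buf b = {0};
    char *path = malloc(path_len + 1); size_t out;
    if (!path) return 0;
    memset(path, 'a', path_len); path[path_len] = '\0';
    buf_append(&b, "GET /%s HTTP/1.1\r\n", path);
    buf_append(&b, "Host: %s\r\n\r\n", "localhost");
    out = b.error ? 0 : b.len;
    free(path); free(b.data);
    return out;
}
```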