Package: openconnect / 3.20-4
Metadata
Package | Version | Patches format |
---|---|---|
openconnect | 3.20-4 | 3.0 (quilt) |
Patch series
Patch | File delta | Description |
---|---|---|
01_man vpnc script path.patch | openconnect.8, 6 3 + 3 - 0 ! | patch man page to match built-in path to vpnc-script. This is specific to the way the package is built for Debian for now, although a change may be proposed to upstream to generate the man page to match the build configuration. |
02_CVE 2012 6128.patch | http.c, 163 129 + 34 - 0 ! | http: fix overflow on http request buffers. A malicious VPN gateway can send a very long hostname/path (for redirects) or cookie list (in general), which OpenConnect will attempt to sprintf() into a fixed length buffer. Each HTTP server response line can add roughly MAX_BUF_LEN (131072) bytes to the next OpenConnect HTTP request, but the request buffer (buf) is capped at MAX_BUF_LEN bytes and is allocated on the stack. The result of passing a long "Location:" header looks like: Attempting to connect to server 127.0.0.1:443 SSL negotiation with localhost Server certificate verify failed: self signed certificate in certificate chain Connected to HTTPS on localhost GET https://localhost/ Got HTTP response: HTTP/1.0 301 Moved Ignoring unknown HTTP response line 'aaaaaaaaaaaaaaaaaa' SSL negotiation with localhost Server certificate verify failed: self signed certificate in certificate chain Connected to HTTPS on localhost *** buffer overflow detected ***: /scr/openconnect2/.libs/lt-openconnect terminated ======= Backtrace: ========= /lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x5c)[0x7fd62729b82c] /lib/x86_64-linux-gnu/libc.so.6(+0x109700)[0x7fd62729a700] /lib/x86_64-linux-gnu/libc.so.6(+0x108b69)[0x7fd627299b69] /lib/x86_64-linux-gnu/libc.so.6(_IO_default_xsputn+0xdd)[0x7fd62720d13d] /lib/x86_64-linux-gnu/libc.so.6(_IO_vfprintf+0x1ae7)[0x7fd6271db4a7] /lib/x86_64-linux-gnu/libc.so.6(__vsprintf_chk+0x94)[0x7fd627299c04] /lib/x86_64-linux-gnu/libc.so.6(__sprintf_chk+0x7d)[0x7fd627299b4d] /scr/openconnect2/.libs/libopenconnect.so.2(openconnect_obtain_cookie+0xc0)[0x7fd62832d210] /scr/openconnect2/.libs/lt-openconnect[0x40413f] /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xed)[0x7fd6271b276d] /scr/openconnect2/.libs/lt-openconnect[0x404579] The proposed fix is to use dynamically allocated buffers with overflow checking. |
03_fix abuse of realloc.patch | auth.c, 4 2 + 2 - 0 ! | fix abuse of realloc() causing memory leaks. Implement a helper which actually *does* free the original pointer on allocation failure, as I evidently always expected it to. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700805 Reported by: Niels Thykier <niels@thykier.net> Signed-off-by: David Woodhouse <David.Woodhouse@intel.com> |
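
The two fixes described in the table (a dynamically allocated request buffer with overflow checking for patch 02, and a realloc() helper that frees the original pointer on failure for patch 03) can be sketched together. This is an added example, not code from the OpenConnect patches; `reqbuf`, `reqbuf_append`, `realloc_or_free` and `build_request` are hypothetical names, and only the `MAX_BUF_LEN` value comes from the patch description.

```c
#include <errno.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#define MAX_BUF_LEN 131072   /* cap quoted in the patch description */
struct reqbuf { char *data; size_t len, cap; int error; };  /* hypothetical */

/* Hypothetical helper: on failure the old block is freed, not leaked. */
static void *realloc_or_free(void *p, size_t n)
{
    void *q = realloc(p, n);
    if (!q)
        free(p);
    return q;
}

/* Append formatted text: measure, check the cap, grow, then write. */
static void reqbuf_append(struct reqbuf *b, const char *fmt, ...)
{
    va_list ap;
    if (b->error)            /* sticky error: later appends are no-ops */
        return;
    va_start(ap, fmt);
    int n = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    if (n < 0 || b->len + (size_t)n + 1 > MAX_BUF_LEN) {
        b->error = -E2BIG;   /* server-supplied field too long: refuse */
        return;
    }
    if (b->len + (size_t)n + 1 > b->cap) {
        b->cap = b->len + (size_t)n + 1;
        b->data = realloc_or_free(b->data, b->cap);
        if (!b->data) {
            *b = (struct reqbuf){ .error = -ENOMEM };
            return;
        }
    }
    va_start(ap, fmt);
    vsnprintf(b->data + b->len, b->cap - b->len, fmt, ap);
    va_end(ap);
    b->len += (size_t)n;
}

/* Build a request from server-influenced fields; 0 or a negative errno. */
static int build_request(struct reqbuf *b, const char *host, const char *path)
{
    reqbuf_append(b, "GET /%s HTTP/1.1\r\n", path);
    reqbuf_append(b, "Host: %s\r\n\r\n", host);
    return b->error;
}
```

The caller checks the return value once after all appends and frees `data` when done; an oversized redirect path yields `-E2BIG` instead of a write past the end of the buffer.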