Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Dear Release Team,

I would like to upload openconnect 6.00-2 for jessie, via unstable, which applies a minimally invasive upstream patch to fix #781240. This bug makes 6.00-1 currently in jessie unusable for certain classes of users. It's currently marked severity important, but I think it could be considered borderline serious.

The debdiff for the proposed upload is included inline below. Please consider allowing this into jessie.

Thanks for all your hard work,

-- mike

diff -Nru openconnect-6.00/debian/changelog openconnect-6.00/debian/changelog --- openconnect-6.00/debian/changelog 2014-07-08 22:33:35.000000000 -0400 +++ openconnect-6.00/debian/changelog 2015-03-26 08:34:15.000000000 -0400 @@ -1,3 +1,10 @@ +openconnect (6.00-2) unstable; urgency=medium + + * 01_fix-double-free.patch: Fix double free when PKCS#11 token does + not include CA certs. (Closes: #781240) + + -- Mike Miller <mtmil...@debian.org> Thu, 26 Mar 2015 08:34:14 -0400 + openconnect (6.00-1) unstable; urgency=medium * New upstream release, upload to unstable. diff -Nru openconnect-6.00/debian/patches/01_fix-double-free.patch openconnect-6.00/debian/patches/01_fix-double-free.patch --- openconnect-6.00/debian/patches/01_fix-double-free.patch 1969-12-31 19:00:00.000000000 -0500 +++ openconnect-6.00/debian/patches/01_fix-double-free.patch 2015-03-26 08:29:53.000000000 -0400 
@@ -0,0 +1,39 @@ +From: Paul Donohue <g...@paulsd.com> +Subject: Fix invalid/double free if PKCS#11 token does not include CA certs +Origin: upstream, http://git.infradead.org/users/dwmw2/openconnect.git/commitdiff/3215c30539daf96d4ee9f358e2b6c67f8b01dfdd +Bug-Debian: https://bugs.debian.org/781240 + +Fix invalid/double free if PKCS#11 token does not include CA certs + +Commit b06b862f5 ("Include supporting certificates from PKCS#11 tokens") +calls gnutls_free() on an invalid 't.data' value if +gnutls_pkcs11_get_raw_issuer() returns an error, and calls +gnutls_x509_crt_deinit() twice on 'issuer' if gnutls_x509_crt_import() +returns an error. + +If the Issuer cert is not available on the PKCS#11 token, +then gnutls_pkcs11_get_raw_issuer() fails and the call to +gnutls_free(t.data) causes libc to print the following message then +kill the process: +--- a/gnutls.c ++++ b/gnutls.c +@@ -1506,7 +1506,10 @@ static int load_certificate(struct openc + err = gnutls_x509_crt_import(issuer, &t, GNUTLS_X509_FMT_DER); + if (err) + gnutls_x509_crt_deinit(issuer); ++ else ++ free_issuer = 1; + } ++ gnutls_free(t.data); + } + if (err) { + vpn_progress(vpninfo, PRG_ERR, +@@ -1517,8 +1520,6 @@ static int load_certificate(struct openc + vpn_progress(vpninfo, PRG_ERR, + _("Got next CA '%s' from PKCS11\n"), name); + } +- free_issuer = 1; +- gnutls_free(t.data); + } + #endif + if (err) diff -Nru openconnect-6.00/debian/patches/series openconnect-6.00/debian/patches/series --- openconnect-6.00/debian/patches/series 1969-12-31 19:00:00.000000000 -0500 +++ openconnect-6.00/debian/patches/series 2015-03-26 08:19:55.000000000 -0400 @@ -0,0 +1 @@ +01_fix-double-free.patch
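
Review bot: in the debian/changelog hunk, the new entry reads "Fix double free when PKCS#11 token does not include CA certs", but the patch description ties the missing-issuer case to gnutls_free() being called on an invalid 't.data', and ties the double gnutls_x509_crt_deinit() to a failing gnutls_x509_crt_import(). Wording the entry "Fix invalid/double free", as the patch Subject does, would keep the changelog consistent with the defect it closes.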
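
Review bot: in the header of 01_fix-double-free.patch, the description ends with "causes libc to print the following message then kill the process:" and is followed directly by the "--- a/gnutls.c" line, so the message it announces is missing. Either restore that output from the upstream commit or end the sentence without the dangling reference.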
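
Review bot: in the first gnutls.c hunk (@@ -1506,7 +1506,10), the error branch still leaves 'issuer' pointing at the certificate that gnutls_x509_crt_deinit() has just released, so any later release guarded by free_issuer is safe only because the flag stays 0. Setting issuer = NULL in that branch would make the ownership explicit rather than implied by the flag. The conditions that open the two blocks closed around the new gnutls_free(t.data) lie outside the context lines, so please confirm the call is reached only after gnutls_pkcs11_get_raw_issuer() has succeeded and 't.data' is valid.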