commit: 27513d77015771f8604d9a21f388e9846c8c650a |
Author: Mike Gilbert <floppym <AT> gentoo <DOT> org> |
AuthorDate: Tue May 12 16:01:57 2020 +0000 |
Commit: Mike Gilbert <floppym <AT> gentoo <DOT> org> |
CommitDate: Tue May 12 16:02:48 2020 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=27513d77 |
|
net-vpn/openconnect: fix buffer overflow in get_cert_name |
|
Closes: https://bugs.gentoo.org/721570 |
Signed-off-by: Mike Gilbert <floppym <AT> gentoo.org> |
|
.../files/8.09-gnutls-buffer-overflow.patch | 62 ++++++++++++++++++++++ |
...nect-8.09.ebuild => openconnect-8.09-r1.ebuild} | 3 ++ |
2 files changed, 65 insertions(+) |
|
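--- /dev/null
+++ b/net-vpn/openconnect/files/8.09-gnutls-buffer-overflow.patch
@@ -0,0 +1,62 @@
+From eef4c1f9d24478aa1d2dd9ac7ec32efb2137f474 Mon Sep 17 00:00:00 2001
+From: Sergei Trofimovich <slyfox@g.o>
+Date: Fri, 8 May 2020 10:39:41 -0400
+Subject: [PATCH] gnutls: prevent buffer overflow in get_cert_name
+
+The test suite for ocserv calls openconnect with a certificate that has
+a name that is 84 bytes in length. The buffer passed to get_cert_name is
+currently 80 bytes.
+
+The gnutls_x509_crt_get_dn_by_oid function will update the buffer size
+parameter if the buffer is too small.
+
+http://man7.org/linux/man-pages/man3/gnutls_x509_crt_get_dn_by_oid.3.html
+
+RETURNS
+ GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not long
+ enough, and in that case the buf_size will be updated with the
+ required size. GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE if there are no
+ data in the current index. On success 0 is returned.
+
+Use a temporary variable to avoid clobbering the namelen variable that is
+passed to get_cert_name.
+
+Bug: https://bugs.gentoo.org/721570
+Signed-off-by: Sergei Trofimovich <slyfox@g.o>
+Signed-off-by: Mike Gilbert <floppym@g.o>
+---
+ gnutls.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/gnutls.c b/gnutls.c
+index 36bc82e0..53bf2a43 100644
+--- a/gnutls.c
++++ b/gnutls.c
+@@ -546,12 +546,19 @@ static int count_x509_certificates(gnutls_datum_t *datum)
+ 
+ static int get_cert_name(gnutls_x509_crt_t cert, char *name, size_t namelen)
+ {
++ /* When the name buffer is not big enough, gnutls_x509_crt_get_dn*() will
++ * update the length argument to the required size, and return
++ * GNUTLS_E_SHORT_MEMORY_BUFFER. We need to avoid clobbering the original
++ * length variable. */
++ size_t nl = namelen;
+ if (gnutls_x509_crt_get_dn_by_oid(cert, GNUTLS_OID_X520_COMMON_NAME,
+- 0, 0, name, &namelen) &&
+- gnutls_x509_crt_get_dn(cert, name, &namelen)) {
+- name[namelen-1] = 0;
+- snprintf(name, namelen-1, "<unknown>");
+- return -EINVAL;
++ 0, 0, name, &nl)) {
++ nl = namelen;
++ if (gnutls_x509_crt_get_dn(cert, name, &nl)) {
++ name[namelen-1] = 0;
++ snprintf(name, namelen-1, "<unknown>");
++ return -EINVAL;
++ }
+ }
+ return 0;
+ }
+--
+2.26.2
+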
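Review bot: The fallback branch still does `name[namelen-1] = 0;` with an unchecked namelen, so if a caller ever passed namelen == 0 the index would wrap to SIZE_MAX and write out of bounds; a guard at the top of get_cert_name, `if (namelen == 0) return -EINVAL;`, closes that edge. That store is also redundant once `snprintf(name, namelen-1, "<unknown>")` NUL-terminates within the smaller size, so the pair could arguably collapse to a single `snprintf(name, namelen, "<unknown>");`. When the first lookup fails with GNUTLS_E_SHORT_MEMORY_BUFFER, the full DN is presumably no shorter than the CN it contains, so the retry will fail the same way and an over-long name is reported as `<unknown>` rather than truncated; a one-line comment on `nl = namelen;` saying that is intended would help the next reader. get_cert_name is fully contained in this hunk.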
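--- a/net-vpn/openconnect/openconnect-8.09.ebuild
+++ b/net-vpn/openconnect/openconnect-8.09-r1.ebuild
@@ -78,6 +78,9 @@ src_unpack() {
 }
 
 src_prepare() {
+ local PATCHES=(
+ "${FILESDIR}"/8.09-gnutls-buffer-overflow.patch
+ )
 default
 if [[ ${PV} == 9999 ]]; then
 eautoreconf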
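Review bot: The PATCHES array is applied for every PV, yet the same src_prepare branches on `${PV} == 9999` two lines below, which suggests this body is shared with a live ebuild; a 9999 checkout that already carries the upstream fix (the patch header names commit eef4c1f9) would fail in eapply, so consider guarding it, e.g. `[[ ${PV} == 9999 ]] || local PATCHES=( "${FILESDIR}"/8.09-gnutls-buffer-overflow.patch )`. For this -r1 of 8.09 the 9999 branch is inert, so this is a maintainability point rather than a defect. src_prepare continues past the end of the hunk.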