Bug#781249: marked as done (unblock (pre-approval): openconnect/6.00-2)

[Debian Bug Tracking System]

Your message dated Wed, 08 Apr 2015 16:55:35 +0200
with message-id <55254167.9090...@thykier.net>
and subject line Re: Bug#781249: unblock (pre-approval): openconnect/6.00-2
has caused the Debian Bug report #781249,
regarding unblock (pre-approval): openconnect/6.00-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
781249: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=781249
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Dear Release Team,

I would like to upload openconnect 6.00-2 for jessie, via unstable,
which applies a minimally invasive upstream patch to fix #781240. This
bug makes 6.00-1 currently in jessie unusable for certain classes of
users. It's currently marked severity important, but I think it could be
considered borderline serious.

The debdiff for the proposed upload is included inline below. Please
consider allowing this into jessie.

Thanks for all your hard work,

-- 
mike


diff -Nru openconnect-6.00/debian/changelog openconnect-6.00/debian/changelog
--- openconnect-6.00/debian/changelog   2014-07-08 22:33:35.000000000 -0400
+++ openconnect-6.00/debian/changelog   2015-03-26 08:34:15.000000000 -0400
@@ -1,3 +1,10 @@
+openconnect (6.00-2) unstable; urgency=medium
+
+  * 01_fix-double-free.patch: Fix double free when PKCS#11 token does
+    not include CA certs. (Closes: #781240)
+
+ -- Mike Miller <mtmil...@debian.org>  Thu, 26 Mar 2015 08:34:14 -0400
+
 openconnect (6.00-1) unstable; urgency=medium
 
   * New upstream release, upload to unstable.
diff -Nru openconnect-6.00/debian/patches/01_fix-double-free.patch 
openconnect-6.00/debian/patches/01_fix-double-free.patch
--- openconnect-6.00/debian/patches/01_fix-double-free.patch    1969-12-31 
19:00:00.000000000 -0500
+++ openconnect-6.00/debian/patches/01_fix-double-free.patch    2015-03-26 
08:29:53.000000000 -0400
@@ -0,0 +1,39 @@
+From: Paul Donohue <g...@paulsd.com>
+Subject: Fix invalid/double free if PKCS#11 token does not include CA certs
+Origin: upstream, 
http://git.infradead.org/users/dwmw2/openconnect.git/commitdiff/3215c30539daf96d4ee9f358e2b6c67f8b01dfdd
+Bug-Debian: https://bugs.debian.org/781240
+
+Fix invalid/double free if PKCS#11 token does not include CA certs
+
+Commit b06b862f5 ("Include supporting certificates from PKCS#11 tokens")
+calls gnutls_free() on an invalid 't.data' value if
+gnutls_pkcs11_get_raw_issuer() returns an error, and calls
+gnutls_x509_crt_deinit() twice on 'issuer' if gnutls_x509_crt_import()
+returns an error.
+
+If the Issuer cert is not available on the PKCS#11 token,
+then gnutls_pkcs11_get_raw_issuer() fails and the call to
+gnutls_free(t.data) causes libc to print the following message then
+kill the process:
+--- a/gnutls.c
++++ b/gnutls.c
+@@ -1506,7 +1506,10 @@ static int load_certificate(struct openc
+                                               err = 
gnutls_x509_crt_import(issuer, &t, GNUTLS_X509_FMT_DER);
+                                               if (err)
+                                                       
gnutls_x509_crt_deinit(issuer);
++                                              else
++                                                      free_issuer = 1;
+                                       }
++                                      gnutls_free(t.data);
+                               }
+                               if (err) {
+                                       vpn_progress(vpninfo, PRG_ERR,
+@@ -1517,8 +1520,6 @@ static int load_certificate(struct openc
+                                       vpn_progress(vpninfo, PRG_ERR,
+                                                    _("Got next CA '%s' from 
PKCS11\n"), name);
+                               }
+-                              free_issuer = 1;
+-                              gnutls_free(t.data);
+                       }
+ #endif
+                       if (err)
diff -Nru openconnect-6.00/debian/patches/series 
openconnect-6.00/debian/patches/series
--- openconnect-6.00/debian/patches/series      1969-12-31 19:00:00.000000000 
-0500
+++ openconnect-6.00/debian/patches/series      2015-03-26 08:19:55.000000000 
-0400
@@ -0,0 +1 @@
+01_fix-double-free.patch

--- End Message ---

--- Begin Message ---

On 2015-04-08 15:24, Mike Miller wrote:
> On Sat, Mar 28, 2015 at 16:21:11 -0400, Mike Miller wrote:
>> On Sat, Mar 28, 2015 at 08:32:53 +0100, Niels Thykier wrote:
>>> Ack, please go ahead.
>>
>> Uploaded, thanks.
> 
> Ping, openconnect is ready to migrate to testing, can it be unblocked?
> 
> Thanks,
> 

Unblocked, thanks.

Apologies for the tardiness.

~Niels

--- End Message ---