Hello community,

here is the log from the commit of package openconnect for openSUSE:Leap:15.2 checked in at 2020-05-26 18:32:21
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Leap:15.2/openconnect (Old)
 and      /work/SRC/openSUSE:Leap:15.2/.openconnect.new.2738 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openconnect" Tue May 26 18:32:21 2020 rev:27 rq:808105 version:7.08 Changes: -------- --- /work/SRC/openSUSE:Leap:15.2/openconnect/openconnect.changes 2020-01-15 15:36:49.963002794 +0100 +++ /work/SRC/openSUSE:Leap:15.2/.openconnect.new.2738/openconnect.changes 2020-05-26 18:32:26.785584450 +0200 @@ -1,0 +2,6 @@ +Wed May 6 06:55:06 UTC 2020 - Jonathan Kang <[email protected]> + +- Add openconnect-CVE-2020-12105.patch: Use OpenSSL X509_check_host() + and X509_check_ip() correctly(bsc#1170452, CVE-2020-12105). + +------------------------------------------------------------------- New: ---- openconnect-CVE-2020-12105.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ openconnect.spec ++++++ --- /var/tmp/diff_new_pack.Cvirj7/_old 2020-05-26 18:32:27.241585447 +0200 +++ /var/tmp/diff_new_pack.Cvirj7/_new 2020-05-26 18:32:27.245585455 +0200 @@ -27,6 +27,8 @@ Source1: vpnc-script # PATCH-FIX-SLE openconnect-CVE-2019-16239.patch bsc#1151178, CVE-2019-16239 [email protected] -- Fix buffer overflow with chunked HTTP handling. Patch0: openconnect-CVE-2019-16239.patch +# PATCH-FIX-UPSTREAM openconnect-CVE-2020-12105.patch bsc#1170452, CVE-2020-12105 [email protected] -- Use OpenSSL X509_check_host() and X509_check_ip() correctly. +Patch1: openconnect-CVE-2020-12105.patch BuildRequires: libgnutls-devel %if 0%{?suse_version} >= 1320 BuildRequires: liblz4-devel @@ -85,6 +87,7 @@ %prep %setup -q %patch0 -p1 +%patch1 -p1 %lang_package %build ++++++ openconnect-CVE-2020-12105.patch ++++++ >From f07242df8ad6a0fb1a5b5a584ca086f1a429ee0b Mon Sep 17 00:00:00 2001 
From: Jordy Zomer <[email protected]> Date: Thu, 23 Apr 2020 13:28:12 +0200 Subject: [PATCH] Use OpenSSL X509_check_host() and X509_check_ip() correctly. These functions return 1 for a successful match, 0 for a failed match, -1 for an internal error, or -2 if the certificate is malformed. OpenConnect has been treating any value other than zero as a success, meaning that an attacker who could get a trusted CA to issue an invalid certificate (on which the ASN.1 decoder fails, for example), could use that to assume *any* identity. This is CVE-2020-12105. https://gitlab.com/openconnect/openconnect/-/merge_requests/96 Signed-off-by: Jordy Zomer <[email protected]> --- openssl.c | 4 ++-- www/changelog.xml | 1 + 2 files changed, 3 insertions(+), 2 deletions(-) Index: openconnect-7.08/openssl.c =================================================================== --- openconnect-7.08.orig/openssl.c +++ openconnect-7.08/openssl.c @@ -1394,7 +1394,7 @@ static int match_cert_hostname(struct op { char *matched = NULL; - if (ipaddrlen && X509_check_ip(peer_cert, ipaddr, ipaddrlen, 0)) { + if (ipaddrlen && X509_check_ip(peer_cert, ipaddr, ipaddrlen, 0) == 1) { if (vpninfo->verbose >= PRG_DEBUG) { char host[80]; int family; @@ -1413,7 +1413,7 @@ static int match_cert_hostname(struct op } return 0; } - if (X509_check_host(peer_cert, vpninfo->hostname, 0, 0, &matched)) { + if (X509_check_host(peer_cert, vpninfo->hostname, 0, 0, &matched) == 1) { vpn_progress(vpninfo, PRG_DEBUG, _("Matched peer certificate subject name '%s'\n"), matched);
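Review bot: the diffstat in the patch header (`openssl.c | 4 ++--`, `www/changelog.xml | 1 +`, `2 files changed`) does not match the backported patch body, which carries only the `Index: openconnect-7.08/openssl.c` hunks. Either drop the changelog line from the stat or regenerate the header, so the file in the package describes exactly what `%patch1 -p1` applies.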
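Review bot: in the first openssl.c hunk, `X509_check_ip(...) == 1` correctly stops the -1 (internal error) and -2 (malformed certificate) returns from counting as a match, but those negative values are now indistinguishable from a plain mismatch: control silently falls through to the hostname check with no diagnostic. Consider capturing the return value, e.g. `int rc = X509_check_ip(peer_cert, ipaddr, ipaddrlen, 0);` and calling `vpn_progress()` at a level above PRG_DEBUG when `rc < 0`, so an operator can tell a certificate whose SAN failed to decode from one issued for a different address.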
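Review bot: the second openssl.c hunk applies the same `== 1` fix to `X509_check_host()`, and it relies on the `char *matched = NULL;` initialiser from the first hunk, since `matched` is only assigned on a 1 return; keep that initialiser if the function is ever restructured. Both call sites now carry the bare `== 1` with no explanation in the code; a one-line comment stating that 0 is a mismatch and negative values are error or malformed certificate (as the commit message explains) would keep a later contributor from "simplifying" it back to the truthiness test that caused CVE-2020-12105.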
