Bug#781249: unblock (pre-approval): openconnect/6.00-2

2015-04-08 Thread Mike Miller
On Sat, Mar 28, 2015 at 16:21:11 -0400, Mike Miller wrote:
> On Sat, Mar 28, 2015 at 08:32:53 +0100, Niels Thykier wrote:
> > Ack, please go ahead.
>
> Uploaded, thanks.

Ping, openconnect is ready to migrate to testing, can it be unblocked?

Thanks,

-- 
mike


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#781249: unblock (pre-approval): openconnect/6.00-2

2015-03-28 Thread Mike Miller
On Sat, Mar 28, 2015 at 08:32:53 +0100, Niels Thykier wrote:
> Ack, please go ahead.

Uploaded, thanks.

-- 
mike





Bug#781249: unblock (pre-approval): openconnect/6.00-2

2015-03-28 Thread Niels Thykier
Control: tags -1 confirmed moreinfo

On 2015-03-26 14:44, Mike Miller wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
>
> Dear Release Team,
>
> I would like to upload openconnect 6.00-2 for jessie, via unstable,
> which applies a minimally invasive upstream patch to fix #781240. This
> bug makes 6.00-1 currently in jessie unusable for certain classes of
> users. It's currently marked severity important, but I think it could be
> considered borderline serious.
>
> The debdiff for the proposed upload is included inline below. Please
> consider allowing this into jessie.
>
> Thanks for all your hard work,

Ack, please go ahead.

Thanks,
~Niels





Bug#781249: unblock (pre-approval): openconnect/6.00-2

2015-03-26 Thread Mike Miller
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Dear Release Team,

I would like to upload openconnect 6.00-2 for jessie, via unstable,
which applies a minimally invasive upstream patch to fix #781240. This
bug makes 6.00-1 currently in jessie unusable for certain classes of
users. It's currently marked severity important, but I think it could be
considered borderline serious.

The debdiff for the proposed upload is included inline below. Please
consider allowing this into jessie.

Thanks for all your hard work,

-- 
mike


diff -Nru openconnect-6.00/debian/changelog openconnect-6.00/debian/changelog
--- openconnect-6.00/debian/changelog   2014-07-08 22:33:35.0 -0400
+++ openconnect-6.00/debian/changelog   2015-03-26 08:34:15.0 -0400
@@ -1,3 +1,10 @@
+openconnect (6.00-2) unstable; urgency=medium
+
+  * 01_fix-double-free.patch: Fix double free when PKCS#11 token does
+not include CA certs. (Closes: #781240)
+
+ -- Mike Miller mtmil...@debian.org  Thu, 26 Mar 2015 08:34:14 -0400
+
 openconnect (6.00-1) unstable; urgency=medium
 
   * New upstream release, upload to unstable.
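Review bot: The new changelog entry says only "Fix double free when PKCS#11 token does not include CA certs", but the patch header in this same upload attributes the missing-CA-cert crash to gnutls_free() on an invalid 't.data', and the double gnutls_x509_crt_deinit() to a failed gnutls_x509_crt_import(). Consider matching the patch subject and writing "Fix invalid/double free" so the entry covers both defects closed by #781240.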
diff -Nru openconnect-6.00/debian/patches/01_fix-double-free.patch 
openconnect-6.00/debian/patches/01_fix-double-free.patch
--- openconnect-6.00/debian/patches/01_fix-double-free.patch1969-12-31 
19:00:00.0 -0500
+++ openconnect-6.00/debian/patches/01_fix-double-free.patch2015-03-26 
08:29:53.0 -0400
@@ -0,0 +1,39 @@
+From: Paul Donohue g...@paulsd.com
+Subject: Fix invalid/double free if PKCS#11 token does not include CA certs
+Origin: upstream, 
http://git.infradead.org/users/dwmw2/openconnect.git/commitdiff/3215c30539daf96d4ee9f358e2b6c67f8b01dfdd
+Bug-Debian: https://bugs.debian.org/781240
+
+Fix invalid/double free if PKCS#11 token does not include CA certs
+
+Commit b06b862f5 (Include supporting certificates from PKCS#11 tokens)
+calls gnutls_free() on an invalid 't.data' value if
+gnutls_pkcs11_get_raw_issuer() returns an error, and calls
+gnutls_x509_crt_deinit() twice on 'issuer' if gnutls_x509_crt_import()
+returns an error.
+
+If the Issuer cert is not available on the PKCS#11 token,
+then gnutls_pkcs11_get_raw_issuer() fails and the call to
+gnutls_free(t.data) causes libc to print the following message then
+kill the process:
+--- a/gnutls.c
 b/gnutls.c
+@@ -1506,7 +1506,10 @@ static int load_certificate(struct openc
+   err = 
gnutls_x509_crt_import(issuer, t, GNUTLS_X509_FMT_DER);
+   if (err)
+   
gnutls_x509_crt_deinit(issuer);
++  else
++  free_issuer = 1;
+   }
++  gnutls_free(t.data);
+   }
+   if (err) {
+   vpn_progress(vpninfo, PRG_ERR,
+@@ -1517,8 +1520,6 @@ static int load_certificate(struct openc
+   vpn_progress(vpninfo, PRG_ERR,
+_(Got next CA '%s' from 
PKCS11\n), name);
+   }
+-  free_issuer = 1;
+-  gnutls_free(t.data);
+   }
+ #endif
+   if (err)
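Review bot: In the first hunk of the embedded gnutls.c patch, the failed-import path calls gnutls_x509_crt_deinit(issuer) and leaves 'issuer' holding the released handle, so the second deinit is avoided only if 'free_issuer' is still 0 at that point. Its initialisation is outside the quoted context and is worth confirming, or 'issuer' could be set to NULL right after the deinit. Separately, the patch description ends with "kill the process:" and no libc message follows before the "--- a/gnutls.c" line, so either restore the message or end the sentence there.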
diff -Nru openconnect-6.00/debian/patches/series 
openconnect-6.00/debian/patches/series
--- openconnect-6.00/debian/patches/series  1969-12-31 19:00:00.0 
-0500
+++ openconnect-6.00/debian/patches/series  2015-03-26 08:19:55.0 
-0400
@@ -0,0 +1 @@
+01_fix-double-free.patch

