diff options
author | Mike Gilbert <floppym@gentoo.org> | 2020-05-12 12:01:57 -0400 |
---|---|---|
committer | Mike Gilbert <floppym@gentoo.org> | 2020-05-12 12:02:48 -0400 |
commit | 27513d77015771f8604d9a21f388e9846c8c650a (patch) | |
tree | 4a7e357e817f569f48a06e9af400293dc4b491ba /net-vpn | |
parent | app-misc/go-jira: remove old (diff) | |
download | gentoo-27513d77015771f8604d9a21f388e9846c8c650a.tar.gz gentoo-27513d77015771f8604d9a21f388e9846c8c650a.tar.bz2 gentoo-27513d77015771f8604d9a21f388e9846c8c650a.zip |
net-vpn/openconnect: fix buffer overflow in get_cert_name
Closes: https://bugs.gentoo.org/721570
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
Diffstat (limited to 'net-vpn')
-rw-r--r-- | net-vpn/openconnect/files/8.09-gnutls-buffer-overflow.patch | 62 | ||||
-rw-r--r-- | net-vpn/openconnect/openconnect-8.09-r1.ebuild (renamed from net-vpn/openconnect/openconnect-8.09.ebuild) | 3 |
2 files changed, 65 insertions, 0 deletions
diff --git a/net-vpn/openconnect/files/8.09-gnutls-buffer-overflow.patch b/net-vpn/openconnect/files/8.09-gnutls-buffer-overflow.patch new file mode 100644 index 000000000000..bf8990ae3d3c --- /dev/null +++ b/net-vpn/openconnect/files/8.09-gnutls-buffer-overflow.patch @@ -0,0 +1,62 @@ +From eef4c1f9d24478aa1d2dd9ac7ec32efb2137f474 Mon Sep 17 00:00:00 2001 +From: Sergei Trofimovich <slyfox@gentoo.org> +Date: Fri, 8 May 2020 10:39:41 -0400 +Subject: [PATCH] gnutls: prevent buffer overflow in get_cert_name + +The test suite for ocserv calls openconnect with a certificate that has +a name that is 84 bytes in length. The buffer passed to get_cert_name is +currently 80 bytes. + +The gnutls_x509_crt_get_dn_by_oid function will update the buffer size +parameter if the buffer is too small. + +http://man7.org/linux/man-pages/man3/gnutls_x509_crt_get_dn_by_oid.3.html + +RETURNS + GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not long + enough, and in that case the buf_size will be updated with the + required size. GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE if there are no + data in the current index. On success 0 is returned. + +Use a temporary variable to avoid clobbering the namelen variable that is +passed to get_cert_name. + +Bug: https://bugs.gentoo.org/721570 +Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org> +Signed-off-by: Mike Gilbert <floppym@gentoo.org> +--- + gnutls.c | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +diff --git a/gnutls.c b/gnutls.c +index 36bc82e0..53bf2a43 100644 +--- a/gnutls.c ++++ b/gnutls.c +@@ -546,12 +546,19 @@ static int count_x509_certificates(gnutls_datum_t *datum) + + static int get_cert_name(gnutls_x509_crt_t cert, char *name, size_t namelen) + { ++ /* When the name buffer is not big enough, gnutls_x509_crt_get_dn*() will ++ * update the length argument to the required size, and return ++ * GNUTLS_E_SHORT_MEMORY_BUFFER. We need to avoid clobbering the original ++ * length variable. */ ++ size_t nl = namelen; + if (gnutls_x509_crt_get_dn_by_oid(cert, GNUTLS_OID_X520_COMMON_NAME, +- 0, 0, name, &namelen) && +- gnutls_x509_crt_get_dn(cert, name, &namelen)) { +- name[namelen-1] = 0; +- snprintf(name, namelen-1, "<unknown>"); +- return -EINVAL; ++ 0, 0, name, &nl)) { ++ nl = namelen; ++ if (gnutls_x509_crt_get_dn(cert, name, &nl)) { ++ name[namelen-1] = 0; ++ snprintf(name, namelen-1, "<unknown>"); ++ return -EINVAL; ++ } + } + return 0; + } +-- +2.26.2 + diff --git a/net-vpn/openconnect/openconnect-8.09.ebuild b/net-vpn/openconnect/openconnect-8.09-r1.ebuild index 5e1e96852d18..a55ca7731ca9 100644 --- a/net-vpn/openconnect/openconnect-8.09.ebuild +++ b/net-vpn/openconnect/openconnect-8.09-r1.ebuild @@ -78,6 +78,9 @@ src_unpack() { } src_prepare() { + local PATCHES=( + "${FILESDIR}"/8.09-gnutls-buffer-overflow.patch + ) default if [[ ${PV} == 9999 ]]; then eautoreconf |