Bug#781240: libopenconnect3: Double free when PKCS#11 token does not include CA certs

2015-03-26 Thread Laurent Bigonville
Package: libopenconnect3
Version: 6.00-1+b1
Severity: important
Tags: patch

Hello,

When using openconnect with my belpic card, openconnect is crashing with
a double free error.

Got no issuer from PKCS#11
*** Error in `/usr/sbin/openconnect': double free or corruption (!prev): 
0x55cc5650 ***

The attached patch (coming from upstream) fixes this issue.

Cheers,

Laurent Bigonville

-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.19.0-trunk-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_BE.utf8, LC_CTYPE=fr_BE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libopenconnect3 depends on:
ii  libc6              2.19-17
ii  libgnutls-deb0-28  3.3.8-6
ii  liboath0           2.4.1-1
ii  libp11-kit0        0.20.7-1
ii  libproxy1          0.4.11-4+b2
ii  libstoken1         0.6-1
ii  libxml2            2.9.2+dfsg1-3
ii  multiarch-support  2.19-17
ii  zlib1g             1:1.2.8.dfsg-2+b1

Versions of packages libopenconnect3 recommends:
ii  ca-certificates  20141019

libopenconnect3 suggests no packages.

-- no debconf information
diff -Nru openconnect-6.00/debian/patches/01_fix-double-free.patch openconnect-6.00/debian/patches/01_fix-double-free.patch
--- openconnect-6.00/debian/patches/01_fix-double-free.patch	1970-01-01 01:00:00.0 +0100
+++ openconnect-6.00/debian/patches/01_fix-double-free.patch	2015-03-26 12:21:02.0 +0100
@@ -0,0 +1,40 @@
+From: Paul Donohue g...@paulsd.com
+Date: Fri, 24 Oct 2014 14:58:02 + (-0400)
+Subject: Fix invalid/double free if PKCS#11 token does not include CA certs
+X-Git-Tag: v7.00~86
+X-Git-Url: http://git.infradead.org/users/dwmw2/openconnect.git/commitdiff_plain/3215c30539daf96d4ee9f358e2b6c67f8b01dfdd
+
+Fix invalid/double free if PKCS#11 token does not include CA certs
+
+Commit b06b862f5 (Include supporting certificates from PKCS#11 tokens)
+calls gnutls_free() on an invalid 't.data' value if
+gnutls_pkcs11_get_raw_issuer() returns an error, and calls
+gnutls_x509_crt_deinit() twice on 'issuer' if gnutls_x509_crt_import()
+returns an error.
+
+If the Issuer cert is not available on the PKCS#11 token,
+then gnutls_pkcs11_get_raw_issuer() fails and the call to
+gnutls_free(t.data) causes libc to print the following message then
+kill the process:
+--- a/gnutls.c
 b/gnutls.c
+@@ -1506,7 +1506,10 @@ static int load_certificate(struct openc
+ 		err = gnutls_x509_crt_import(issuer, t, GNUTLS_X509_FMT_DER);
+ 		if (err)
+ 			gnutls_x509_crt_deinit(issuer);
++		else
++			free_issuer = 1;
+ 	}
++	gnutls_free(t.data);
+ }
+ if (err) {
+ 	vpn_progress(vpninfo, PRG_ERR,
+@@ -1517,8 +1520,6 @@ static int load_certificate(struct openc
+ 	vpn_progress(vpninfo, PRG_ERR,
+ 		 _(Got next CA '%s' from PKCS11\n), name);
+ }
+-free_issuer = 1;
+-gnutls_free(t.data);
+ 			}
+ #endif
+ 			if (err)
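Review bot: before this lands, check that the attached patch file actually applies (`quilt push` against openconnect-6.00), because the hunk as attached has context that will not match the source: the inner file header reads ` b/gnutls.c` where a `+++ b/gnutls.c` line is expected, and the context line `_(Got next CA '%s' from PKCS11\n), name);` has lost the quotes around its format string. The logic of the change itself is sound: `free_issuer` is now set only on the `else` branch of the `gnutls_x509_crt_import()` check, so `issuer` is deinitialised exactly once on the import-failure path, and `gnutls_free(t.data)` moves inside the block that only runs when `gnutls_pkcs11_get_raw_issuer()` succeeded, so it is no longer called on an unset `t.data` after a failed issuer lookup. The embedded commit message also stops at `kill the process:` with the libc message it announces missing; restoring it, or adding DEP-3 `Origin:` and `Bug-Debian:` headers pointing at the upstream commit and this bug, would make the patch's provenance checkable from debian/patches alone.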
diff -Nru openconnect-6.00/debian/patches/series openconnect-6.00/debian/patches/series
--- openconnect-6.00/debian/patches/series	1970-01-01 01:00:00.0 +0100
+++ openconnect-6.00/debian/patches/series	2015-03-26 12:19:53.0 +0100
@@ -0,0 +1 @@
+01_fix-double-free.patch


Bug#781240: libopenconnect3: Double free when PKCS#11 token does not include CA certs

2015-03-26 Thread Mike Miller
On Thu, Mar 26, 2015 at 12:27:45 +0100, Laurent Bigonville wrote:
> Hello,
> 
> When using openconnect with my belpic card, openconnect is crashing with
> a double free error.
> 
> Got no issuer from PKCS#11
> *** Error in `/usr/sbin/openconnect': double free or corruption (!prev): 
> 0x55cc5650 ***
> 
> The attached patch (coming from upstream) fixes this issue.

Thanks for finding this problem and testing the patch.

I've submitted a request to the release team to allow this fix into
jessie, see #781249.

-- 
mike

