Package: libopenconnect3
Version: 6.00-1+b1
Severity: important
Tags: patch
Hello,
When using openconnect with my belpic card, openconnect is crashing with
a double free error.
Got no issuer from PKCS#11
*** Error in `/usr/sbin/openconnect': double free or corruption (!prev):
0x55cc5650 ***
The attached patch (coming from upstream) fixes this issue.
Cheers,
Laurent Bigonville
-- System Information:
Debian Release: 8.0
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.19.0-trunk-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_BE.utf8, LC_CTYPE=fr_BE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages libopenconnect3 depends on:
ii libc6 2.19-17
ii libgnutls-deb0-28 3.3.8-6
ii liboath0 2.4.1-1
ii libp11-kit0 0.20.7-1
ii libproxy1 0.4.11-4+b2
ii libstoken1 0.6-1
ii libxml2 2.9.2+dfsg1-3
ii multiarch-support 2.19-17
ii zlib1g 1:1.2.8.dfsg-2+b1
Versions of packages libopenconnect3 recommends:
ii ca-certificates 20141019
libopenconnect3 suggests no packages.
-- no debconf information
diff -Nru openconnect-6.00/debian/patches/01_fix-double-free.patch openconnect-6.00/debian/patches/01_fix-double-free.patch
--- openconnect-6.00/debian/patches/01_fix-double-free.patch 1970-01-01 01:00:00.0 +0100
+++ openconnect-6.00/debian/patches/01_fix-double-free.patch 2015-03-26 12:21:02.0 +0100
@@ -0,0 +1,40 @@
+From: Paul Donohue
+Date: Fri, 24 Oct 2014 14:58:02 + (-0400)
+Subject: Fix invalid/double free if PKCS#11 token does not include CA certs
+X-Git-Tag: v7.00~86
+X-Git-Url: http://git.infradead.org/users/dwmw2/openconnect.git/commitdiff_plain/3215c30539daf96d4ee9f358e2b6c67f8b01dfdd
+
+Fix invalid/double free if PKCS#11 token does not include CA certs
+
+Commit b06b862f5 ("Include supporting certificates from PKCS#11 tokens")
+calls gnutls_free() on an invalid 't.data' value if
+gnutls_pkcs11_get_raw_issuer() returns an error, and calls
+gnutls_x509_crt_deinit() twice on 'issuer' if gnutls_x509_crt_import()
+returns an error.
+
+If the Issuer cert is not available on the PKCS#11 token,
+then gnutls_pkcs11_get_raw_issuer() fails and the call to
+gnutls_free(t.data) causes libc to print the following message then
+kill the process:
+--- a/gnutls.c
b/gnutls.c
+@@ -1506,7 +1506,10 @@ static int load_certificate(struct openc
+ err = gnutls_x509_crt_import(issuer, &t, GNUTLS_X509_FMT_DER);
+ if (err)
+ gnutls_x509_crt_deinit(issuer);
++ else
++ free_issuer = 1;
+ }
++ gnutls_free(t.data);
+ }
+ if (err) {
+ vpn_progress(vpninfo, PRG_ERR,
+@@ -1517,8 +1520,6 @@ static int load_certificate(struct openc
+ vpn_progress(vpninfo, PRG_ERR,
+ _("Got next CA '%s' from PKCS11\n"), name);
+ }
+-free_issuer = 1;
+-gnutls_free(t.data);
+ }
+ #endif
+ if (err)
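Review bot: in the first gnutls.c hunk, the import-failure branch still leaves issuer pointing at the object just released by gnutls_x509_crt_deinit(issuer), so correctness depends on free_issuer still being unset on that path, and its initialisation is outside the lines shown. Setting issuer = NULL right after the deinit, and t.data = NULL after the new gnutls_free(t.data), would keep any later cleanup from touching either one again if the flag logic changes. Separately, as shown here the embedded file header has b/gnutls.c without its +++ marker and the description stops at "kill the process:" with no message after it, so the patch file is worth regenerating from the X-Git-Url commit before it goes into the series.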
diff -Nru openconnect-6.00/debian/patches/series openconnect-6.00/debian/patches/series
--- openconnect-6.00/debian/patches/series 1970-01-01 01:00:00.0 +0100
+++ openconnect-6.00/debian/patches/series 2015-03-26 12:19:53.0 +0100
@@ -0,0 +1 @@
+01_fix-double-free.patch
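Review bot: the debdiff ends at debian/patches/series with no debian/changelog hunk, so the upload that carries 01_fix-double-free.patch will still need a changelog entry that closes this bug.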