authorMike Gilbert <floppym@gentoo.org>2020-05-12 12:01:57 -0400
committerMike Gilbert <floppym@gentoo.org>2020-05-12 12:02:48 -0400
commit27513d77015771f8604d9a21f388e9846c8c650a (patch)
tree4a7e357e817f569f48a06e9af400293dc4b491ba
parentapp-misc/go-jira: remove old (diff)
net-vpn/openconnect: fix buffer overflow in get_cert_name
Closes: https://bugs.gentoo.org/721570 Signed-off-by: Mike Gilbert <floppym@gentoo.org>
-rw-r--r--net-vpn/openconnect/files/8.09-gnutls-buffer-overflow.patch62
-rw-r--r--net-vpn/openconnect/openconnect-8.09-r1.ebuild (renamed from net-vpn/openconnect/openconnect-8.09.ebuild)3
2 files changed, 65 insertions, 0 deletions
diff --git a/net-vpn/openconnect/files/8.09-gnutls-buffer-overflow.patch b/net-vpn/openconnect/files/8.09-gnutls-buffer-overflow.patch
new file mode 100644
index 00000000000..bf8990ae3d3
--- /dev/null
+++ b/net-vpn/openconnect/files/8.09-gnutls-buffer-overflow.patch
@@ -0,0 +1,62 @@
+From eef4c1f9d24478aa1d2dd9ac7ec32efb2137f474 Mon Sep 17 00:00:00 2001
+From: Sergei Trofimovich <slyfox@gentoo.org>
+Date: Fri, 8 May 2020 10:39:41 -0400
+Subject: [PATCH] gnutls: prevent buffer overflow in get_cert_name
+
+The test suite for ocserv calls openconnect with a certificate that has
+a name that is 84 bytes in length. The buffer passed to get_cert_name is
+currently 80 bytes.
+
+The gnutls_x509_crt_get_dn_by_oid function will update the buffer size
+parameter if the buffer is too small.
+
+http://man7.org/linux/man-pages/man3/gnutls_x509_crt_get_dn_by_oid.3.html
+
+RETURNS
+ GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not long
+ enough, and in that case the buf_size will be updated with the
+ required size. GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE if there are no
+ data in the current index. On success 0 is returned.
+
+Use a temporary variable to avoid clobbering the namelen variable that is
+passed to get_cert_name.
+
+Bug: https://bugs.gentoo.org/721570
+Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
+Signed-off-by: Mike Gilbert <floppym@gentoo.org>
+---
+ gnutls.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/gnutls.c b/gnutls.c
+index 36bc82e0..53bf2a43 100644
+--- a/gnutls.c
++++ b/gnutls.c
+@@ -546,12 +546,19 @@ static int count_x509_certificates(gnutls_datum_t *datum)
+
+ static int get_cert_name(gnutls_x509_crt_t cert, char *name, size_t namelen)
+ {
++ /* When the name buffer is not big enough, gnutls_x509_crt_get_dn*() will
++ * update the length argument to the required size, and return
++ * GNUTLS_E_SHORT_MEMORY_BUFFER. We need to avoid clobbering the original
++ * length variable. */
++ size_t nl = namelen;
+ if (gnutls_x509_crt_get_dn_by_oid(cert, GNUTLS_OID_X520_COMMON_NAME,
+- 0, 0, name, &namelen) &&
+- gnutls_x509_crt_get_dn(cert, name, &namelen)) {
+- name[namelen-1] = 0;
+- snprintf(name, namelen-1, "<unknown>");
+- return -EINVAL;
++ 0, 0, name, &nl)) {
++ nl = namelen;
++ if (gnutls_x509_crt_get_dn(cert, name, &nl)) {
++ name[namelen-1] = 0;
++ snprintf(name, namelen-1, "<unknown>");
++ return -EINVAL;
++ }
+ }
+ return 0;
+ }
+--
+2.26.2
+
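Review bot: In the patched `get_cert_name`, the failure branch still indexes `name[namelen-1]` and passes `namelen-1` to `snprintf`, so a `namelen` of 0 would index out of bounds and wrap the bound to `SIZE_MAX`. The commit message mentions only an 80-byte caller buffer, so this is presumably unreachable today, but a guard such as `if (!namelen) return -EINVAL;` at the top would make the function safe on its own. The two fallback lines can also collapse to `snprintf(name, namelen, "<unknown>");`, since snprintf already NUL-terminates within the size it is given. A certificate whose CN and DN both exceed the buffer now yields `<unknown>` and `-EINVAL` rather than a truncated name, so callers (outside this hunk) should check the return value rather than treat `name` as the certificate's identity.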
diff --git a/net-vpn/openconnect/openconnect-8.09.ebuild b/net-vpn/openconnect/openconnect-8.09-r1.ebuild
index 5e1e96852d1..a55ca7731ca 100644
--- a/net-vpn/openconnect/openconnect-8.09.ebuild
+++ b/net-vpn/openconnect/openconnect-8.09-r1.ebuild
@@ -78,6 +78,9 @@ src_unpack() {
}
src_prepare() {
+ local PATCHES=(
+ "${FILESDIR}"/8.09-gnutls-buffer-overflow.patch
+ )
default
if [[ ${PV} == 9999 ]]; then
eautoreconf