Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 457068 (CVE-2012-6128) - <net-misc/openconnect-4.08: Stack-based buffer overflow when processing certain host names, paths, or cookie lists (CVE-2012-6128)
Summary: <net-misc/openconnect-4.08: Stack-based buffer overflow when processing certa...
Status: RESOLVED FIXED
Alias: CVE-2012-6128
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B2 [glsa]
Keywords:
Depends on: 460098
Blocks:
  Show dependency tree
 
Reported: 2013-02-13 10:49 UTC by Agostino Sarubbo
Modified: 2014-05-18 12:01 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-02-13 10:49:05 UTC
From ${URL} :

A stack-based buffer overflow flaw was found in the way OpenConnect, a client for Cisco's 
"AnyConnect" VPN, performed processing of certain host names, paths, or cookie lists, received from 
the VPN gateway. A remote VPN gateway could provide a specially-crafted host name, path or cookie 
list that, when processed by the openconnect client would lead to openconnect executable crash.

Relevant upstream patch:
[1] 
http://git.infradead.org/users/dwmw2/openconnect.git/commitdiff/26f752c3dbf69227679fc6bebb4ae071aecec491

References:
[2] http://www.openwall.com/lists/oss-security/2013/02/11/9
[3] http://www.infradead.org/openconnect/changelog.html
Comment 1 Matthew Schultz 2013-02-13 15:04:15 UTC
Version bumping from openconnect-4.07-r3 to openconnect-4.99 will fix the bug.
Comment 2 Markos Chandras (RETIRED) gentoo-dev 2013-02-24 11:30:53 UTC
(In reply to comment #1)
> Version bumping from openconnect-4.07-r3 to openconnect-4.99 will fix the
> bug.

Can we get an ebuild for that?
Comment 3 Matthew Schultz 2013-02-25 13:22:56 UTC
(In reply to comment #2)
> (In reply to comment #1)
> > Version bumping from openconnect-4.07-r3 to openconnect-4.99 will fix the
> > bug.
> 
> Can we get an ebuild for that?

cp openconnect-4.07-r3.ebuild openconnect-4.99.ebuild.  No changes are necessary.
Comment 4 Agostino Sarubbo gentoo-dev 2013-02-25 13:29:08 UTC
(In reply to comment #3)
> cp openconnect-4.07-r3.ebuild openconnect-4.99.ebuild.  No changes are
> necessary.

Done.

Arches, please test and mark stable:                                                                                                                                                
=net-misc/openconnect-4.99                                                                                                                                                      
Target keywords : "amd64 x86"
Comment 5 Agostino Sarubbo gentoo-dev 2013-02-26 10:55:34 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2013-02-26 10:59:51 UTC
x86 stable
Comment 7 Markos Chandras (RETIRED) gentoo-dev 2013-03-04 19:28:08 UTC
There is a bit of misunderstanding here I believe. 4.99 is a beta release and 4.08 looks like it is newer compared to 4.99. Look at bug #460098. I believe the stabilization target should be 4.08 and not the 4.99. They did the same on the redhat bugzilla.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2013-03-04 23:07:29 UTC
CVE-2012-6128 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6128):
  Multiple stack-based buffer overflows in http.c in OpenConnect before 4.08
  allow remote VPN gateways to cause a denial of service (application crash)
  via a long (1) hostname, (2) path, or (3) cookie list in a response.
Comment 9 Pacho Ramos gentoo-dev 2013-03-08 19:38:04 UTC
(In reply to comment #7)
> There is a bit of misunderstanding here I believe. 4.99 is a beta release
> and 4.08 looks like it is newer compared to 4.99. Look at bug #460098. I
> believe the stabilization target should be 4.08 and not the 4.99. They did
> the same on the redhat bugzilla.

OK to proceed? (ask for 4.08 stabilization and hardmask or remove (please tell what is the way to go) 4.99)
Comment 10 Pacho Ramos gentoo-dev 2013-03-25 10:34:14 UTC
(In reply to comment #9)
> (In reply to comment #7)
> > There is a bit of misunderstanding here I believe. 4.99 is a beta release
> > and 4.08 looks like it is newer compared to 4.99. Look at bug #460098. I
> > believe the stabilization target should be 4.08 and not the 4.99. They did
> > the same on the redhat bugzilla.
> 
> OK to proceed? (ask for 4.08 stabilization and hardmask or remove (please
> tell what is the way to go) 4.99)

ping! I think we should readd arches to stabilize 4.08 and, then, drop 4.99 entirely
Comment 11 Matthew Schultz 2013-03-25 12:36:48 UTC
(In reply to comment #10)
> (In reply to comment #9)
> > (In reply to comment #7)
> > > There is a bit of misunderstanding here I believe. 4.99 is a beta release
> > > and 4.08 looks like it is newer compared to 4.99. Look at bug #460098. I
> > > believe the stabilization target should be 4.08 and not the 4.99. They did
> > > the same on the redhat bugzilla.
> > 
> > OK to proceed? (ask for 4.08 stabilization and hardmask or remove (please
> > tell what is the way to go) 4.99)
> 
> ping! I think we should readd arches to stabilize 4.08 and, then, drop 4.99
> entirely

ok by me
Comment 12 Sean Amoss gentoo-dev Security 2013-03-26 00:34:05 UTC
(In reply to comment #11)
> (In reply to comment #10)
> > (In reply to comment #9)
> > > (In reply to comment #7)
> > > > There is a bit of misunderstanding here I believe. 4.99 is a beta release
> > > > and 4.08 looks like it is newer compared to 4.99. Look at bug #460098. I
> > > > believe the stabilization target should be 4.08 and not the 4.99. They did
> > > > the same on the redhat bugzilla.
> > > 
> > > OK to proceed? (ask for 4.08 stabilization and hardmask or remove (please
> > > tell what is the way to go) 4.99)
> > 
> > ping! I think we should readd arches to stabilize 4.08 and, then, drop 4.99
> > entirely
> 
> ok by me

Good by us. Lets go!

Arches, please test and mark stable:                                                                                                                                                
=net-misc/openconnect-4.08                                                                                                                                                   
Target KEYWORDS: "amd64 x86"
Comment 13 Agostino Sarubbo gentoo-dev 2013-03-26 12:02:54 UTC
x86 stable
Comment 14 Agostino Sarubbo gentoo-dev 2013-03-26 12:03:05 UTC
amd64 stable
Comment 15 Agostino Sarubbo gentoo-dev 2013-03-26 12:03:59 UTC
removal done
Comment 16 Sean Amoss gentoo-dev Security 2013-04-08 22:06:52 UTC
New GLSA drafted.
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2014-05-18 12:01:29 UTC
This issue was resolved and addressed in
 GLSA 201405-18 at http://security.gentoo.org/glsa/glsa-201405-18.xml
by GLSA coordinator Sean Amoss (ackle).