From ${URL} :

A stack-based buffer overflow flaw was found in the way OpenConnect, a client for Cisco's "AnyConnect" VPN, performed processing of certain host names, paths, or cookie lists received from the VPN gateway. A remote VPN gateway could provide a specially-crafted host name, path or cookie list that, when processed by the openconnect client, would lead to an openconnect executable crash.

Relevant upstream patch:
[1] http://git.infradead.org/users/dwmw2/openconnect.git/commitdiff/26f752c3dbf69227679fc6bebb4ae071aecec491

References:
[2] http://www.openwall.com/lists/oss-security/2013/02/11/9
[3] http://www.infradead.org/openconnect/changelog.html

Version bumping from openconnect-4.07-r3 to openconnect-4.99 will fix the bug.
(In reply to comment #1)
> Version bumping from openconnect-4.07-r3 to openconnect-4.99 will fix the
> bug.

Can we get an ebuild for that?

(In reply to comment #2)
> (In reply to comment #1)
> > Version bumping from openconnect-4.07-r3 to openconnect-4.99 will fix the
> > bug.
>
> Can we get an ebuild for that?

cp openconnect-4.07-r3.ebuild openconnect-4.99.ebuild. No changes are necessary.

(In reply to comment #3)
> cp openconnect-4.07-r3.ebuild openconnect-4.99.ebuild. No changes are
> necessary.

Done.

Arches, please test and mark stable:
=net-misc/openconnect-4.99
Target keywords : "amd64 x86"

amd64 stable
x86 stable
There is a bit of a misunderstanding here, I believe. 4.99 is a beta release and 4.08 looks like it is newer compared to 4.99. Look at bug #460098. I believe the stabilization target should be 4.08 and not 4.99. They did the same on the Red Hat Bugzilla.
CVE-2012-6128 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6128): Multiple stack-based buffer overflows in http.c in OpenConnect before 4.08 allow remote VPN gateways to cause a denial of service (application crash) via a long (1) hostname, (2) path, or (3) cookie list in a response.
(In reply to comment #7)
> There is a bit of misunderstanding here I believe. 4.99 is a beta release
> and 4.08 looks like it is newer compared to 4.99. Look at bug #460098. I
> believe the stabilization target should be 4.08 and not the 4.99. They did
> the same on the redhat bugzilla.

OK to proceed? (ask for 4.08 stabilization and hardmask or remove (please tell what is the way to go) 4.99)

(In reply to comment #9)
> (In reply to comment #7)
> > There is a bit of misunderstanding here I believe. 4.99 is a beta release
> > and 4.08 looks like it is newer compared to 4.99. Look at bug #460098. I
> > believe the stabilization target should be 4.08 and not the 4.99. They did
> > the same on the redhat bugzilla.
>
> OK to proceed? (ask for 4.08 stabilization and hardmask or remove (please
> tell what is the way to go) 4.99)

ping! I think we should re-add arches to stabilize 4.08 and, then, drop 4.99 entirely

(In reply to comment #10)
> (In reply to comment #9)
> > (In reply to comment #7)
> > > There is a bit of misunderstanding here I believe. 4.99 is a beta release
> > > and 4.08 looks like it is newer compared to 4.99. Look at bug #460098. I
> > > believe the stabilization target should be 4.08 and not the 4.99. They did
> > > the same on the redhat bugzilla.
> >
> > OK to proceed? (ask for 4.08 stabilization and hardmask or remove (please
> > tell what is the way to go) 4.99)
>
> ping! I think we should readd arches to stabilize 4.08 and, then, drop 4.99
> entirely

ok by me

(In reply to comment #11)
> (In reply to comment #10)
> > (In reply to comment #9)
> > > (In reply to comment #7)
> > > > There is a bit of misunderstanding here I believe. 4.99 is a beta release
> > > > and 4.08 looks like it is newer compared to 4.99. Look at bug #460098. I
> > > > believe the stabilization target should be 4.08 and not the 4.99. They did
> > > > the same on the redhat bugzilla.
> > >
> > > OK to proceed? (ask for 4.08 stabilization and hardmask or remove (please
> > > tell what is the way to go) 4.99)
> >
> > ping! I think we should readd arches to stabilize 4.08 and, then, drop 4.99
> > entirely
>
> ok by me

Good by us. Let's go!

Arches, please test and mark stable:
=net-misc/openconnect-4.08
Target KEYWORDS: "amd64 x86"

removal done
New GLSA drafted.
This issue was resolved and addressed in GLSA 201405-18 at http://security.gentoo.org/glsa/glsa-201405-18.xml by GLSA coordinator Sean Amoss (ackle).