net-vpn/openconnect: fix buffer overflow in get_cert_name

Closes: https://bugs.gentoo.org/721570
Signed-off-by: Mike Gilbert <floppym@gentoo.org>

diff --git a/net-vpn/openconnect/files/8.09-gnutls-buffer-overflow.patch b/net-vpn/openconnect/files/8.09-gnutls-buffer-overflow.patch
new file mode 100644 (file)
index 0000000..bf8990a
--- /dev/null
+++ b/net-vpn/openconnect/files/8.09-gnutls-buffer-overflow.patch
@@ -0,0 +1,62 @@
+From eef4c1f9d24478aa1d2dd9ac7ec32efb2137f474 Mon Sep 17 00:00:00 2001
+From: Sergei Trofimovich <slyfox@gentoo.org>
+Date: Fri, 8 May 2020 10:39:41 -0400
+Subject: [PATCH] gnutls: prevent buffer overflow in get_cert_name
+
+The test suite for ocserv calls openconnect with a certificate that has
+a name that is 84 bytes in length. The buffer passed to get_cert_name is
+currently 80 bytes.
+
+The gnutls_x509_crt_get_dn_by_oid function will update the buffer size
+parameter if the buffer is too small.
+
+http://man7.org/linux/man-pages/man3/gnutls_x509_crt_get_dn_by_oid.3.html
+
+RETURNS
+       GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not long
+       enough, and in that case the  buf_size will be updated with the
+       required size. GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE if there are no
+       data in the current index. On success 0 is returned.
+
+Use a temporary variable to avoid clobbering the namelen variable that is
+passed to get_cert_name.
+
+Bug: https://bugs.gentoo.org/721570
+Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
+Signed-off-by: Mike Gilbert <floppym@gentoo.org>
+---
+ gnutls.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/gnutls.c b/gnutls.c
+index 36bc82e0..53bf2a43 100644
+--- a/gnutls.c
++++ b/gnutls.c
+@@ -546,12 +546,19 @@ static int count_x509_certificates(gnutls_datum_t *datum)
+ 
+ static int get_cert_name(gnutls_x509_crt_t cert, char *name, size_t namelen)
+ {
++      /* When the name buffer is not big enough, gnutls_x509_crt_get_dn*() will
++       * update the length argument to the required size, and return
++       * GNUTLS_E_SHORT_MEMORY_BUFFER. We need to avoid clobbering the original
++       * length variable. */
++      size_t nl = namelen;
+       if (gnutls_x509_crt_get_dn_by_oid(cert, GNUTLS_OID_X520_COMMON_NAME,
+-                                        0, 0, name, &namelen) &&
+-          gnutls_x509_crt_get_dn(cert, name, &namelen)) {
+-              name[namelen-1] = 0;
+-              snprintf(name, namelen-1, "<unknown>");
+-              return -EINVAL;
++                                        0, 0, name, &nl)) {
++              nl = namelen;
++              if (gnutls_x509_crt_get_dn(cert, name, &nl)) {
++                      name[namelen-1] = 0;
++                      snprintf(name, namelen-1, "<unknown>");
++                      return -EINVAL;
++              }
+       }
+       return 0;
+ }
+-- 
+2.26.2
+

diff --git a/net-vpn/openconnect/openconnect-8.09.ebuild b/net-vpn/openconnect/openconnect-8.09-r1.ebuild
similarity index 97%
rename from net-vpn/openconnect/openconnect-8.09.ebuild
rename to net-vpn/openconnect/openconnect-8.09-r1.ebuild
index 5e1e96852d187e4d1c592a9b494541e4a3962783..a55ca7731ca912b4c54f285c2a658d40c3280318 100644 (file)
--- a/net-vpn/openconnect/openconnect-8.09.ebuild
+++ b/net-vpn/openconnect/openconnect-8.09-r1.ebuild
@@ -78,6 +78,9 @@ src_unpack() {
 }
 
 src_prepare() {
+       local PATCHES=(
+               "${FILESDIR}"/8.09-gnutls-buffer-overflow.patch
+       )
        default
        if [[ ${PV} == 9999 ]]; then
                eautoreconf