Version in base suite: 8.02-1
Base version: openconnect_8.02-1
Target version: openconnect_8.02-1+deb10u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/o/openconnect/openconnect_8.02-1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/o/openconnect/openconnect_8.02-1+deb10u1.dsc
 changelog | 9
 patches/Close-HTTPS-connection-on-failure-returns-from-proce.patch | 110 ++++++++++
 patches/Fix-buffer-overflow-with-chunked-HTTP-handling-CVE-2.patch | 61 +++++
 patches/series | 2
 4 files changed, 182 insertions(+)
diff -Nru openconnect-8.02/debian/changelog openconnect-8.02/debian/changelog
--- openconnect-8.02/debian/changelog 2019-01-26 07:11:38.000000000 +0000
+++ openconnect-8.02/debian/changelog 2020-01-18 23:05:50.000000000 +0000
@@ -1,3 +1,12 @@
+openconnect (8.02-1+deb10u1) buster-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Close HTTPS connection on failure returns from process_http_response()
+ * Fix buffer overflow with chunked HTTP handling (CVE-2019-16239)
+ (Closes: #940871)
+
+ -- Salvatore Bonaccorso Sun, 19 Jan 2020 00:05:50 +0100
+
 openconnect (8.02-1) unstable; urgency=medium
 [ Mike Miller ]
diff -Nru openconnect-8.02/debian/patches/Close-HTTPS-connection-on-failure-returns-from-proce.patch openconnect-8.02/debian/patches/Close-HTTPS-connection-on-failure-returns-from-proce.patch
--- openconnect-8.02/debian/patches/Close-HTTPS-connection-on-failure-returns-from-proce.patch 1970-01-01 00:00:00.000000000 +0000
+++ openconnect-8.02/debian/patches/Close-HTTPS-connection-on-failure-returns-from-proce.patch 2020-01-18 23:05:50.000000000 +0000
@@ -0,0 +1,110 @@
+From: David Woodhouse
+Date: Tue, 10 Sep 2019 17:10:23 +0100
+Subject: Close HTTPS connection on failure returns from
+ process_http_response()
+Origin: https://github.com/openconnect/openconnect/commit/51c1590fb93399d82a7c118f2f05cf5b6c27d3e4
+
+If we've failed to process the response, don't leave the connection open.
+
+Signed-off-by: David Woodhouse
+---
+ http.c | 24 +++++++++++++++++++-----
+ 1 file changed, 19 insertions(+), 5 deletions(-)
+
+diff --git a/http.c b/http.c
+index bca744816a77..51f6e7c27d54 100644
+--- a/http.c
++++ b/http.c
+@@ -435,6 +435,7 @@ int process_http_response(struct openconnect_info *vpninfo, int connect,
+ if (!equals) {
+ vpn_progress(vpninfo, PRG_ERR,
+ _("Invalid cookie offered: %s\n"), buf);
++ openconnect_close_https(vpninfo, 0);
+ return -EINVAL;
+ }
+ *(equals++) = 0;
+@@ -456,8 +457,10 @@ int process_http_response(struct openconnect_info *vpninfo, int connect,
+ _("SSL certificate authentication failed\n"));
+
+ ret = http_add_cookie(vpninfo, colon, equals, 1);
+- if (ret)
++ if (ret) {
++ openconnect_close_https(vpninfo, 0);
+ return ret;
++ }
+ } else {
+ vpn_progress(vpninfo, PRG_DEBUG, "%s: %s\n", buf, colon);
+ }
+@@ -477,8 +480,10 @@ int process_http_response(struct openconnect_info *vpninfo, int connect,
+ }
+ if (!strcasecmp(buf, "Location")) {
+ vpninfo->redirect_url = strdup(colon);
+- if (!vpninfo->redirect_url)
++ if (!vpninfo->redirect_url) {
++ openconnect_close_https(vpninfo, 0);
+ return -ENOMEM;
++ }
+ }
+ if (!strcasecmp(buf, "Content-Length")) {
+ bodylen = atoi(colon);
+@@ -521,8 +526,10 @@ int process_http_response(struct openconnect_info *vpninfo, int connect,
+
+ /* If we were given Content-Length, it's nice and easy... */
+ if (bodylen > 0) {
+- if (buf_ensure_space(body, bodylen + 1))
++ if (buf_ensure_space(body, bodylen + 1)) {
++ openconnect_close_https(vpninfo, 0);
+ return buf_error(body);
++ }
+
+ while (body->pos < bodylen) {
+ i = vpninfo->ssl_read(vpninfo, body->data + body->pos, bodylen - body->pos);
+@@ -542,6 +549,7 @@ int process_http_response(struct openconnect_info *vpninfo, int connect,
+ if (i < 0) {
+ vpn_progress(vpninfo, PRG_ERR,
+ _("Error fetching chunk header\n"));
++ openconnect_close_https(vpninfo, 0);
+ return i;
+ }
+ chunklen = strtol(buf, NULL, 16);
+@@ -549,13 +557,16 @@ int process_http_response(struct openconnect_info *vpninfo, int connect,
+ lastchunk = 1;
+ goto skip;
+ }
+- if (buf_ensure_space(body, chunklen + 1))
++ if (buf_ensure_space(body, chunklen + 1)) {
++ openconnect_close_https(vpninfo, 0);
+ return buf_error(body);
++ }
+ while (chunklen) {
+ i = vpninfo->ssl_read(vpninfo, body->data + body->pos, chunklen);
+ if (i < 0) {
+ vpn_progress(vpninfo, PRG_ERR,
+ _("Error reading HTTP response body\n"));
++ openconnect_close_https(vpninfo, 0);
+ return -EINVAL;
+ }
+ chunklen -= i;
+@@ -571,6 +582,7 @@ int process_http_response(struct openconnect_info *vpninfo, int connect,
+ _("Error in chunked decoding. Expected '', got: '%s'"),
+ buf);
+ }
++ openconnect_close_https(vpninfo, 0);
+ return -EINVAL;
+ }
+
+@@ -587,8 +599,10 @@ int process_http_response(struct openconnect_info *vpninfo, int connect,
+
+ /* HTTP 1.0 response. Just eat all we can in 4KiB chunks */
+ while (1) {
+- if (buf_ensure_space(body, 4096 + 1))
++ if (buf_ensure_space(body, 4096 + 1)) {
++ openconnect_close_https(vpninfo, 0);
+ return buf_error(body);
++ }
+ i = vpninfo->ssl_read(vpninfo, body->data + body->pos, 4096);
+ if (i < 0) {
+ /* Error */
+--
+2.25.0
+
diff -Nru openconnect-8.02/debian/patches/Fix-buffer-overflow-with-chunked-HTTP-handling-CVE-2.patch openconnect-8.02/debian/patches/Fix-buffer-overflow-with-chunked-HTTP-handling-CVE-2.patch
--- openconnect-8.02/debian/patches/Fix-buffer-overflow-with-chunked-HTTP-handling-CVE-2.patch 1970-01-01 00:00:00.000000000 +0000
+++ openconnect-8.02/debian/patches/Fix-buffer-overflow-with-chunked-HTTP-handling-CVE-2.patch 2020-01-18 23:05:50.000000000 +0000
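Review bot: The fix is applied as ten separate `openconnect_close_https(vpninfo, 0); return ...;` pairs scattered through process_http_response(), so any error return the author did not touch, and any added later, leaves the HTTPS connection open again; the follow-up CVE-2019-16239 patch in this same upload already has to add two more such pairs. A single error exit would make the invariant structural: replace each pair with `ret = -EINVAL; goto err;` (or the relevant code) and end the function with `err: openconnect_close_https(vpninfo, 0); return ret;`. Separately, `bodylen = atoi(colon);` in the Content-Length hunk still parses a server-supplied header with no range or error check; if BODY_CHUNKED is a negative sentinel (its definition is outside this hunk), a negative Content-Length would be mis-read as chunked encoding, so `strtol` with an end-pointer and `bodylen < 0` check would be safer. The body of process_http_response() starts and ends outside the hunk, and the ssl_read error handling inside the Content-Length loop falls between hunks, so whether that path closes the connection cannot be seen here.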
@@ -0,0 +1,61 @@
+From: David Woodhouse
+Date: Tue, 10 Sep 2019 17:30:12 +0100
+Subject: Fix buffer overflow with chunked HTTP handling (CVE-2019-16239)
+Origin: https://github.com/openconnect/openconnect/commit/875f0a65ab73f4fb581ca870fd3a901bd278f8e8
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-16239
+Bug-Debian: https://bugs.debian.org/940871
+
+Over a decade ago, I was vocally sad about the fact that I needed to
+implement HTTP client code for myself because none of the available
+options at the time gave me sufficient control over the underlying
+TLS connection.
+
+This is why. A malicious HTTP server (after we have accepted its
+identity certificate) can provide bogus chunk lengths for chunked
+HTTP encoding and cause a heap overflow.
+
+Reported by Lukas Kupczyk of the Advanced Research Team at CrowdStrike
+Intelligence.
+
+Signed-off-by: David Woodhouse
+---
+ http.c | 15 ++++++++++++++-
+ www/changelog.xml | 1 +
+ 2 files changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/http.c b/http.c
+index 51f6e7c27d54..dc223580f462 100644
+--- a/http.c
++++ b/http.c
+@@ -544,7 +544,8 @@ int process_http_response(struct openconnect_info *vpninfo, int connect,
+ } else if (bodylen == BODY_CHUNKED) {
+ /* ... else, chunked */
+ while ((i = vpninfo->ssl_gets(vpninfo, buf, sizeof(buf)))) {
+- int chunklen, lastchunk = 0;
++ int lastchunk = 0;
++ long chunklen;
+
+ if (i < 0) {
+ vpn_progress(vpninfo, PRG_ERR,
+@@ -557,6 +558,18 @@ int process_http_response(struct openconnect_info *vpninfo, int connect,
+ lastchunk = 1;
+ goto skip;
+ }
++ if (chunklen < 0) {
++ vpn_progress(vpninfo, PRG_ERR,
++ _("HTTP chunk length is negative (%ld)\n"), chunklen);
++ openconnect_close_https(vpninfo, 0);
++ return -EINVAL;
++ }
++ if (chunklen >= INT_MAX) {
++ vpn_progress(vpninfo, PRG_ERR,
++ _("HTTP chunk length is too large (%ld)\n"), chunklen);
++ openconnect_close_https(vpninfo, 0);
++ return -EINVAL;
++ }
+ if (buf_ensure_space(body, chunklen + 1)) {
+ openconnect_close_https(vpninfo, 0);
+ return buf_error(body);
+--
+2.25.0
+
diff -Nru openconnect-8.02/debian/patches/series openconnect-8.02/debian/patches/series
--- openconnect-8.02/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ openconnect-8.02/debian/patches/series 2020-01-18 23:05:50.000000000 +0000
@@ -0,0 +1,2 @@
+Close-HTTPS-connection-on-failure-returns-from-proce.patch
+Fix-buffer-overflow-with-chunked-HTTP-handling-CVE-2.patch
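Review bot: `chunklen = strtol(buf, NULL, 16);` still discards the end pointer, so a chunk-size line that is not hexadecimal at all parses as 0 and is silently treated as the terminating chunk by the `if (!chunklen)` branch just above the new checks, ending the body early with no error reported. Pass an end pointer and reject the line when nothing was consumed: `char *end; chunklen = strtol(buf, &end, 16); if (end == buf) { /* log, openconnect_close_https(vpninfo, 0), return -EINVAL */ }` (chunk extensions after `;` stay acceptable, since only the leading digits are parsed). The new `chunklen < 0` and `chunklen >= INT_MAX` checks do bound the value before `buf_ensure_space(body, chunklen + 1)`, and the `>= INT_MAX` test also catches the LONG_MAX that strtol returns on ERANGE (by magnitude with 64-bit long, and because LONG_MAX == INT_MAX with 32-bit long); `INT_MAX` needs `<limits.h>`, which I assume http.c already includes, as the include block is not in this hunk. The enclosing while loop and the `skip:` label it jumps to lie outside the hunk.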