File openconnect-CVE-2020-12105.patch of Package openconnect.15517

From f07242df8ad6a0fb1a5b5a584ca086f1a429ee0b Mon Sep 17 00:00:00 2001
From: Jordy Zomer <jordy@simplyhacker.com>
Date: Thu, 23 Apr 2020 13:28:12 +0200
Subject: [PATCH] Use OpenSSL X509_check_host() and X509_check_ip() correctly.

These functions return 1 for a successful match, 0 for a failed match,
-1 for an internal error, or -2 if the certificate is malformed.

OpenConnect has been treating any value other than zero as a success,
meaning that an attacker who could get a trusted CA to issue an invalid
certificate (on which the ASN.1 decoder fails, for example), could use
that to assume *any* identity.

This is CVE-2020-12105.

https://gitlab.com/openconnect/openconnect/-/merge_requests/96

Signed-off-by: Jordy Zomer <jordy@simplyhacker.com>
---
 openssl.c         | 4 ++--
 www/changelog.xml | 1 +
 2 files changed, 3 insertions(+), 2 deletions(-)

Index: openconnect-7.08/openssl.c
===================================================================
--- openconnect-7.08.orig/openssl.c
+++ openconnect-7.08/openssl.c
@@ -1394,7 +1394,7 @@ static int match_cert_hostname(struct op
 {
 	char *matched = NULL;
 
-	if (ipaddrlen && X509_check_ip(peer_cert, ipaddr, ipaddrlen, 0)) {
+	if (ipaddrlen && X509_check_ip(peer_cert, ipaddr, ipaddrlen, 0) == 1) {
 		if (vpninfo->verbose >= PRG_DEBUG) {
 			char host[80];
 			int family;
@@ -1413,7 +1413,7 @@ static int match_cert_hostname(struct op
 		}
 		return 0;
 	}
-	if (X509_check_host(peer_cert, vpninfo->hostname, 0, 0, &matched)) {
+	if (X509_check_host(peer_cert, vpninfo->hostname, 0, 0, &matched) == 1) {
 		vpn_progress(vpninfo, PRG_DEBUG,
 			     _("Matched peer certificate subject name '%s'\n"),
 			     matched);
openSUSE Build Service is sponsored by