From f07242df8ad6a0fb1a5b5a584ca086f1a429ee0b Mon Sep 17 00:00:00 2001
From: Jordy Zomer <jordy@simplyhacker.com>
Date: Thu, 23 Apr 2020 13:28:12 +0200
Subject: [PATCH] Use OpenSSL X509_check_host() and X509_check_ip() correctly.
These functions return 1 for a successful match, 0 for a failed match,
-1 for an internal error, or -2 if the certificate is malformed.
OpenConnect has been treating any value other than zero as a success,
meaning that an attacker who could get a trusted CA to issue an invalid
certificate (on which the ASN.1 decoder fails, for example), could use
that to assume *any* identity.
This is CVE-2020-12105.
https://gitlab.com/openconnect/openconnect/-/merge_requests/96
Signed-off-by: Jordy Zomer <jordy@simplyhacker.com>
---
openssl.c | 4 ++--
www/changelog.xml | 1 +
2 files changed, 3 insertions(+), 2 deletions(-)
Index: openconnect-7.08/openssl.c
===================================================================
--- openconnect-7.08.orig/openssl.c
+++ openconnect-7.08/openssl.c
@@ -1394,7 +1394,7 @@ static int match_cert_hostname(struct op
{
char *matched = NULL;
- if (ipaddrlen && X509_check_ip(peer_cert, ipaddr, ipaddrlen, 0)) {
+ if (ipaddrlen && X509_check_ip(peer_cert, ipaddr, ipaddrlen, 0) == 1) {
if (vpninfo->verbose >= PRG_DEBUG) {
char host[80];
int family;
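Review bot: On the changed X509_check_ip() line, a -1 (internal error) or -2 (malformed certificate) return now takes the same silent path as an ordinary mismatch, so a certificate that OpenSSL cannot even parse is reported exactly like one whose SAN simply does not match, which makes the failure hard to diagnose from the log. Capturing the result first, `int ret = ipaddrlen ? X509_check_ip(peer_cert, ipaddr, ipaddrlen, 0) : 0;`, logging the error case with `if (ret < 0) vpn_progress(vpninfo, PRG_ERR, _("X509_check_ip() failed with %d\n"), ret);` and then testing `if (ret == 1) {` keeps the new hardening while leaving the cause visible. The X509_check_host() line in the second hunk has the same gap and would take the same treatment. match_cert_hostname() starts before this hunk and its body continues past both hunks, so what the mismatch path eventually reports is not visible here.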
@@ -1413,7 +1413,7 @@ static int match_cert_hostname(struct op
}
return 0;
}
- if (X509_check_host(peer_cert, vpninfo->hostname, 0, 0, &matched)) {
+ if (X509_check_host(peer_cert, vpninfo->hostname, 0, 0, &matched) == 1) {
vpn_progress(vpninfo, PRG_DEBUG,
_("Matched peer certificate subject name '%s'\n"),
matched);