Red Hat Bugzilla – Full Text Bug Listing
|Summary:||CVE-2012-6128 openconnect: Stack-based buffer overflow when processing certain host names, paths, or cookie lists|
|Product:||[Other] Security Response||Reporter:||Jan Lieskovsky <jlieskov>|
|Component:||vulnerability||Assignee:||Red Hat Product Security <security-response-team>|
|Status:||CLOSED CURRENTRELEASE||QA Contact:|
|Fixed In Version:||OpenConnect 4.99||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|Last Closed:||2014-12-08 11:19:01 EST||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Bug Depends On:||910331, 910333|
Description Jan Lieskovsky 2013-02-12 06:03:04 EST
A stack-based buffer overflow flaw was found in the way OpenConnect, a client for Cisco's "AnyConnect" VPN, performed processing of certain host names, paths, or cookie lists, received from the VPN gateway. A remote VPN gateway could provide a specially-crafted host name, path or cookie list that, when processed by the openconnect client would lead to openconnect executable crash. Relevant upstream patch:  http://git.infradead.org/users/dwmw2/openconnect.git/commitdiff/26f752c3dbf69227679fc6bebb4ae071aecec491 References:  http://www.openwall.com/lists/oss-security/2013/02/11/9  http://www.infradead.org/openconnect/changelog.html
Comment 1 Jan Lieskovsky 2013-02-12 06:05:32 EST
This issue affects the versions of the openconnect package, as shipped with Fedora release of 17 and 18. Please schedule an update. -- This issue affects the versions of the openconnect package, as shipped with Fedora EPEL 5 and Fedora EPEL 6. Please schedule an update.
Comment 2 Jan Lieskovsky 2013-02-12 06:06:55 EST
Created openconnect tracking bugs for this issue Affects: fedora-all [bug 910331] Affects: epel-all [bug 910333]
Comment 3 Vincent Danen 2013-02-12 17:01:27 EST
This was assigned CVE-2012-6128: http://www.openwall.com/lists/oss-security/2013/02/12/7
Comment 4 Fedora Update System 2013-02-24 03:46:31 EST
openconnect-4.08-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2013-02-24 03:58:17 EST
openconnect-4.08-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2013-06-17 15:07:54 EDT
openconnect-4.08-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2013-06-17 15:08:31 EDT
openconnect-4.08-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.