oss-sec mailing list archives

Re: CVE request: openconnect buffer overflow


From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 12 Feb 2013 14:28:48 -0700

On 02/11/2013 12:52 PM, Florian Weimer wrote:
> Kevin Cernekee discovered that a malicious VPN gateway can send a
> very long hostname/path (for redirects) or cookie list (in
> general), which OpenConnect will attempt to write on a fixed length
> buffer.
>
> Upstream commit:
>
> <http://git.infradead.org/users/dwmw2/openconnect.git/commitdiff/26f752c3dbf69227679fc6bebb4ae071aecec491>
>
> This needs a CVE name from 2012.

Please use CVE-2012-6128 for this issue.

It should be noted that this can be executed by a man-in-the-middle
attacker (which is exactly why you're using a VPN, usually =).

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
