Unable to switch realm on authentication dialog

Bug #1764047 reported by Chris Routh on 2018-04-15
36
This bug affects 7 people
Affects Status Importance Assigned to Milestone
network-manager-openconnect
Fix Released
Unknown
network-manager-openconnect (Debian)
Fix Released
Unknown
openconnect (Ubuntu)
Low
Unassigned
Bionic
Low
Chris Routh
Cosmic
Low
Unassigned

Bug Description

* Impact
It's impossible to switch realm on the authentication dialog when connecting to a juniper vpn

* Test case
1. Create VPN connection to Juniper/Pulse which has several realms
2. On auth dialog try to select other realm from the list.
3. Auth dialog will flash after selection and revert to top list item.

Actual results:
Selection reverts to top list item.

Expected results:
Required realm for login is selected.

* Regression potential
The change is in the openconnect auth form processing, check that auth to different types of vpn still work

CVE References

Chris Routh (routhinator) wrote :

Seems this is a cross-distribution issue as it is also reported against Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=1433997

Wanted to make sure it's reported here as it is also an issue for 17.10 - This likely needs to be filed on the upstream repository, however I cannot find their dev repo.

tags: added: openconnect
tags: added: gnome network-manager
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in network-manager-openconnect (Ubuntu):
status: New → Confirmed
Yuriy Pitomets (netsu) wrote :

Confirm: the same on Ubuntu 18.04.

Yuriy Pitomets (netsu) wrote :

Any information about upstream?

Changed in network-manager-openconnect:
importance: Unknown → Medium
status: Unknown → Confirmed
aldo (coffee4kepi) wrote :

I have the same issue too, on Ubuntu 18.04. In the syslog I could find these messages, appearing in coincidence to the opening of the prompt window:

gnome-shell[1380]: JS ERROR: TypeError: item is undefined#012setActiveConnections/<@resource:///org/gnome/shell/ui/status/network.js:1518:17#012setActiveConnections@resourc e:///org/gnome/shell/ui/status/network.js:1515:9#012wrapper@resource:///org/gnome/gjs/modules/_legacy.js:82:22#012_syncVpnConnections@resource:///org/gnome/shell/ui/status/network.js:1853:9#012wrapper@resource:///org/gnome/gjs/modules/_legacy.js:82:22

Sebastien Bacher (seb128) wrote :
Changed in network-manager-openconnect (Ubuntu):
importance: Undecided → Low
status: Confirmed → Triaged
no longer affects: network-manager-openconnect

It turns out it works as expected with openconnect-8, I just built it from source after a friend mentioned it works fine for him on another distro.

Can someone update openconnect to version 8 in universe, at least for bionic and cosmic?

Changed in network-manager-openconnect:
status: Unknown → New
Mike Miller (mtmiller) wrote :

Uploading openconnect 8 to bionic is way too large of a change to make for a SRU.

However, after looking at this again, I think it may have been fixed in openconnect with this commit:

https://gitlab.com/openconnect/openconnect/commit/669c7d3e7a45

Can you test applying that as a patch to the openconnect source package in bionic? If that fixes it for you, then that could be proposed as an SRU to bionic, and cosmic if anyone is so motivated.

tags: added: bionic cosmic
Changed in network-manager-openconnect (Debian):
status: Unknown → Fix Released

For now Ubuntu 18.04 packages of openconnect-8.02 are available in my PPA: https://launchpad.net/~cristi/+archive/ubuntu/openconnect

I also tried to create packages for 18.10 but those fail to compile and I didn't have time to look into it yet, any help would be more than welcome.

@Mike unfortunately I don't have more to spend on this, but if you could make some packages and put them in a PPA maybe someone out there could give it a try.

Mike Miller (mtmiller) wrote :

Neither do I, I was only responding to your question about whether bionic would be updated to openconnect 8.

description: updated
affects: network-manager-openconnect (Ubuntu) → openconnect (Ubuntu)
Changed in openconnect (Ubuntu):
status: Triaged → Fix Released
description: updated
Dan Lenski (lenski) wrote :

I fixed this issue in 669c7d3e7a45aabc3035f8f538bbd36e23dbd3d8 (https://gitlab.com/openconnect/openconnect/commit/669c7d3e7a45aabc3035f8f538bbd36e23dbd3d8) and a related one for GlobalProtect VPNs in 7224312999fb5601d4c7e76ea9afe7eb6b2ca761 (https://gitlab.com/openconnect/openconnect/commit/7224312999fb5601d4c7e76ea9afe7eb6b2ca761).

It's in OpenConnect v8.0 and subsequent point releases.

Changed in network-manager-openconnect:
status: New → Fix Released

Hello Chris, or anyone else affected,

Accepted openconnect into cosmic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/openconnect/7.08-3ubuntu0.18.10.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-cosmic to verification-done-cosmic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-cosmic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in openconnect (Ubuntu Cosmic):
status: New → Fix Committed
tags: added: verification-needed verification-needed-cosmic
Changed in openconnect (Ubuntu Bionic):
status: New → Fix Committed
tags: added: verification-needed-bionic
Brian Murray (brian-murray) wrote :

Hello Chris, or anyone else affected,

Accepted openconnect into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/openconnect/7.08-3ubuntu0.18.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

There are other important fixes in 8.0x including for CVE-2018-20319
and the CSD handling to make it resilient to round-robin DNS changes.

A simple update to 8.02 might be the better option.

Sebastien Bacher (seb128) wrote :

The package testsuite fails in cosmic (already with the archive version) which is failing the build, I'm too busy at the moment to work on that so I failed the cosmic SRU/removed it and I'm marking wontfix for that serie

Changed in openconnect (Ubuntu Cosmic):
status: Fix Committed → Won't Fix
tags: added: verification-failed-cosmic
removed: verification-needed-cosmic
Chris Routh (routhinator) wrote :

Fix confirmed here! Thank you

Chris Routh (routhinator) wrote :

7.08-3ubuntu0.18.04.1 has fixed the problem and realms can be switched.

Changed in openconnect (Ubuntu Bionic):
assignee: nobody → Chris Routh (routhinator)
tags: added: verification-done-bionic
removed: verification-needed-bionic
affects: fedora → ubuntu-translations
Changed in ubuntu-translations:
importance: Unknown → Undecided
status: Unknown → New
no longer affects: ubuntu-translations
Changed in openconnect (Ubuntu Bionic):
importance: Undecided → Low
Changed in openconnect (Ubuntu Cosmic):
importance: Undecided → Low
tags: removed: verification-needed

The verification of the Stable Release Update for openconnect has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openconnect - 7.08-3ubuntu0.18.04.1

---------------
openconnect (7.08-3ubuntu0.18.04.1) bionic; urgency=medium

  * debian/patches/git-juniper-realm.patch:
    - Fix issue causing front-ends/GUIs to be insensitive to changes
      in the Juniper realm dropdown (lp: #1764047)

 -- Sebastien Bacher <email address hidden> Fri, 15 Mar 2019 00:23:01 +0100

Changed in openconnect (Ubuntu Bionic):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.