Date: Mon, 14 May 2012 16:50:25 +0200
From: Gerhard Rieger <gerhard@...t-unreach.org>
To: oss-security@...ts.openwall.com
Subject: socat security advisory


Socat security advisory 3

Overview
  A heap based buffer overflow vulnerability has been found with data
  that happens to be output on the READLINE address. Successful
  exploitation may allow an attacker to execute arbitrary code with
  the privileges of the socat process.

Vulnerability Id: CVE-2012-0219

Details
  This vulnerability can be exploited when socat is invoked with the
  READLINE address (this is usually only used interactively) without
  option "prompt" and without option "noprompt", and an attacker
  succeeds in providing malicious data to the other (arbitrary) address
  that socat then transfers to the READLINE address for output.
  The problem was caused by a coding error in function
  xioscan_readline().

Testcase
  To check your socat program do the following:

    perl -e 'print "\r"."A"x 513' >/tmp/socat-data
    socat readline exec:'cat /tmp/socat-data'

  When socat crashes with a signal (e.g. SIGSEGV) and does not output
  any 'A' it is vulnerable.
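  The following shell script is an added example that automates the test
  case above; it is not part of the advisory. It assumes that socat is on
  PATH and, like the manual procedure, that it is run from an interactive
  terminal. The classification relies on the POSIX shell convention that a
  child killed by signal N exits with status 128+N.

```sh
#!/bin/sh
# Added example (not from the advisory): automates the advisory's test case.
# Assumes `socat` is on PATH and is run from an interactive terminal.

# Write the test data: a CR followed by 513 'A' bytes (514 bytes total),
# the same payload as the advisory's perl one-liner.
make_testdata() {
  printf '\r%513s' '' | tr ' ' 'A' > "$1"
}

# Classify one run from its exit status and captured output.
# A POSIX shell reports a child killed by signal N as status 128+N
# (e.g. 139 for SIGSEGV). Per the advisory, a crash with no 'A' in the
# output means the installed socat is vulnerable.
# Prints "vulnerable" or "not vulnerable"; returns 1 resp. 0.
classify_result() {
  status=$1
  output=$2
  if [ "$status" -gt 128 ] && ! printf '%s' "$output" | grep -q 'A'; then
    echo vulnerable
    return 1
  fi
  echo 'not vulnerable'
  return 0
}

# Run the advisory's test case against the installed socat.
# Argument: path for the generated data file (default /tmp/socat-data).
check_socat_readline() {
  data=${1:-/tmp/socat-data}
  make_testdata "$data"
  # The assignment's exit status is that of socat itself.
  output=$(socat readline exec:"cat $data" 2>/dev/null)
  classify_result "$?" "$output"
}

# Invoke as: sh this_script.sh run [datafile]
case "${1:-}" in
  run) check_socat_readline "$2" ;;
esac
```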

Workaround
  Use option "prompt" or option "noprompt" with the READLINE address.

Affected versions
  1.4.0.0 - 1.7.2.0
  2.0.0-b1 - 2.0.0-b4

Not affected or corrected versions
  1.0.0.0 - 1.3.2.2
  1.7.2.1 and later
  2.0.0-b5 and later

Download
  The updated sources can be downloaded from:
    http://www.dest-unreach.org/socat/download/socat-1.7.2.1.tar.gz
    http://www.dest-unreach.org/socat/download/socat-2.0.0-b5.tar.gz
  Patch to 1.7.2.0:
    http://www.dest-unreach.org/socat/download/socat-1.7.2.1.patch.gz
  Patch to 2.0.0-b4:
    http://www.dest-unreach.org/socat/download/socat-2.0.0-b5.patch.gz

History
  2012/04/22 vulnerability report received
  2012/04/22 fix to 1.7.2.0 generated
  2012/04/27 fix to 2.0.0-b4 generated
  2012/05/14 fixes published

Credits
  Full credits to Johan Thillemann for finding and reporting this issue.
