Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <4FB11BB1.2010605@dest-unreach.org>
Date: Mon, 14 May 2012 16:50:25 +0200
From: Gerhard Rieger <gerhard@...t-unreach.org>
To: oss-security@...ts.openwall.com
Subject: socat security advisory

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Socat security advisory 3

Overview
  A heap based buffer overflow vulnerability has been found with data
  that happens to be output on the READLINE address. Successful
  exploitation may allow an attacker to execute arbitrary code with
  the privileges of the socat process.

Vulnerability Id: CVE-2012-0219

Details
  This vulnerability can be exploited when socat is invoked with the
  READLINE address (this is usually only used interactively) without
  option "prompt" and without option "noprompt" and an attacker
  succeeds to provide malicious data to the other (arbitrary) address
  that is then transferred by socat to the  READLINE address for
  output.
  The problem was caused by a coding error in function
  xioscan_readline().

Testcase
  To check your socat program do the following:

    perl -e 'print "\r"."A"x 513' >/tmp/socat-data
    socat readline exec:'cat /tmp/socat-data'

  When socat crashes with a signal (e.g. SIGSEGV) and does not output
  any 'A' it is vulnerable.

Workaround
  Use option "prompt" or option "noprompt" with the READLINE address.

Affected versions
  1.4.0.0 - 1.7.2.0
  2.0.0-b1 - 2.0.0-b4

Not affected or corrected versions
  1.0.0.0 - 1.3.2.2
  1.7.2.1 and later
  2.0.0-b5 and later

Download
  The updated sources can be downloaded from:
    http://www.dest-unreach.org/socat/download/socat-1.7.2.1.tar.gz
    http://www.dest-unreach.org/socat/download/socat-2.0.0-b5.tar.gz
  Patch to 1.7.2.0:
    http://www.dest-unreach.org/socat/download/socat-1.7.2.1.patch.gz
  Patch to 2.0.0-b4:
    http://www.dest-unreach.org/socat/download/socat-2.0.0-b5.patch.gz

History
  2012/04/22 vulnerability report received
  2012/04/22 fix to 1.7.2.0 generated
  2012/04/27 fix to 2.0.0-b4 generated
  2012/05/14 fixes published

Credits
  Full credits to Johan Thillemann for finding and reporting this issue.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJPsRulAAoJEBszgb37UeYgi0wH/0xEApMf2oEk93GQWcG3abnl
PadXWh0Z1MnsmBMEYQR+dwqy+SveCBuJvn7sztGTLLKmcd2IoXXqF5lpLUT5lfcf
HLjYrwBuPgqOJg21lqXZ0p5jLOhitqtX66mr+KiOZ11lkcXZDorv/Mpsf+0g2oYY
7foPTLud41rmhKQAA2haLLwYWb7qTrh1GF49HVpumFv9Sq+qrHkGNiuK9MMv7kqq
t+MoTTxWYhmaR7uOyhEpS+nISHWPlGhSmypnxWuOFWctgu3YuT0SE4mdRv2qJNyk
akm3s+Sn4OWtc0GMYtKgXIFZWLAEyFVykKnWMRclzEamsFBe/gXHUOeyGJDbsU8=
=L+w3
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.