Bug 15131

Summary: socat new security issue CVE-2015-1379
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/640415/
Whiteboard: has_procedure advisory MGA4-32-OK
Source RPM: socat-2.0.0-0.b7.1.mga4.src.rpm CVE:
Status comment:

Description David Walser 2015-01-26 14:56:39 CET 
Upstream has announced a security issue on January 24:
http://openwall.com/lists/oss-security/2015/01/24/6

The issue will be fixed in 2.0.0-b8, which has not been released yet.  A CVE identifier has also not been made available yet.

Mageia 4 is also affected.

Reproducible: 

Steps to Reproduce:
David Walser 2015-01-26 14:56:55 CET

Whiteboard: (none) => MGA4TOO

Comment 1 David Walser 2015-01-27 20:25:29 CET 
CVE-2015-1379 has been issued:
http://openwall.com/lists/oss-security/2015/01/27/19

Summary: socat new security issue (possible DoS) => socat new security issue CVE-2015-1379

Comment 2 David Walser 2015-04-06 23:43:13 CEST 
Upstream has finally issued an update for 2.0.0-b8:
http://openwall.com/lists/oss-security/2015/04/06/4

Update committed in SVN for Mageia 4 and Cauldron.  Freeze push requested.
Comment 3 David Walser 2015-04-09 17:13:07 CEST 
Updated packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated socat package fixes security vulnerability:

In socat before 2.0.0-b8, signal handler implementations are not
async-signal-safe and can cause crash or freeze of socat processes. Mostly
this issue occurs when socat is in listening mode with fork option and a
couple of child processes terminate at the same time (CVE-2015-1379).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1379
http://openwall.com/lists/oss-security/2015/04/06/4
========================

Updated packages in core/updates_testing:
========================
socat-2.0.0-0.b8.1.mga4

from socat-2.0.0-0.b8.1.mga4.src.rpm

Version: Cauldron => 4
Assignee: bugsquad => qa-bugs
Whiteboard: MGA4TOO => (none)

Comment 4 David Walser 2015-04-09 21:23:13 CEST 
Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=5986#c4

Works fine for me on Mageia 4 i586.

Whiteboard: (none) => has_procedure MGA4-32-OK

Comment 5 claire robinson 2015-04-10 15:24:37 CEST 
Validating. Advisory uploaded.

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-32-OK => has_procedure advisory MGA4-32-OK
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2015-04-15 11:02:13 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0144.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2015-04-15 18:48:33 CEST

URL: (none) => http://lwn.net/Vulnerabilities/640415/