Bug 17661

Summary: socat new security issues fixed upstream in 2.0.0-b9 (CVE-2016-2217)
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, sysadmin-bugs, tarazed25
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/674840/
Whiteboard: has_procedure MGA5-64-OK advisory
Source RPM: socat-2.0.0-0.b8.1.mga5.src.rpm CVE:
Status comment:

Description David Walser 2016-02-01 17:00:34 CET 
Upstream has issued two advisories today (February 1):
http://openwall.com/lists/oss-security/2016/02/01/4
http://openwall.com/lists/oss-security/2016/02/01/5

CVEs weren't specifically requested, but they may be assigned later.

Updated packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated socat package fixes security vulnerability:

In socat before 2.0.0-b9, in the OpenSSL address implementation, the hard coded
1024 bit DH p parameter was not prime. It may be possible for an eavesdropper
to recover the shared secret from a key exchange.

In socat before 2.0.0-b9, a stack overflow vulnerability was found that can be
triggered when command line arguments are longer than 512 bytes. This
vulnerability can only be exploited when an attacker is able to inject data
into socat's command line.

References:
http://openwall.com/lists/oss-security/2016/02/01/4
http://openwall.com/lists/oss-security/2016/02/01/5
========================

Updated packages in core/updates_testing:
========================
socat-2.0.0-0.b9.1.mga5

from socat-2.0.0-0.b9.1.mga5.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2016-02-01 17:00:48 CET 
Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=5986#c4

Whiteboard: (none) => has_procedure

Comment 2 Len Lawrence 2016-02-01 22:42:53 CET 
mga5  x86_64  Mate

Tested the b8 version before the update.
No crash using the readline test from link in comment #1.  As Claire remarked we do not appear to be vulnerable at this version.
The remote login test worked fine from one local machine to another.

Updated to socat-2.0.0-0.b9.1.mga5

$ perl -e 'print "\r"."A"x 513' < /tmp/socat-data socat readline exec:'cat /tmp/socat-data'
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

$ socat tcp-listen:1111,fork tcp-connect:vega:22
$ ssh lcl@localhost -p 1111
Warning: Permanently added '[localhost]:1111' (RSA) to the list of known hosts.
Password: 
Last login: Thu Jan 21 23:52:57 2016 from difda

CC: (none) => tarazed25

Len Lawrence 2016-02-01 22:46:37 CET

Whiteboard: has_procedure => has_procedure MGA5-64-OK

Comment 3 David Walser 2016-02-04 13:19:21 CET 
(In reply to David Walser from comment #0)
> Upstream has issued two advisories today (February 1):
> http://openwall.com/lists/oss-security/2016/02/01/4

CVE-2016-2217:
http://openwall.com/lists/oss-security/2016/02/04/1

> http://openwall.com/lists/oss-security/2016/02/01/5

Not likely to receive a CVE:
http://openwall.com/lists/oss-security/2016/02/02/7
Comment 4 David Walser 2016-02-04 13:20:03 CET 
Advisory:
========================

Updated socat package fixes security vulnerability:

In socat before 2.0.0-b9, in the OpenSSL address implementation, the hard coded
1024 bit DH p parameter was not prime. It may be possible for an eavesdropper
to recover the shared secret from a key exchange (CVE-2016-2217).

In socat before 2.0.0-b9, a stack overflow vulnerability was found that can be
triggered when command line arguments are longer than 512 bytes. This
vulnerability can only be exploited when an attacker is able to inject data
into socat's command line.

References:
http://openwall.com/lists/oss-security/2016/02/01/4
http://openwall.com/lists/oss-security/2016/02/04/1
http://openwall.com/lists/oss-security/2016/02/01/5

Summary: socat new security issues fixed upstream in 2.0.0-b9 => socat new security issues fixed upstream in 2.0.0-b9 (CVE-2016-2217)

Dave Hodgins 2016-02-05 04:15:18 CET

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-64-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 5 Mageia Robot 2016-02-05 18:28:09 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0053.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2016-02-09 18:25:03 CET

URL: (none) => http://lwn.net/Vulnerabilities/674840/