Bug 12469 - socat new security issue CVE-2014-0019
Summary: socat new security issue CVE-2014-0019
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/585745/
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3...
Keywords: validated_update
Depends on:
Reported: 2014-01-29 00:11 CET by David Walser
Modified: 2014-02-16 14:44 CET

See Also:
Source RPM: socat-2.0.0-0.b6.2.mga4.src.rpm
Status comment:


Description David Walser 2014-01-29 00:11:06 CET
Upstream has announced version 2.0.0-b7, fixing a security issue:

Mageia 3 and Mageia 4 will both need to be updated.

The URL above gives details on how to reproduce the issue, but notes that it cannot always be reliably reproduced.

The default compiler flags used in Mageia may reduce the impact of this flaw.

I've updated it in Cauldron and Mageia 3 SVN, and will update it in Mageia 4 SVN and build the updates after Mageia 4 is released.


Steps to Reproduce:
Comment 1 David Walser 2014-02-05 20:30:36 CET
Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron.


Updated socat package fixes security vulnerability:

Due to a missing check in socat before 2.0.0-b7 during assembly of the HTTP
request line, a long target server name (<hostname> in the documentation) in
the PROXY-CONNECT address can cause a stack buffer overrun.  Exploitation
requires that the attacker is able to provide the target server name to the
PROXY-CONNECT address in the command line. This can happen, for example, in
scripts that receive data from untrusted sources (CVE-2014-0019).


Updated packages in core/updates_testing:

from SRPMS:
Comment 2 Samuel Verschelde 2014-02-10 20:02:16 CET
Testing procedure in https://bugs.mageia.org/show_bug.cgi?id=5986#c4 and next comments.
Comment 3 claire robinson 2014-02-12 17:24:48 CET
Testing complete mga3 64 with the procedure here
Comment 4 claire robinson 2014-02-12 17:28:35 CET
Testing complete mga3 32
Comment 5 David Walser 2014-02-12 19:46:24 CET
Fedora has issued an advisory for this on January 30:
Comment 6 Rémi Verschelde 2014-02-14 22:35:04 CET
Testing complete Mageia 4 i586.

I reproduced the security issue using the procedure linked in comment 0, thus I can confirm Mageia 4's package is vulnerable. The second command leads to a buffer overflow error.

After applying the update, the result is:
[akien@localhost ~]$ socat - PROXY-CONNECT:localhost:$(perl -e "print 'A' x 384"):1,proxyport=8080
2014/02/14 22:24:03 socat[6310.3073042176] E _xioopen_proxy_connect(): PROXY CONNECT buffer too small

I suppose this means the update correctly fixes the issue, since the new error is not a buffer overflow.

Tested for regression using the procedure linked in comment 2.
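
Added illustration (not part of the thread and not socat's source code): a bounded assembly of a proxy CONNECT request line, showing the kind of length check the advisory in comment 1 says was missing and the rejection that comment 6 observes after the update. The function names, the 256-byte buffer and the HTTP/1.0 request-line format are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

#define REQ_BUFLEN 256  /* constructed size for this example, not socat's */

/* Hypothetical helper (not socat's source). Assembles the proxy request line
 * "CONNECT <host>:<port> HTTP/1.0\r\n" into buf.
 * The unchecked pattern this replaces is
 *     sprintf(buf, "CONNECT %s:%u HTTP/1.0\r\n", host, port);
 * which writes past the end of buf when host is long.
 * Returns the number of bytes written, or -1 if the line does not fit. */
int build_connect_line(char *buf, size_t buflen, const char *host, unsigned port)
{
    if (buf == NULL || buflen == 0 || host == NULL || port == 0 || port > 65535)
        return -1;
    /* snprintf never writes more than buflen bytes and returns the length
     * the full string would have had, so truncation is detectable. */
    int n = snprintf(buf, buflen, "CONNECT %s:%u HTTP/1.0\r\n", host, port);
    if (n < 0 || (size_t)n >= buflen) {
        buf[0] = '\0';          /* never hand a truncated request onward */
        return -1;
    }
    return n;
}

/* Runs the helper with a host name of host_len 'A' characters and port 1,
 * the shape of input used in comment 6. Returns the helper's result. */
int try_long_host(size_t host_len)
{
    char host[1024];
    char req[REQ_BUFLEN];
    if (host_len >= sizeof(host))
        return -1;
    memset(host, 'A', host_len);
    host[host_len] = '\0';
    return build_connect_line(req, sizeof(req), host, 1);
}

int main(void)
{
    char req[REQ_BUFLEN];
    int n = build_connect_line(req, sizeof(req), "example.org", 443);
    printf("normal host: %d bytes: %s", n, req);
    if (try_long_host(384) < 0)
        fprintf(stderr, "E PROXY CONNECT buffer too small\n");
    return 0;
}
```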
Comment 7 Rémi Verschelde 2014-02-14 22:52:37 CET
Testing complete Mageia 4 x86_64.


Validating update, advisory uploaded. Please push to 3 & 4 core/updates.
Comment 8 Thomas Backlund 2014-02-16 14:44:05 CET
Update pushed:
