Bug 12469 - socat new security issue CVE-2014-0019
Summary: socat new security issue CVE-2014-0019
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/585745/
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3...
Keywords: validated_update
Depends on:
Reported: 2014-01-29 00:11 CET by David Walser
Modified: 2014-02-16 14:44 CET
CC List: 4 users

See Also:
Source RPM: socat-2.0.0-0.b6.2.mga4.src.rpm
Status comment:


Description David Walser 2014-01-29 00:11:06 CET
Upstream has announced version 2.0.0-b7, fixing a security issue:

Mageia 3 and Mageia 4 will both need to be updated.

The URL above gives details on how to reproduce the issue, but notes that it cannot always be reliably reproduced.

The default compiler flags used in Mageia may reduce the impact of this flaw.

I've updated it in Cauldron and Mageia 3 SVN, and will update it in Mageia 4 SVN and build the updates after Mageia 4 is released.


Steps to Reproduce:
David Walser 2014-01-29 00:11:17 CET

Whiteboard: (none) => MGA4TOO, MGA3TOO

Comment 1 David Walser 2014-02-05 20:30:36 CET
Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron.


Updated socat package fixes security vulnerability:

Due to a missing check in socat before 2.0.0-b7 during assembly of the HTTP
request line, a long target server name (<hostname> in the documentation) in
the PROXY-CONNECT address can cause a stack buffer overrun.  Exploitation
requires that the attacker is able to provide the target server name to the
PROXY-CONNECT address in the command line. This can happen, for example, in
scripts that receive data from untrusted sources (CVE-2014-0019).


Updated packages in core/updates_testing:

from SRPMS:

Version: Cauldron => 4
Assignee: bugsquad => qa-bugs
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO

Comment 2 Samuel Verschelde 2014-02-10 20:02:16 CET
Testing procedure in https://bugs.mageia.org/show_bug.cgi?id=5986#c4 and next comments.

CC: (none) => stormi
Whiteboard: MGA3TOO => MGA3TOO has_procedure

Comment 3 claire robinson 2014-02-12 17:24:48 CET
Testing complete mga3 64 with the procedure here

Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga3-64-ok

Comment 4 claire robinson 2014-02-12 17:28:35 CET
Testing complete mga3 32

Whiteboard: MGA3TOO has_procedure mga3-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok

Comment 5 David Walser 2014-02-12 19:46:24 CET
Fedora has issued an advisory for this on January 30:

URL: (none) => http://lwn.net/Vulnerabilities/585745/

Comment 6 Rémi Verschelde 2014-02-14 22:35:04 CET
Testing complete Mageia 4 i586.

I reproduce the security issue using the procedure linked in comment 0, thus I can confirm Mageia 4's package is vulnerable. The second command leads to a buffer overflow error.

After applying the update, the result is:
[akien@localhost ~]$ socat - PROXY-CONNECT:localhost:$(perl -e "print 'A' x 384"):1,proxyport=8080
2014/02/14 22:24:03 socat[6310.3073042176] E _xioopen_proxy_connect(): PROXY CONNECT buffer too small

I suppose this means the update correctly fixes the issue, since the new error is not a buffer overflow.

Tested for regression using the procedure linked in comment 2.

CC: (none) => remi
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok
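To illustrate the flaw class described in the advisory text in comment 1 and the before/after behaviour Rémi observes in comment 6, here is an added C example. It is not socat's source and not part of this bug report. It builds a proxy CONNECT request line into a fixed-size buffer two ways: an unchecked sprintf, which overruns a 64-byte stack array for any host name longer than 42 bytes, and a checked snprintf version that measures first and refuses the request instead, the way the fixed socat reports "PROXY CONNECT buffer too small". The buffer size REQ_BUF_LEN, the function names and the request format string are assumptions made for this example; the 384-byte host name is taken from the reproduction command in comment 6. The unchecked builder is rendered into an oversized heap scratch buffer so the demonstration measures the overrun without actually corrupting memory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size of the fixed request buffer. Constructed value for this example;
 * it is not socat's real constant. */
#define REQ_BUF_LEN 64

/* Request line format. Assumed for the example; socat's own format string
 * may differ. With a port of 1 the fixed parts total 21 bytes. */
static const char REQ_FMT[] = "CONNECT %s:%u HTTP/1.0\r\n";

/* Vulnerable pattern: the host name is formatted into the caller's buffer
 * with no bound. If the caller's buffer is a REQ_BUF_LEN stack array, any
 * host longer than REQ_BUF_LEN - 22 bytes (42 here) overruns it. */
int build_connect_request_unchecked(char *req, const char *host, unsigned port)
{
    return sprintf(req, REQ_FMT, host, port);
}

/* Hardened pattern: measure first, refuse what does not fit, and write with
 * snprintf so the length is enforced even if the measurement were wrong.
 * Returns bytes written, or -1 when the request would not fit. */
int build_connect_request_checked(char *req, size_t reqlen,
                                  const char *host, unsigned port)
{
    int needed = snprintf(NULL, 0, REQ_FMT, host, port);
    if (needed < 0 || (size_t)needed >= reqlen)
        return -1;   /* caller reports "PROXY CONNECT buffer too small" */
    return snprintf(req, reqlen, REQ_FMT, host, port);
}

/* Host name as produced by the reproduction command: 'A' repeated n times.
 * Caller frees the result. */
char *make_long_host(size_t n)
{
    char *h = malloc(n + 1);
    if (h == NULL)
        return NULL;
    memset(h, 'A', n);
    h[n] = '\0';
    return h;
}

/* How many bytes past a REQ_BUF_LEN buffer the unchecked builder would
 * write for an n-byte host, NUL terminator included. The request is
 * rendered into an oversized scratch buffer so this function itself stays
 * memory-safe. Returns 0 when the request fits. */
size_t unchecked_overrun_bytes(size_t n)
{
    char *host = make_long_host(n);
    char *scratch = malloc(n + 64);   /* always large enough for n + 22 */
    size_t overrun = 0;
    if (host != NULL && scratch != NULL) {
        int len = build_connect_request_unchecked(scratch, host, 1);
        if (len >= 0 && (size_t)len + 1 > REQ_BUF_LEN)
            overrun = (size_t)len + 1 - REQ_BUF_LEN;
    }
    free(host);
    free(scratch);
    return overrun;
}

/* Result of the hardened builder for an n-byte host written into a real
 * REQ_BUF_LEN stack buffer: bytes written, or -1 if rejected. */
int checked_result(size_t n)
{
    char req[REQ_BUF_LEN];
    char *host = make_long_host(n);
    int rc;
    if (host == NULL)
        return -1;
    rc = build_connect_request_checked(req, sizeof req, host, 1);
    free(host);
    return rc;
}

int main(void)
{
    printf("unchecked, 384-byte host: would overrun a %d-byte buffer by %zu bytes\n",
           REQ_BUF_LEN, unchecked_overrun_bytes(384));
    printf("checked, 384-byte host: rc=%d (rejected)\n", checked_result(384));
    printf("checked, 9-byte host:   rc=%d (bytes written)\n", checked_result(9));
    return 0;
}
```

Build with cc -Wall -o connect_check connect_check.c and run. For the 384-byte host from comment 6 the unchecked builder writes 342 bytes past the 64-byte buffer, while the checked builder returns -1 and writes nothing, which is the error path the updated package takes; a short host succeeds normally. The point of measuring with snprintf(NULL, 0, ...) first rather than only truncating is that a silently truncated CONNECT line would be sent to the proxy as a different, possibly valid, target, so refusing is the safer failure mode.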

Comment 7 Rémi Verschelde 2014-02-14 22:52:37 CET
Testing complete Mageia 4 x86_64.


Validating update, advisory uploaded. Please push to 3 & 4 core/updates.

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok advisory
CC: (none) => sysadmin-bugs

Comment 8 Thomas Backlund 2014-02-16 14:44:05 CET
Update pushed:

CC: (none) => tmb
Resolution: (none) => FIXED
