This was pointed out by Guillaume Rousse on the -dev list. See URL for info. Cauldron/Mageia 2 are also affected.
CC: (none) => guillomovitch
Assignee: bugsquad => boklm
Fedora has issued an update for Fedora 17 for this on May 24: http://lists.fedoraproject.org/pipermail/package-announce/2012-June/081619.html
This is fixed in Cauldron. Updates for Mageia 1 and Mageia 2 are still needed.
Version: 1 => 2
Whiteboard: (none) => MGA1TOO
Patched package for Mageia 1 uploaded.
Updated package for Mageia 2 uploaded.

Advisory:
========================

Updated socat package fixes security vulnerability:

Heap-based buffer overflow in the xioscan_readline function in xio-readline.c in socat 1.4.0.0 through 1.7.2.0 and 2.0.0-b1 through 2.0.0-b4 allows local users to execute arbitrary code via the READLINE address (CVE-2012-0219).

Also, on Mageia 1, invalid output and a possible process crash when socat prints info about an unnamed unix domain socket have been fixed.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0219
http://www.dest-unreach.org/socat/contrib/socat-secadv3.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-June/081619.html
http://lists.opensuse.org/opensuse-updates/2012-07/msg00001.html
https://bugzilla.novell.com/show_bug.cgi?id=668319
========================

Updated packages in core/updates_testing:
========================
socat-1.7.1.3-2.1.mga1
socat-1.7.2.1-1.mga2

from SRPMS:
socat-1.7.1.3-2.1.mga1.src.rpm
socat-1.7.2.1-1.mga2.src.rpm
CC: (none) => boklm
Assignee: boklm => qa-bugs
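As an added illustration (not part of the bug thread or of any Mageia tooling), the affected range and the fixed builds quoted in the advisory can be turned into a check. It shows why the Mageia 1 build has to be judged by its release field: 1.7.1.3 is inside the affected upstream range, but release 2.1.mga1 carries the backported patch. The function names and the older `2.mga1` release string are constructed for the example.

```python
import re

# Affected upstream ranges, as stated in the advisory text for CVE-2012-0219.
AFFECTED = [("1.4.0.0", "1.7.2.0"), ("2.0.0-b1", "2.0.0-b4")]
# First fixed Mageia builds named in the advisory: tag -> (version, release).
FIXED_BUILDS = {"mga1": ("1.7.1.3", "2.1"), "mga2": ("1.7.2.1", "1")}


def vkey(version):
    """Map '1.7.2.0' or '2.0.0-b4' to a tuple that sorts in release order."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-b(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (4 - len(nums))  # '2.0.0' compares as '2.0.0.0'
    # A beta sorts before the final release that carries the same number.
    beta = int(m.group(2)) if m.group(2) else float("inf")
    return tuple(nums) + (beta,)


def upstream_affected(version):
    """True if an unpatched upstream build of this version is in range."""
    v = vkey(version)
    return any(vkey(lo) <= v <= vkey(hi) for lo, hi in AFFECTED)


def package_status(nvr):
    """Classify an RPM name-version-release such as 'socat-1.7.1.3-2.1.mga1'."""
    m = re.fullmatch(r"socat-([^-]+)-(\d+(?:\.\d+)*)\.(\w+)", nvr)
    if not m:
        raise ValueError(f"unrecognised package string: {nvr!r}")
    version, release, tag = m.groups()
    if tag in FIXED_BUILDS:
        # Known distro: compare version first, then release, to the fixed build.
        fixed_ver, fixed_rel = FIXED_BUILDS[tag]
        have = (vkey(version), vkey(release))
        need = (vkey(fixed_ver), vkey(fixed_rel))
        return "patched" if have >= need else "vulnerable"
    # Unknown distro tag: only the upstream range can be checked.
    return "unknown-build-in-range" if upstream_affected(version) else "not-affected"


if __name__ == "__main__":
    # Constructed sample inputs; the first and last are the builds in the advisory.
    for pkg in ("socat-1.7.1.3-2.1.mga1", "socat-1.7.1.3-2.mga1", "socat-1.7.2.1-1.mga2"):
        print(pkg, "->", package_status(pkg))
```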
One way to test socat is to use it as a network redirector.

socat tcp-listen:1111,fork tcp-connect:REMOTE_HOST:22

will make your machine listen on port 1111, and if you connect to that, it will redirect the connection to machine REMOTE_HOST (hostname or IP address) on port 22.

If the remote machine was running sshd, you could do

ssh user@localhost -p 1111

to connect to this redirector and it should connect you to ssh on the remote machine.
We don't appear vulnerable to this. There is a testcase on the dest-unreach.org link # perl -e 'print "\r"."A"x 513' </tmp/socat-data socat readline exec:'cat /tmp/socat-data' -bash: /tmp/socat-data: No such file or directory # touch /tmp/socat-data # perl -e 'print "\r"."A"x 513' </tmp/socat-data socat readline exec:'cat /tmp/socat-data' AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Same mga1 64 and mga2 64
Testing mga1 64

Thanks David for the test procedure

In an mga1 VM I used
$ socat tcp-listen:1111,fork tcp-connect:<This-IP>:22

Connecting to it from <This IP> connects back to <This IP>
$ ssh -p 1111 <That IP>

So it seems to work.

Testing complete x86_64 mga1. I'll do the same the other way to test mga2 64.
Testing complete mga2 64
Hardware: i586 => All
Whiteboard: MGA1TOO => MGA1TOO mga1-64-OK mga2-64-OK
Testing complete Mageia 1 i586.

I used
socat tcp-listen:1111,fork tcp-connect:localhost:59386

Port 59386 has ...
tcp 0 0 127.0.0.1:59386 0.0.0.0:* LISTEN 3233/sshd: dave

It's set up by an autossh connection from a remote system.

In ~/.ssh/config, I copied the config entry that I normally use to connect to port 59386, changed the name to test, and the port to 1111.

Using "ssh test" I get ...
$ ssh test
Warning: Permanently added '[localhost]:1111' (RSA) to the list of known hosts.

I'll run the same test on Mageia 2 i586 shortly.
CC: (none) => davidwhodgins
Whiteboard: MGA1TOO mga1-64-OK mga2-64-OK => MGA1TOO mga1-64-OK mga2-64-OK mga1-32-OK
Testing complete Mageia 2 i586.

Could someone from the sysadmin team push the srpm
socat-1.7.2.1-1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates and the srpm
socat-1.7.1.3-2.1.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Advisory:

Updated socat package fixes security vulnerability:

Heap-based buffer overflow in the xioscan_readline function in xio-readline.c in socat 1.4.0.0 through 1.7.2.0 and 2.0.0-b1 through 2.0.0-b4 allows local users to execute arbitrary code via the READLINE address (CVE-2012-0219).

Also, on Mageia 1, invalid output and a possible process crash when socat prints info about an unnamed unix domain socket have been fixed.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0219
http://www.dest-unreach.org/socat/contrib/socat-secadv3.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-June/081619.html
http://lists.opensuse.org/opensuse-updates/2012-07/msg00001.html
https://bugzilla.novell.com/show_bug.cgi?id=668319
https://bugs.mageia.org/show_bug.cgi?id=5986
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA1TOO mga1-64-OK mga2-64-OK mga1-32-OK => MGA1TOO mga1-64-OK mga2-64-OK mga1-32-OK mga2-32-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0138
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
CC: boklm => (none)