Bug 5986 - socat new security issue CVE-2012-0219
: socat new security issue CVE-2012-0219
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: All Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
:
: http://www.dest-unreach.org/socat/con...
: MGA1TOO mga1-64-OK mga2-64-OK mga1-32...
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2012-05-20 01:32 CEST by David Walser
Modified: 2014-05-08 18:07 CEST (History)
4 users (show)

See Also:
Source RPM: socat-1.7.1.3-2.mga1.src.rpm
CVE:


Attachments

Description David Walser 2012-05-20 01:32:31 CEST
This was pointed out by Guillaume Rousse on the -dev list.  See URL for info.

Cauldron/Mageia 2 are also affected.
Comment 1 David Walser 2012-06-01 21:45:10 CEST
Fedora has issued an update for Fedora 17 for this on May 24:
http://lists.fedoraproject.org/pipermail/package-announce/2012-June/081619.html
Comment 2 David Walser 2012-06-14 20:48:56 CEST
This is fixed in Cauldron.  Updates for Mageia 1 and Mageia 2 are still needed.
Comment 3 David Walser 2012-07-02 22:24:54 CEST
Patched package for Mageia 1 uploaded.  Updated package for Mageia 2 uploaded.

Advisory:
========================

Updated socat package fixes security vulnerability:

Heap-based buffer overflow in the xioscan_readline function in
xio-readline.c in socat 1.4.0.0 through 1.7.2.0 and 2.0.0-b1 through
2.0.0-b4 allows local users to execute arbitrary code via the READLINE
address (CVE-2012-0219).

Also, on Mageia 1, invalid output and a possible process crash when socat
prints info about an unnamed unix domain socket has been fixed.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0219
http://www.dest-unreach.org/socat/contrib/socat-secadv3.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-June/081619.html
http://lists.opensuse.org/opensuse-updates/2012-07/msg00001.html
https://bugzilla.novell.com/show_bug.cgi?id=668319
========================

Updated packages in core/updates_testing:
========================
socat-1.7.1.3-2.1.mga1
socat-1.7.2.1-1.mga2

from SRPMS:
socat-1.7.1.3-2.1.mga1.src.rpm
socat-1.7.2.1-1.mga2.src.rpm
Comment 4 David Walser 2012-07-02 22:37:17 CEST
One way to test socat is to use it as a network redirector.

socat tcp-listen:1111,fork tcp-connect:REMOTE_HOST:22

Will make your machine listen on port 1111, and if you connect to that, it will redirect the connection to machine REMOTE_HOST (hostname or IP address) on port 22.  If the remote machine was running sshd, you could do ssh user@localhost -p 1111 to connect to this redirector and it should connect you to ssh on the remote machine.
Comment 5 claire robinson 2012-07-03 17:03:55 CEST
We don't appear vulnerable to this.

There is a testcase on the dest-unreach.org link

# perl -e 'print "\r"."A"x 513' </tmp/socat-data socat readline exec:'cat /tmp/socat-data'
-bash: /tmp/socat-data: No such file or directory

# touch /tmp/socat-data

# perl -e 'print "\r"."A"x 513' </tmp/socat-data socat readline exec:'cat /tmp/socat-data'
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Same mga1 64 and mga2 64
Comment 6 claire robinson 2012-07-03 17:10:19 CEST
Testing mga1 64

Thanks David for the test procedure

In an mga1 VM I used 
$ socat tcp-listen:1111,fork tcp-connect:<This-IP>:22

Connecting to it from <This IP> connects back to <This IP>
$ ssh -p 1111 <That IP>

So it seems to work.

Testing complete x86_64 mga1. I'll do the same the other way to test mga2 64.
Comment 7 claire robinson 2012-07-03 17:12:38 CEST
Testing complete mga2 64
Comment 8 Dave Hodgins 2012-07-04 04:29:25 CEST
Testing complete Mageia 1 i586.

I used socat tcp-listen:1111,fork tcp-connect:localhost:59386

Port 59386 has ...
tcp        0      0 127.0.0.1:59386             0.0.0.0:*                   LISTEN      3233/sshd: dave
It's setup by an autossh connection from a remote system.

In ~/.ssh/config, I copied the config entry that I normally use to
connect to port 59386, changed the name to test, and the port to 1111.

Using "ssh test" I get ...
$ ssh test
Warning: Permanently added '[localhost]:1111' (RSA) to the list of known hosts.

I'll run the same test on Mageia 2 i586 shortly.
Comment 9 Dave Hodgins 2012-07-04 04:44:52 CEST
Testing complete Mageia 2 i586.

Could someone from the sysadmin team push the srpm
socat-1.7.2.1-1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates and the srpm
socat-1.7.1.3-2.1.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Advisory: Updated socat package fixes security vulnerability:

Heap-based buffer overflow in the xioscan_readline function in
xio-readline.c in socat 1.4.0.0 through 1.7.2.0 and 2.0.0-b1 through
2.0.0-b4 allows local users to execute arbitrary code via the READLINE
address (CVE-2012-0219).

Also, on Mageia 1, invalid output and a possible process crash when socat
prints info about an unnamed unix domain socket has been fixed.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0219
http://www.dest-unreach.org/socat/contrib/socat-secadv3.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-June/081619.html
http://lists.opensuse.org/opensuse-updates/2012-07/msg00001.html
https://bugzilla.novell.com/show_bug.cgi?id=668319

https://bugs.mageia.org/show_bug.cgi?id=5986
Comment 10 Thomas Backlund 2012-07-09 14:21:34 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0138

Note You need to log in before you can comment on or make changes to this bug.