Bug 22565

Summary: multiple stunnel vulnerabilies
Product: [Retired] Red Hat Linux Reporter: Daniel Roesen <dr>
Component: opensslAssignee: Nalin Dahyabhai <nalin>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: high    
Version: 7.0Keywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2000-12-20 02:31:04 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Daniel Roesen 2000-12-20 02:31:02 UTC
----- CITE -----
From: Brian Hatch <bri>
To: BUGTRAQ
Subject:      Complete list of Stunnel vulnerabilities
Date:         Mon, 18 Dec 2000 21:47:29 -0800

> We have recently discovered a format bug in stunnel<= 3.8 in which the
> log() function calls directly the syslog() with only two parameters:
> syslog(level, text). It should be syslog(level, "%s", text).

This was fixed in stunnel version 3.9.  I was actually writing up an
advisory to cover all the thing that were fixed since 3.8, but since
you brought it up here they are in a terribly uninteresting format:

1) stunnel-3.8 and previous did not properly seed the PRNG.
        This could lead to weak encryption on machines that
        lack /dev/urandom (such as Solaris, Windows, etc.
        BSD's, and Linux for example were not affected.)

2) stunnel-3.8 and previous had insecure pid file creation,
        and was thus vulnerable to symlink games.  (Ability
        to overwrite any file on the system.  Since stunnel
        is usually used to bind low ports, stunnel was usually
        run as root, and this was potentially very damaging.)

3) stunnel-3.8p4 and previous were affected by the afformeantioned
        format string bug.  (And shame on me for not catching it during
        my audit.)

4) stunnel-3.8p4 and previous was not entirely thread-safe.
        (Only informational counters were affected by this,
        nothing security or functional related.)


Everyone should upgrade to stunnel version 3.9 or later immediately.


Stunnel-3.9 was released December 13th, 2000.  It is Available at
http://www.stunnel.org/download/stunnel/src/stunnel-3.9.tar.gz

Stunnel-3.10 is slated for release soon.  It is a functional
release, and does not contain any additional security
related changes.


To report a bug in stunnel, please email the maintainer,
Michal Trojnara <Michal.Trojnara>, and the stunnel
FAQ maintainer, Brian Hatch <bri>.
----- CITE -----


As far as I can see we are affected by Bugs 2, 3 and 4. With #4 not being
security-relevant.

I file this one against the "openssl" package as Nalin is also maintainer
of OpenSSL and there is no "stunnel" package in Bugzilla available.

Comment 1 Daniel Roesen 2000-12-20 02:41:40 UTC
OK, I see. Errata already released today. Sorry.

(but "stunnel" package is still missing in Bugzilla :->)