Bug 108027

Summary: CAN-2003-0740 Stunnel 3.2x Security Issues
Product: [Retired] Red Hat Linux
Reporter: Steve Grubb <linux_4ever>
Component: stunnel
Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED ERRATA
QA Contact: Brian Brock <bbrock>
Severity: medium
Priority: medium
Version: 8.0
CC: mjc
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2003-12-12 08:52:28 UTC

Description Steve Grubb 2003-10-26 14:10:08 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i586; en-US; rv:1.2.1) Gecko/20030225

Description of problem:
Stunnel as shipped leaks many file descriptors. One in particular can be used to
hijack the service if used with a program that provides shell access. Further
information can be found at:

http://marc.theaimsgroup.com/?l=bugtraq&m=106260760211958&w=2

The advisory includes working exploit code tested against Red Hat 8.0.

Version-Release number of selected component (if applicable):
stunnel-3.22

How reproducible:
Always

Steps to Reproduce:
1. Compile and run the exploit program from the bugtraq advisory.
2. Follow the instructions for the exploit program in the advisory.

Actual Results:  Leaked file descriptors. The listening descriptor, the logging
descriptor, the signal pipe descriptors, etc.

Expected Results:  Only file descriptors 0, 1, & 2 in the child process.

Additional info:

Version 3.26 is the current version of the 3.x series. It has all known problems
associated with descriptor leaks fixed. It's recommended to upgrade to that version.

4.04 does not have this problem. Upgrading to the 4.x series is not recommended
since 3.x has configuration info on the command line while 4.x uses a config
file. The differences are too big of a jump for a stable release.
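The defensive side of what the report asks for, as an added illustration (not code from stunnel or from the reporter): before a service hands a connection to a child program, every descriptor above 2 is marked close-on-exec so the listening socket, log file and signal pipe cannot be inherited, and a scan confirms what would still leak. The helper names fd_limit, set_cloexec, count_inheritable_from and cloexec_all_from are assumptions for this example.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Upper bound for the descriptor scan; sysconf() may report a huge table. */
static int fd_limit(void) {
    long n = sysconf(_SC_OPEN_MAX);
    if (n < 0 || n > 65536) n = 65536;
    return (int)n;
}
/* Mark one descriptor close-on-exec so an exec'd program cannot inherit it.
 * Returns 0 on success, -1 if fd is not open. */
int set_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0) return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}
/* Count open descriptors >= lowfd that would survive an exec(): these are
 * the kind of descriptors the report says stunnel leaked to its child. */
int count_inheritable_from(int lowfd) {
    int count = 0, limit = fd_limit();
    for (int fd = lowfd; fd < limit; fd++) {
        int flags = fcntl(fd, F_GETFD);
        if (flags >= 0 && !(flags & FD_CLOEXEC)) count++;
    }
    return count;
}
/* Mark every open descriptor >= lowfd close-on-exec and return how many were
 * changed. Done before exec() in the child, only 0, 1 and 2 are inherited. */
int cloexec_all_from(int lowfd) {
    int changed = 0, limit = fd_limit();
    for (int fd = lowfd; fd < limit; fd++) {
        int flags = fcntl(fd, F_GETFD);
        if (flags >= 0 && !(flags & FD_CLOEXEC) &&
            fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == 0) changed++;
    }
    return changed;
}
int main(void) {
    /* Stand-ins for the listening socket and signal pipe named in the report. */
    int listener = socket(AF_INET, SOCK_STREAM, 0), sigpipe[2];
    if (listener < 0 || pipe(sigpipe) < 0) return 1;
    printf("inheritable before hardening: %d\n", count_inheritable_from(3));
    cloexec_all_from(3);
    printf("inheritable after hardening:  %d\n", count_inheritable_from(3));
    return 0;
}
```

Closing the descriptors outright in the child (instead of only setting FD_CLOEXEC) gives the same result for the exec'd program; the flag approach is the one that also covers library-opened descriptors the service never sees.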

Comment 1 Mark J. Cox 2003-10-27 16:20:23 UTC
See bug 106473 for the entry for Enterprise Linux for this bug.  We have an
errata in progress RHSA-2003:296 for this issue, but it is currently stalled on
glibc (see bug 106800).

Comment 2 Mark J. Cox 2003-12-12 08:52:28 UTC
http://rhn.redhat.com/errata/RHSA-2003-296.html
was released 2003-11-24