Bug 1057746 - (CVE-2014-0019) CVE-2014-0019 socat: PROXY-CONNECT address overflow
Status: CLOSED CURRENTRELEASE
Product: Security Response
Classification: Other
Component: vulnerability
unspecified
All Linux
Priority: low, Severity: low
Assigned To: Red Hat Product Security
impact=low,public=20140128,reported=2...
Keywords: Security
Depends On: 1057748 1058996 1081919
Blocks: 1057751
Reported: 2014-01-24 12:54 EST by Vincent Danen
Modified: 2015-10-15 14:13 EDT
Fixed In Version: socat 1.7.2.3, socat 2.0.0b7
Doc Type: Bug Fix
Last Closed: 2014-07-17 20:32:16 EDT

Attachments
upstream patch to correct the flaw (4.22 KB, patch)
2014-01-24 12:56 EST, Vincent Danen

Description Vincent Danen 2014-01-24 12:54:26 EST
Florian Weimer of the Red Hat Product Security Team discovered a denial of service flaw in socat. Due to a missing check during assembly of the HTTP request line, a long target server name (<hostname> in the documentation) of the PROXY-CONNECT address can cause a stack buffer overrun. Exploitation requires that the attacker is able to provide the target server name to the PROXY-CONNECT address in the command line. This can happen, for example, in scripts that receive data from untrusted sources.

This flaw affects socat versions 1.3.0.0 through to 1.7.2.2; it is corrected in 1.7.2.3.


Acknowledgements:

This issue was discovered by Florian Weimer of the Red Hat Product Security Team.
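
The missing check described above, shown as an added example (not socat's code and not the upstream patch): a request-line builder that refuses a target name that would not fit the buffer. The function name `build_connect_line`, the 512-byte `REQ_BUFSIZE` and the sample hostnames are assumptions made for illustration, and the character check goes one step beyond the length issue in this report.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical request buffer size for this example; not taken from socat. */
#define REQ_BUFSIZE 512

/* Assemble "CONNECT <host>:<port> HTTP/1.0\r\n" into out.
 * Returns the line length, or -1 if the input is rejected or would not fit.
 * The unchecked form of this step (sprintf into a fixed stack buffer) is the
 * bug class described above: the host length is never compared to the buffer. */
int build_connect_line(char *out, size_t outlen, const char *host, unsigned port)
{
    const char *p;
    int n;

    if (out == NULL || outlen == 0)
        return -1;
    out[0] = '\0';                      /* never leave stale data on failure */
    if (host == NULL || host[0] == '\0' || port == 0 || port > 65535)
        return -1;
    /* Extra check beyond the length issue: no spaces or control bytes
     * (CR/LF included), so the host stays a single request-line token. */
    for (p = host; *p != '\0'; ++p) {
        unsigned char c = (unsigned char)*p;
        if (c <= 0x20 || c == 0x7f)
            return -1;
    }
    /* snprintf never writes past outlen; n >= outlen means truncation,
     * which is treated as an error instead of sending a cut-off request. */
    n = snprintf(out, outlen, "CONNECT %s:%u HTTP/1.0\r\n", host, port);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';
        return -1;
    }
    return n;
}

int main(void)
{
    char req[REQ_BUFSIZE];
    char longhost[601];                 /* constructed over-long input */

    memset(longhost, 'a', sizeof longhost - 1);
    longhost[sizeof longhost - 1] = '\0';
    printf("normal: %d\n", build_connect_line(req, sizeof req, "proxy-target.example", 443));
    printf("long:   %d\n", build_connect_line(req, sizeof req, longhost, 443));
    return 0;
}
```

Scripts that pass untrusted input to the PROXY-CONNECT address can apply the same length and character limits before invoking socat, independent of the installed version.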
Comment 2 Vincent Danen 2014-01-24 12:56:33 EST
Created attachment 855124
upstream patch to correct the flaw
Comment 4 Vincent Danen 2014-01-28 18:28:05 EST
This issue is now public:

http://seclists.org/oss-sec/2014/q1/159
Comment 5 Vincent Danen 2014-01-28 18:30:16 EST
Created socat tracking bugs for this issue:

Affects: fedora-all [bug 1058996]
Comment 6 Fedora Update System 2014-02-12 09:38:49 EST
socat-1.7.2.3-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2014-02-12 09:52:31 EST
socat-1.7.2.3-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2014-02-20 02:02:08 EST
socat-1.7.2.3-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Kurt Seifried 2014-07-17 20:25:51 EDT
Statement:

The Red Hat Security Response Team has rated this issue as having Low security impact on OpenShift Enterprise; a future update may address this flaw.