Bug 108027 - CAN-2003-0740 Stunnel 3.2x Security Issues
Product: Red Hat Linux
Classification: Retired
Component: stunnel
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Nalin Dahyabhai
QA Contact: Brian Brock
Keywords: Security
Reported: 2003-10-26 09:10 EST by Steve Grubb
Modified: 2007-04-18 12:58 EDT (History)
Doc Type: Bug Fix
Last Closed: 2003-12-12 03:52:28 EST
Description Steve Grubb 2003-10-26 09:10:08 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i586; en-US; rv:1.2.1) Gecko/20030225

Description of problem:
Stunnel as shipped leaks many file descriptors. One in particular can be used to
hijack the service if used with a program that provides shell access. Further
information can be found at:


The advisory includes working exploit code tested against Red Hat 8.0.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Compile and run the exploit program from the bugtraq advisory.
2. Follow the instructions for the exploit program in the advisory.

Actual Results:  Leaked file descriptors. The listening descriptor, the logging
descriptor, the signal pipe descriptors, etc.

Expected Results:  Only file descriptors 0, 1, & 2 in the child process.

Additional info:

Version 3.26 is the current version of the 3.x series. It has all known problems
associated with descriptor leaks fixed. It's recommended to upgrade to that version.

4.04 does not have this problem. Upgrading to the 4.x series is not recommended
since 3.x has configuration info on the commandline while 4.x uses a config
file. The differences are too big of a jump for a stable release.
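
Added example, not part of the original report and not stunnel's code: a small C check for the expected result above, that a child process holds only descriptors 0, 1 and 2. A constructed UNIX socket and pipe stand in for the listening and signal-pipe descriptors; the function names and `SCAN_LIMIT` are assumptions made for this illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

#define SCAN_LIMIT 4096  /* assumption: upper bound on descriptors to scan */

/* Count open descriptors above stderr (capped at 255 to fit an exit status). */
static int count_fds_above_stderr(void) {
    int n = 0;
    for (int fd = 3; fd < SCAN_LIMIT; fd++)
        if (fcntl(fd, F_GETFD) != -1 && n < 255) n++;
    return n;
}

/* Hardening step for the child: drop everything except 0, 1 and 2. */
static void close_fds_above_stderr(void) {
    for (int fd = 3; fd < SCAN_LIMIT; fd++) close(fd);
}

/* Returns how many descriptors above 2 a forked child holds, or -1 on error. */
int fds_seen_by_child(int harden) {
    int sigpipe[2];
    int lsock = socket(AF_UNIX, SOCK_STREAM, 0); /* constructed stand-in for the listening socket */
    if (lsock < 0) return -1;
    if (pipe(sigpipe) < 0) { close(lsock); return -1; } /* stand-in for the signal pipe */
    pid_t pid = fork();
    if (pid == 0) {
        /* A real service would exec the helper program here; descriptors not
           closed (or marked close-on-exec) stay open across that exec. */
        if (harden) close_fds_above_stderr();
        _exit(count_fds_above_stderr());
    }
    int status = 0;
    if (pid > 0) waitpid(pid, &status, 0);
    close(lsock); close(sigpipe[0]); close(sigpipe[1]);
    return (pid > 0 && WIFEXITED(status)) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    printf("unhardened child: %d extra descriptors\n", fds_seen_by_child(0));
    printf("hardened child:   %d extra descriptors\n", fds_seen_by_child(1));
    return 0;
}
```

The unhardened count includes anything the parent itself inherited, so it is a lower bound of 3 rather than an exact value.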
Comment 1 Mark J. Cox (Product Security) 2003-10-27 11:20:23 EST
See bug 106473 for the entry for Enterprise Linux for this bug.  We have an
errata in progress RHSA-2003:296 for this issue, but it is currently stalled on
glibc (see bug 106800)
Comment 2 Mark J. Cox (Product Security) 2003-12-12 03:52:28 EST
was released 2003-11-24