Bug 1303887 – socat: Stack overflow vulnerability in parser

Bug 1303887 - socat: Stack overflow vulnerability in parser

Summary:	socat: Stack overflow vulnerability in parser

Status:	CLOSED WONTFIX

Aliases:	None

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	low Severity low
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=low,public=20160201,reported=2...
Keywords:	Security

Depends On:	1186301 1303888 1303889
Blocks:	1303890
	Show dependency tree / graph

Reported:	2016-02-02 05:52 EST by Adam Mariš
Modified:	2016-12-01 13:08 EST (History)
CC List:	10 users (show)

See Also:
Fixed In Version:	socat 2.0.0-b9, socat 1.7.3.1
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2016-02-11 04:29:00 EST
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Adam Mariš 2016-02-02 05:52:46 EST

A stack overflow vulnerability was found that can be triggered when command line arguments (complete address specifications, host names, file names) are longer than 512 bytes. Successful exploitation might allow an attacker to execute arbitrary code with the privileges of the socat process. This vulnerability can only be exploited when an attacker is able to inject data into socat's command line. A vulnerable scenario would be a CGI script that reads data from clients and uses (parts of) this data as hostname for a Socat invocation.

Affected versions:
1.5.0.0 - 1.7.3.0
2.0.0-b1 - 2.0.0-b8

Reference:

http://seclists.org/oss-sec/2016/q1/262

Comment 1 Adam Mariš 2016-02-02 05:53:19 EST

Created socat tracking bugs for this issue:

Affects: fedora-all [bug 1303888]
Affects: epel-all [bug 1303889]

Comment 2 Tomas Hoger 2016-02-11 03:53:10 EST

Upstream commit:

http://repo.or.cz/socat.git/commitdiff/226c555edb82f6901d7d7448d93e6d09b1132c73

External References:

http://www.dest-unreach.org/socat/contrib/socat-secadv8.html

Comment 4 Tomas Hoger 2016-02-11 04:29:00 EST

Overflow is triggered by long command line arguments.  While these may be based on untrusted input, they typically are not.  There's currently no plan to correct this in Red Hat Enterprise Linux.  The fix may be added if the component is updated to fixed upstream version in future updates.

Note You need to log in before you can comment on or make changes to this bug.