"A stack overflow vulnerability was found that is triggered when command line arguments (complete address specifications, host names, file names) are longer than 512 bytes. Successful exploitation allows an attacker to execute arbitrary code with the privileges of the socat process. This vulnerability can only be exploited when an attacker is able to inject data into socat's command line. A vulnerable scenario would be a CGI script that reads data from clients and uses (parts of) this data as hostname for a socat invocation. The problem was caused by a coding error in function nestlex() that ineffected the output buffer end check."
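The output buffer end check the advisory refers to, as an added illustration that is not socat's code and not part of this bug report: a hypothetical nesting lexer (nestlex_copy, OUTSIZ, SAMPLE_ADDR and SAMPLE_NESTED are assumed names) that checks for room before every store, so an argument longer than its 512-byte buffer is rejected instead of running past the end of the stack buffer.

```c
#include <stddef.h>
#include <string.h>
#define OUTSIZ 512   /* buffer size named in the advisory */

/* Hypothetical nesting lexer (assumed name; not socat's nestlex()).
 * Copies one token from in[] to out[], honouring "..." quoting and
 * [...] nesting, stopping at an unquoted, un-nested separator.
 * Returns the token length, or -1 when token plus NUL would not fit
 * in outsiz bytes: the end check runs BEFORE every store, which is
 * what an effective output buffer end check has to do. */
int nestlex_copy(const char *in, char *out, size_t outsiz, char sep) {
    const char *outend = out + outsiz;  /* one past the end of out[] */
    char *o = out;
    int depth = 0, quoted = 0;          /* [ ] nesting depth, inside "..." */
    for (; *in != '\0'; ++in) {
        char c = *in;
        if (!quoted && depth == 0 && c == sep)
            break;                      /* separator ends the token */
        if (c == '"')                              quoted = !quoted;
        else if (!quoted && c == '[')              depth++;
        else if (!quoted && c == ']' && depth > 0) depth--;
        if (o + 1 >= outend)            /* keep room for the NUL */
            return -1;
        *o++ = c;
    }
    *o = '\0';
    return (int)(o - out);
}

/* Constructed sample arguments (not from the bug report). */
static const char SAMPLE_ADDR[] = "TCP:[::1]:80,retry=3";
static const char SAMPLE_NESTED[] = "[b,c],d";

/* Bracketed host keeps its colons; a comma inside [...] is not a separator. */
int samples_ok(void) {
    char out[OUTSIZ];
    int n1 = nestlex_copy(SAMPLE_ADDR, out, sizeof out, ',');
    int a = n1 == 12 && strcmp(out, "TCP:[::1]:80") == 0;
    int n2 = nestlex_copy(SAMPLE_NESTED, out, sizeof out, ',');
    return a && n2 == 5 && strcmp(out, "[b,c]") == 0;
}

/* A 699-byte argument, longer than the 512-byte buffer: the check rejects
 * it instead of writing past the end of out[]. */
int oversized_rejected(void) {
    char big[700], out[OUTSIZ];
    memset(big, 'A', sizeof big - 1); big[sizeof big - 1] = '\0';
    return nestlex_copy(big, out, sizeof out, ',') == -1;
}
```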
Arch teams, please test and mark stable: =net-misc/socat/socat-1.7.1.3 Target KEYWORDS="alpha amd64 arm hppa ia64 ppc sparc x86"
Arch teams, please test and mark stable: =net-misc/socat-1.7.1.3 Target KEYWORDS="alpha amd64 arm hppa ia64 ppc sparc x86"
amd64 done
Stable for HPPA PPC.
Nearly perfect. ;) Whiteboard information: http://www.gentoo.org/security/en/vulnerability-policy.xml#doc_chap3
It fails 3 tests on my x86 testbox, but that's due to the lack of tun/tap within my kernel... Another failure is in the ioctl-void-test, but that is also no regression! At the end it works for my usage (socket to port redirection).
(In reply to comment #6)
> It fails 3 tests on my x86 testbox, but that's due to the lack of tun/tap within
> my kernel... Another failure is in the ioctl-void-test, but that is also no
> regression! At the end it works for my usage (socket to port redirection).
The test suite can be very useful, but not to reassure you that it built fine and works well in all circumstances. You're free to review all previous socat stabilisation bug reports for more information, as this isn't anything new, isn't a regression and has an open bug #277104 sitting doing nothing for a good while now.
stable x86, thanks Andreas
arm stable
alpha/ia64/sparc stable
Rerating C2. Closing as noglsa because of the limited vector.
CVE-2010-2799 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2799): Stack-based buffer overflow in the nestlex function in nestlex.c in Socat 1.5.0.0 through 1.7.1.2 and 2.0.0-b1 through 2.0.0-b3, when bidirectional data relay is enabled, allows context-dependent attackers to execute arbitrary code via long command-line arguments.