Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 415977 (CVE-2012-0219) - <net-misc/socat-{1.7.2.1,2.0.0-b5} heap based buffer overflow vulnerability allows arbitrary code execution (CVE-2012-0219)
Summary: <net-misc/socat-{1.7.2.1,2.0.0-b5} heap based buffer overflow vulnerability a...
Status: RESOLVED FIXED
Alias: CVE-2012-0219
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B1 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2012-05-14 19:01 UTC by Jeroen Roovers (RETIRED)
Modified: 2012-08-14 20:50 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Jeroen Roovers (RETIRED) gentoo-dev 2012-05-14 19:01:50 UTC
2012/05/14: A heap based buffer overflow vulnerability has been found with data that happens to be output on the READLINE address. Successful exploitation may allow an attacker to execute arbitrary code with the privileges of the socat process (advisory[1]). Fixed versions are 1.7.2.1 and 2.0.0-b5. Patches are available in the download area.

[1] http://www.dest-unreach.org/socat/contrib/socat-secadv3.html
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2012-05-14 19:03:34 UTC
Arch teams, please test and mark stable:
=net-misc/socat-1.7.2.1
Target KEYWORDS="alpha amd64 arm hppa ia64 ppc sparc x86"
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2012-05-14 22:49:57 UTC
Stable for HPPA.
Comment 3 Tobias Klausmann (RETIRED) gentoo-dev 2012-05-17 19:00:47 UTC
Stable on alpha.
Comment 4 Agostino Sarubbo gentoo-dev 2012-05-18 08:07:48 UTC
amd64 stable
Comment 5 Jeff (JD) Horelick (RETIRED) gentoo-dev 2012-05-18 08:43:05 UTC
x86 stable
Comment 6 Markus Meier gentoo-dev 2012-05-26 10:05:50 UTC
arm stable
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2012-05-26 17:19:46 UTC
ia64/sparc stable
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2012-06-29 21:02:55 UTC
CVE-2012-0219 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0219):
  Heap-based buffer overflow in the xioscan_readline function in
  xio-readline.c in socat 1.4.0.0 through 1.7.2.0 and 2.0.0-b1 through
  2.0.0-b4 allows local users to execute arbitrary code via the READLINE
  address.
Comment 9 Michael Weber (RETIRED) gentoo-dev 2012-07-08 21:50:53 UTC
got ppc stabled by Brent on May 21th
Comment 10 Sean Amoss (RETIRED) gentoo-dev Security 2012-07-11 21:57:08 UTC
Thanks, everyone. 

Filing a new GLSA request.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2012-08-14 20:50:02 UTC
This issue was resolved and addressed in
 GLSA 201208-01 at http://security.gentoo.org/glsa/glsa-201208-01.xml
by GLSA coordinator Sean Amoss (ackle).