Bug 460278 (CVE-2012-2686) - <net-misc/stunnel-4.56-r1: OpenSSL and CONNECT Protocol Negotiation NTLM Authentication Vulnerabilities (CVE-2012-2686,CVE-2013-{0166,0169,1762})
Summary: <net-misc/stunnel-4.56-r1: OpenSSL and CONNECT Protocol Negotiation NTLM Auth...
Status: RESOLVED FIXED
Alias: CVE-2012-2686
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://secunia.com/advisories/52460/
Whiteboard: B2 [glsa]
Keywords:
Depends on: 476674
Blocks:
Reported: 2013-03-04 14:36 UTC by Agostino Sarubbo
Modified: 2014-02-06 16:06 UTC (History)

See Also:
Package list:
Runtime testing required: ---
Description Agostino Sarubbo gentoo-dev 2013-03-04 14:36:36 UTC
From ${URL} :

Description
Some vulnerabilities have been reported in Stunnel, which can be exploited by malicious people to disclose potentially sensitive information, cause a DoS (Denial of Service), and compromise a user's system.

1) The application bundles a vulnerable version of OpenSSL.

For more information:
SA52036

2) An error when handling integer conversions within the NTLM authentication mechanism of the CONNECT protocol negotiation can be exploited to cause a buffer overflow.

Successful exploitation of this vulnerability may allow execution of arbitrary code but requires tricking a user into connecting to a malicious proxy server.

NOTE: This vulnerability only affects versions compiled as a 64-bit executable. 32-bit builds are not vulnerable.

This vulnerability is reported in versions 4.21 through 4.54.


Solution
Update to version 4.55.

Provided and/or discovered by
The vendor credits Mateusz Kocielski, LogicalTrust

Original Advisory
Stunnel:
https://www.stunnel.org/CVE-2013-1762.html
https://www.stunnel.org/sdf_ChangeLog.html
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2013-03-04 21:54:14 UTC
CVE-2013-0169 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0169):
  The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in
  OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider
  timing side-channel attacks on a MAC check requirement during the processing
  of malformed CBC padding, which allows remote attackers to conduct
  distinguishing attacks and plaintext-recovery attacks via statistical
  analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.

CVE-2013-0166 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0166):
  OpenSSL before 0.9.8y, 1.0.0 before 1.0.0k, and 1.0.1 before 1.0.1d does not
  properly perform signature verification for OCSP responses, which allows
  remote attackers to cause a denial of service (NULL pointer dereference and
  application crash) via an invalid key.

CVE-2012-2686 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2686):
  crypto/evp/e_aes_cbc_hmac_sha1.c in the AES-NI functionality in the TLS 1.1
  and 1.2 implementations in OpenSSL 1.0.1 before 1.0.1d allows remote
  attackers to cause a denial of service (application crash) via crafted CBC
  data.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2013-03-21 18:49:54 UTC
CVE-2013-1762 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1762):
  stunnel 4.21 through 4.54, when CONNECT protocol negotiation and NTLM
  authentication are enabled, does not correctly perform integer conversion,
  which allows remote proxy servers to execute arbitrary code via a crafted
  request that triggers a buffer overflow.
Comment 3 Dennis Schridde 2013-04-09 15:15:45 UTC
I think this is fixed in 4.55.
Comment 4 Dennis Schridde 2013-04-09 15:20:32 UTC
(In reply to comment #3)
> I think this is fixed in 4.55.

P.S: 4.56 fixes a regression introduced in 4.55 and the website changed to stunnel.org.
Comment 5 Anthony Basile gentoo-dev 2013-06-16 16:06:16 UTC
I just took maintainership and landed stunnel-4.56 with a fix for bug #451014 which was still outstanding.

Please test and I'll shoot for rapid stabilization in a few days.  We have to get the older versions off the tree.
Comment 6 Anthony Basile gentoo-dev 2013-07-12 14:58:41 UTC
(In reply to Anthony Basile from comment #5)
> I just took maintainership and landed stunnel-4.56 with a fix for bug
> #451014 which was still outstanding.
> 
> Please test and I'll shoot for rapid stabilization in a few days.  We have
> to get the older versions off the tree.

It has been more than a few days:

KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 s390 sparc x86"
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2013-07-13 01:40:03 UTC
(In reply to Anthony Basile from comment #6)
> (In reply to Anthony Basile from comment #5)
> > I just took maintainership and landed stunnel-4.56 with a fix for bug
> > #451014 which was still outstanding.
> > 
> > Please test and I'll shoot for rapid stabilization in a few days.  We have
> > to get the older versions off the tree.
> 
> It has been more than a few days:
> 
> KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 s390 sparc x86"

Please don't make everyone read a couple of comments and combine what they think might be what you're hinting at with elements from the Summary to come up with their own concatenation of what should be the atom you're looking for. Just put it on a single line and in the Summary:

Arch teams, please test and mark stable:
=net-misc/stunnel-4.56
Stable KEYWORDS : alpha amd64 arm hppa ia64 ppc ppc64 s390 sparc x86
Comment 8 Anthony Basile gentoo-dev 2013-07-13 13:01:14 UTC
Arch teams, bug #476674 blocking this has been fixed.  Please proceed with testing and stabilization of =net-misc/stunnel-4.56-r1

Stable KEYWORDS : alpha amd64 arm hppa ia64 ppc ppc64 s390 sparc x86
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2013-07-13 13:48:41 UTC
Stable for HPPA.
Comment 10 Agostino Sarubbo gentoo-dev 2013-07-13 16:54:04 UTC
amd64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2013-07-13 16:54:13 UTC
x86 stable
Comment 12 Agostino Sarubbo gentoo-dev 2013-07-13 18:19:33 UTC
ppc stable
Comment 13 Agostino Sarubbo gentoo-dev 2013-07-13 19:15:41 UTC
ppc64 stable
Comment 14 Agostino Sarubbo gentoo-dev 2013-07-14 14:21:42 UTC
alpha stable
Comment 15 Agostino Sarubbo gentoo-dev 2013-07-14 17:35:31 UTC
arm stable
Comment 16 Agostino Sarubbo gentoo-dev 2013-07-21 15:58:50 UTC
ia64 stable
Comment 17 Agostino Sarubbo gentoo-dev 2013-07-21 17:54:57 UTC
sparc stable
Comment 18 Ulrich Müller gentoo-dev 2013-08-02 15:55:43 UTC
stunnel-3.26 shouldn't be affected by this. The mentioned features don't exist in that version.
Comment 19 Agostino Sarubbo gentoo-dev 2013-08-06 12:35:32 UTC
s390 stable
Comment 20 Chris Reffett (RETIRED) gentoo-dev Security 2013-08-23 14:55:16 UTC
GLSA request filed.
Comment 21 GLSAMaker/CVETool Bot gentoo-dev 2014-02-06 16:06:05 UTC
This issue was resolved and addressed in
 GLSA 201402-08 at http://security.gentoo.org/glsa/glsa-201402-08.xml
by GLSA coordinator Mikle Kolyada (Zlogene).