
Bug 330785 (CVE-2010-2799)

Summary: <net-misc/socat-1.7.1.3: stack overflow vulnerability (CVE-2010-2799)
Product: Gentoo Security
Reporter: Jeroen Roovers (RETIRED) <jer>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: netmon
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.dest-unreach.org/socat/contrib/socat-secadv2.html
Whiteboard: C2 [noglsa]
Package list:
Runtime testing required: ---

Description Jeroen Roovers (RETIRED) gentoo-dev 2010-08-02 02:34:58 UTC
"A stack overflow vulnerability was found that is triggered when command line arguments (complete address specifications, host names, file names) are longer than 512 bytes.

"Successful exploitation allows an attacker to execute arbitrary code with the privileges of the socat process.

"This vulnerability can only be exploited when an attacker is able to inject data into socat's command line.

"A vulnerable scenario would be a CGI script that reads data from clients and uses (parts of) this data as hostname for a socat invocation.

"The problem was caused by a coding error in function nestlex() that rendered the output buffer end check ineffective."
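The bug class the advisory describes, as an added illustration that is not socat's nestlex.c and not part of this bug report: a nestlex-style copier whose end check does not guard the common write path, beside a version that bounds every write, plus the caller-side hostname validation the "CGI script passes client data to socat" scenario calls for. Function names, the 600-byte constructed hostname and the 253-character DNS limit are assumptions of this example; the flawed copier is driven into an oversized local buffer here so the overrun is measurable rather than corrupting the stack.

```c
/* Added example (not socat's code): an ineffective end check in a nested
 * address tokenizer, its bounded replacement, and caller-side validation. */
#include <stddef.h>
#include <string.h>
#include <ctype.h>
#include <stdio.h>

#define ARGBUF 512   /* the 512-byte limit named in the advisory */

/* Copy the leading top-level component of an address spec (up to the first
 * ':' or ',' that is not nested inside [] or ()) into out.
 * FLAWED: the only capacity check sits on the nesting path, so a long run of
 * ordinary characters is copied with no check at all. Returns bytes written
 * so the caller can see how far past cap it went; on a real stack buffer
 * those bytes would overwrite whatever follows it. */
static int nest_copy_flawed(const char *in, char *out, size_t cap)
{
    size_t n = 0;
    int depth = 0;
    for (const char *p = in; *p; p++) {
        if (depth == 0 && (*p == ':' || *p == ',')) break;
        if (*p == '[' || *p == '(') {
            if (n + 1 >= cap) return -1;   /* the end check lives only here */
            depth++;
        } else if ((*p == ']' || *p == ')') && depth > 0) {
            depth--;
        }
        out[n++] = *p;                     /* unchecked on the common path */
    }
    out[n] = '\0';
    return (int)n;
}

/* FIXED: every write, including the terminating NUL, is guarded. Returns -1
 * and leaves a NUL-terminated prefix in out when the input does not fit. */
static int nest_copy_fixed(const char *in, char *out, size_t cap)
{
    size_t n = 0;
    int depth = 0;
    if (cap == 0) return -1;
    for (const char *p = in; *p; p++) {
        if (depth == 0 && (*p == ':' || *p == ',')) break;
        if (*p == '[' || *p == '(') depth++;
        else if ((*p == ']' || *p == ')') && depth > 0) depth--;
        if (n + 1 >= cap) { out[n] = '\0'; return -1; }
        out[n++] = *p;
    }
    out[n] = '\0';
    return (int)n;
}

/* Caller-side check for the CGI scenario, needed whatever socat version is
 * installed: only a plausible DNS name (assumed limit 253 chars, letters,
 * digits, '.' and '-', no leading '-' or '.') reaches the command line.
 * This also keeps socat's separators (':' ',' '!' brackets) and shell
 * metacharacters out of the argument. */
static int hostname_is_safe(const char *s)
{
    size_t len = strlen(s);
    if (len == 0 || len > 253 || s[0] == '-' || s[0] == '.') return 0;
    for (const char *p = s; *p; p++)
        if (!isalnum((unsigned char)*p) && *p != '.' && *p != '-') return 0;
    return 1;
}

/* Drive both copiers with a constructed 600-'A' hostname (longer than the
 * 512-byte limit) into a 512-byte region of an oversized buffer, so the
 * flawed copy stays in bounds here while still reporting how far it went. */
static int copy_long_hostname(int use_fixed)
{
    char out[2 * ARGBUF];
    char host[601];
    memset(host, 'A', 600);
    host[600] = '\0';
    return use_fixed ? nest_copy_fixed(host, out, ARGBUF)
                     : nest_copy_flawed(host, out, ARGBUF);
}

/* Length of the first top-level component as seen by the fixed copier. */
static int first_component_len(const char *spec)
{
    char out[ARGBUF];
    return nest_copy_fixed(spec, out, sizeof out);
}

int main(void)
{
    printf("flawed copier wrote %d bytes into a %d-byte buffer\n",
           copy_long_hostname(0), ARGBUF);
    printf("fixed copier returned %d for the same input\n", copy_long_hostname(1));
    printf("first component of \"TCP:[::1]:80\" is %d chars, of \"[::1]:80\" %d chars\n",
           first_component_len("TCP:[::1]:80"), first_component_len("[::1]:80"));
    printf("hostname check: example.org=%d evil.org:80=%d\n",
           hostname_is_safe("example.org"), hostname_is_safe("evil.org:80"));
    return 0;
}
```

The flawed copier reports 600 bytes written against a 512-byte capacity because no '[' or '(' ever triggers its single check; the fixed copier stops at 511 characters and reports the truncation. The point for anyone wrapping socat in a CGI or similar front end is the third function: the command line is an attacker-reachable input there, so bound and whitelist what goes into it before the binary ever parses it.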
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2010-08-02 02:36:20 UTC
Arch teams, please test and mark stable:
=net-misc/socat/socat-1.7.1.3
Target KEYWORDS="alpha amd64 arm hppa ia64 ppc sparc x86"
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2010-08-02 02:42:10 UTC
Arch teams, please test and mark stable:
=net-misc/socat-1.7.1.3
Target KEYWORDS="alpha amd64 arm hppa ia64 ppc sparc x86"
Comment 3 Markos Chandras (RETIRED) gentoo-dev 2010-08-02 16:02:19 UTC
amd64 done
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2010-08-02 17:27:36 UTC
Stable for HPPA PPC.
Comment 5 Stefan Behte (RETIRED) gentoo-dev Security 2010-08-02 20:12:43 UTC
Nearly perfect. ;)

Whiteboard information:
http://www.gentoo.org/security/en/vulnerability-policy.xml#doc_chap3
Comment 6 Andreas Schürch gentoo-dev 2010-08-03 10:43:40 UTC
It fails 3 tests on my x86 testbox, but that's due to the lack of tun/tap within my kernel... Another failure is in the ioctl-void test, but that is also no regression! At the end it works for my usage (socket to port redirection).
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2010-08-03 15:04:57 UTC
(In reply to comment #6)
> It fails 3 tests on my x86 testbox, but that's due to the lack of tun/tap within
> my kernel... Another failure is in the ioctl-void test, but that is also no
> regression! At the end it works for my usage (socket to port redirection).

The test suite can be very useful, but not to reassure you that it built fine and works well in all circumstances.

You're free to review all previous socat stabilisation bug reports for more information, as this isn't anything new, isn't a regression and has an open bug #277104 sitting doing nothing for a good while now.
Comment 8 Christian Faulhammer (RETIRED) gentoo-dev 2010-08-05 07:50:17 UTC
stable x86, thanks Andreas
Comment 9 Markus Meier gentoo-dev 2010-08-05 19:26:50 UTC
arm stable
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2010-08-07 15:59:29 UTC
alpha/ia64/sparc stable
Comment 11 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-08-11 20:50:51 UTC
Rerating C2. Closing as noglsa because of the limited vector.
Comment 12 Stefan Behte (RETIRED) gentoo-dev Security 2010-10-01 20:29:03 UTC
CVE-2010-2799 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2799):
  Stack-based buffer overflow in the nestlex function in nestlex.c in
  Socat 1.5.0.0 through 1.7.1.2 and 2.0.0-b1 through 2.0.0-b3, when
  bidirectional data relay is enabled, allows context-dependent
  attackers to execute arbitrary code via long command-line arguments.