Bug 330785 (CVE-2010-2799) - <net-misc/socat-1.7.1.3: stack overflow vulnerability (CVE-2010-2799)
Summary: <net-misc/socat-1.7.1.3: stack overflow vulnerability (CVE-2010-2799)
Status: RESOLVED FIXED
Alias: CVE-2010-2799
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://www.dest-unreach.org/socat/con...
Whiteboard: C2 [noglsa]
Reported: 2010-08-02 02:34 UTC by Jeroen Roovers (RETIRED)
Modified: 2010-10-01 20:29 UTC
CC List: 1 user
Description Jeroen Roovers (RETIRED) gentoo-dev 2010-08-02 02:34:58 UTC
"A stack overflow vulnerability was found that is triggered when command line arguments (complete address specifications, host names, file names) are longer than 512 bytes.

"Successful exploitation allows an attacker to execute arbitrary code with the privileges of the socat process.

"This vulnerability can only be exploited when an attacker is able to inject data into socat's command line.

"A vulnerable scenario would be a CGI script that reads data from clients and uses (parts of) this data as hostname for a socat invocation.

"The problem was caused by a coding error in function nestlex() that ineffected the output buffer end check."
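The buffer-end defect in the description, as an added C model that is not socat's nestlex() and not the project's fix (the function names, the delimiter set ":," and the 512-byte buffer are assumptions): a token copy whose end check is applied before every byte written, beside a driver that feeds it a constructed oversized host name.

```c
#include <stddef.h>
#include <string.h>

#define OUTBUF 512  /* assumed buffer size, matching the report's 512-byte threshold */

/* Copy one token from *in into out (capacity outlen, NUL included), stopping at
 * NUL or at any delimiter listed in ends.
 *
 * The defect class from the report is a copy loop whose output-end check is
 * ineffective (wrong pointer compared, or the test made after the loop), so a
 * token longer than the stack buffer overruns it. The fix is the check below,
 * made before every byte is written and keeping a slot for the NUL.
 * Returns the token length, or -1 when it would not fit; in that case out is
 * emptied and *in is not advanced, so the caller can reject the argument. */
static ptrdiff_t lex_token_safe(const char **in, char *out, size_t outlen,
                                const char *ends)
{
    const char *p = *in;
    size_t n = 0;

    if (outlen == 0)
        return -1;
    while (*p != '\0' && strchr(ends, *p) == NULL) {
        if (n + 1 >= outlen) {      /* next byte would consume the NUL slot */
            out[0] = '\0';
            return -1;
        }
        out[n++] = *p++;
    }
    out[n] = '\0';
    *in = p;
    return (ptrdiff_t)n;
}

/* Constructed driver: build "aaaa...:80" with a host of hostlen bytes and lex
 * the host part into a 512-byte stack buffer. Returns the token length, or -1
 * when the lexer rejects it (hosts of 512 bytes or more). */
static ptrdiff_t lex_host_of_len(size_t hostlen)
{
    char arg[1024], buf[OUTBUF];
    const char *p = arg;

    if (hostlen > sizeof arg - 4)   /* keep the constructed argument itself in bounds */
        return -1;
    memset(arg, 'a', hostlen);
    strcpy(arg + hostlen, ":80");
    return lex_token_safe(&p, buf, sizeof buf, ":,");
}
```

A 511-byte host still fits (511 bytes plus the NUL), while 512 bytes or more is rejected with -1 instead of overrunning the buffer.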
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2010-08-02 02:36:20 UTC
Arch teams, please test and mark stable:
=net-misc/socat/socat-1.7.1.3
Target KEYWORDS="alpha amd64 arm hppa ia64 ppc sparc x86"
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2010-08-02 02:42:10 UTC
Arch teams, please test and mark stable:
=net-misc/socat-1.7.1.3
Target KEYWORDS="alpha amd64 arm hppa ia64 ppc sparc x86"
Comment 3 Markos Chandras (RETIRED) gentoo-dev 2010-08-02 16:02:19 UTC
amd64 done
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2010-08-02 17:27:36 UTC
Stable for HPPA PPC.
Comment 5 Stefan Behte (RETIRED) gentoo-dev Security 2010-08-02 20:12:43 UTC
Nearly perfect. ;)

Whiteboard information:
http://www.gentoo.org/security/en/vulnerability-policy.xml#doc_chap3
Comment 6 Andreas Schürch gentoo-dev 2010-08-03 10:43:40 UTC
It fails 3 tests on my x86 testbox, but that's due to the lack of tun/tap within my Kernel... Another failure is in the ioctl-void-test, but that is also no regression! At the end it works for my usage (socket to port redirection).
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2010-08-03 15:04:57 UTC
(In reply to comment #6)
> It fails 3 tests on my x86 testbox, but that's due to the lack of tun/tap within
> my Kernel... Another failure is in the ioctl-void-test, but that is also no
> regression! At the end it works for my usage (socket to port redirection).

The test suite can be very useful, but not to reassure you that it built fine and works well in all circumstances.

You're free to review all previous socat stabilisation bug reports for more information, as this isn't anything new, isn't a regression and has an open bug #277104 sitting doing nothing for a good while now.
Comment 8 Christian Faulhammer (RETIRED) gentoo-dev 2010-08-05 07:50:17 UTC
stable x86, thanks Andreas
Comment 9 Markus Meier gentoo-dev 2010-08-05 19:26:50 UTC
arm stable
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2010-08-07 15:59:29 UTC
alpha/ia64/sparc stable
Comment 11 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-08-11 20:50:51 UTC
Rerating C2. Closing as noglsa because of the limited vector.
Comment 12 Stefan Behte (RETIRED) gentoo-dev Security 2010-10-01 20:29:03 UTC
CVE-2010-2799 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2799):
  Stack-based buffer overflow in the nestlex function in nestlex.c in
  Socat 1.5.0.0 through 1.7.1.2 and 2.0.0-b1 through 2.0.0-b3, when
  bidirectional data relay is enabled, allows context-dependent
  attackers to execute arbitrary code via long command-line arguments.