Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 379859 (CVE-2011-2940) - <net-misc/stunnel-4.44 Unspecified Heap Corruption Vulnerability (CVE-2011-2940)
Summary: <net-misc/stunnel-4.44 Unspecified Heap Corruption Vulnerability (CVE-2011-2940)
Status: RESOLVED FIXED
Alias: CVE-2011-2940
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://www.securelist.com/en/advisori...
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2011-08-19 11:21 UTC by Agostino Sarubbo
Modified: 2012-06-23 21:13 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2011-08-19 11:21:19 UTC
The vulnerability is caused due to an unspecified error and can be exploited to corrupt heap memory.

Solution:
Update to version 4.42.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2011-10-07 22:44:44 UTC
CVE-2011-2940 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2940):
  stunnel 4.40 and 4.41 might allow remote attackers to execute arbitrary code
  or cause a denial of service (heap memory corruption) via unspecified
  vectors.
Comment 2 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-11 13:05:08 UTC
The listen-queue patch is now upstream.

I've had hoped to get the x-forwarded-for patch upstream too, but the author is unsatisfied with it's quality and unwilling to merge it, though there are several people in the haproxy community (including me) using the patch in production without problems. He is actually searching for someone that sponsors him the development of a patch of better quality that does everything right(tm). :/

I'm sorry about that, but in order to be able to provider faster bumps for security fixes, we should punt the x-forwarded-for patch. Beginning with stunnel-4.45, stunnel will have "sendproxy" support, making x-forwarded-for obsolete for the haproxy-community anyways, meaning that there will be much less interest in providing patches for newer stunnel versions.

@ramerath: I'm sorry for the hassle with the package, can you provide an updated ebuild?
Comment 3 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2011-10-11 21:01:05 UTC
stunnel-4.44 in the tree now, with BOTH patches because they are used.
Comment 4 Agostino Sarubbo gentoo-dev 2011-10-11 21:10:31 UTC
Thanks Robin and Stefan.

Arches, please test and mark stable:

=net-misc/stunnel-4.44

target KEYWORDS : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 5 Agostino Sarubbo gentoo-dev 2011-10-11 22:47:32 UTC
@Robin, Lance:

I'm not a guru with this program, but it seems does not working properly; frmo my shell:

amd64box ~ # /etc/init.d/stunnel start
stunnel         | * Starting stunnel ...
stunnel         |No limit detected for the number of clients
stunnel         |signal_pipe: FD=3 allocated (non-blocking mode)
stunnel         |signal_pipe: FD=4 allocated (non-blocking mode)
stunnel         |stunnel 4.44 on x86_64-pc-linux-gnu platform
stunnel         |Compiled/running with OpenSSL 1.0.0e 6 Sep 2011
stunnel         |Threading:PTHREAD SSL:ENGINE Auth:LIBWRAP Sockets:POLL,IPv6
stunnel         |Reading configuration from file /etc/stunnel/stunnel.conf
stunnel         |PRNG seeded successfully
stunnel         |Line 61: End of section stunnel: SSL server needs a certificate
stunnel         |str_stats: 41 block(s), 1478 data byte(s), 2050 control byte(s)                     [ ok ]

Now it seems started:

amd64box ~ # /etc/init.d/stunnel status
 * status: started

but I didn't see pid:

amd64box ~ # ls /var/run/stunnel/
amd64box ~ # 

and ps aux does not returns anything:


amd64box ~ # ps aux | grep stunnel
root     26933  0.0  0.0   6288   576 pts/1    S+   00:46   0:00 grep --colour=auto stunnel


So I think that if is not running, status shouldn't be return [ok].

Can you provide more info to test? or is enough compile test?TIA
Comment 6 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-12 20:44:18 UTC
Please wait with stabilization until further testing of the new ebuild was done.
Comment 7 Agostino Sarubbo gentoo-dev 2011-10-12 21:10:21 UTC
(In reply to comment #6)
> Please wait with stabilization until further testing of the new ebuild was
> done.

I'm available for testing after ebuild changement.
Comment 8 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-20 10:01:49 UTC
The root cause of agos testing failure seems to be that he didn't test with a proper configuration. I'm sorry for not looking into this earlier. stunnel-4.44 works just fine for me.


Arches, please test and mark stable:

=net-misc/stunnel-4.44

target KEYWORDS : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 9 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-20 11:02:47 UTC
Actually adding arches now; please test and mark stable:

=net-misc/stunnel-4.44

target KEYWORDS : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 10 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-20 11:04:04 UTC
Actually adding arches now; please test and mark stable:

=net-misc/stunnel-4.44

target KEYWORDS : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 11 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-10-22 07:22:58 UTC
x86 stable
Comment 12 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-10-22 08:56:50 UTC
ppc/ppc64 stable
Comment 13 Ian Delaney (RETIRED) gentoo-dev 2011-10-22 13:35:25 UTC
amd64

all appears ok; emerges, starts and stops
archtester xen-tools # rc-status |grep stunnel
 stunnel                                                           [  started  ]
Comment 14 Markos Chandras (RETIRED) gentoo-dev 2011-10-22 18:59:06 UTC
amd64 done. Thanks Ian
Comment 15 Markus Meier gentoo-dev 2011-10-23 11:39:48 UTC
arm stable
Comment 16 Jeroen Roovers (RETIRED) gentoo-dev 2011-10-24 11:17:23 UTC
Stable for HPPA.
Comment 17 Raúl Porcel (RETIRED) gentoo-dev 2011-10-29 18:55:41 UTC
alpha/ia64/s390/sparc stable
Comment 18 Agostino Sarubbo gentoo-dev 2011-10-30 18:46:42 UTC
Thanks all. Glsa request filed.
Comment 19 Stefan Behte (RETIRED) gentoo-dev Security 2012-02-29 18:01:53 UTC
Our lazy GLSA bot does not want to update the bug, so I have to do it manually.
GLSA sent. Closing.
Comment 20 Stefan Behte (RETIRED) gentoo-dev Security 2012-02-29 18:02:08 UTC
Now really closing.
Comment 21 GLSAMaker/CVETool Bot gentoo-dev 2012-02-29 18:08:45 UTC
This issue was resolved and addressed in
 GLSA 201202-08 at http://security.gentoo.org/glsa/glsa-201202-08.xml
by GLSA coordinator Stefan Behte (craig).
Comment 22 Ulrich Müller gentoo-dev 2012-02-29 18:53:23 UTC
Today, glsa-check reports that my system would be affected by a vulnerability in net-misc/stunnel-3.26. However, the upstream bug clearly states that only versions 4.40 and 4.41 are affected, so it is a false positive.

Could the GLSA be fixed please, such that stunnel-3* is excepted from the list of vulnerable versions?

Reopening.
Comment 23 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2012-02-29 20:51:44 UTC
(In reply to comment #22)
> 
> Reopening.

File a new bug in the GLSA errors category, please.