Bug 471354 (CVE-2013-3571) - <net-misc/socat-{1.7.2.2,2.0.0_beta6} - FD leak may be misused for denial of service attacks against socat running in server mode (CVE-2013-3571)
Status: RESOLVED FIXED
Alias: CVE-2013-3571
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: C3 [noglsa]
Reported: 2013-05-26 18:43 UTC by Agostino Sarubbo
Modified: 2013-08-21 07:46 UTC
Description Agostino Sarubbo gentoo-dev 2013-05-26 18:43:05 UTC
From ${URL} :

Socat security advisory - FD leak

Overview
  Under certain circumstances an FD leak occurs and can be misused for
  denial of service attacks against socat running in server mode.

Vulnerability Id: CVE-2013-3571

Details
  The issue occurs when a vulnerable version of socat is invoked with a
  listen type address with option fork and one or more of the options
  sourceport, lowport, range, or tcpwrap. When socat refuses a client
  connection due to one of these address or port restrictions it does
  shutdown() the socket but does not close() it, resulting in a file
  descriptor leak in the listening process, visible with command lsof
  and possibly resulting in error EMFILE "Too many open files".

Testcase
  In one terminal run the server:

    socat -d tcp-listen:10000,reuseaddr,fork,range=0.0.0.0/32 pipe

  In a second terminal see which FDs are open, then connect (implicitly
  using a forbidden address), and check if there is a new FD open, e.g.:

    lsof -p $(pgrep socat)
    socat /dev/null tcp:localhost:10000
    lsof -p $(pgrep socat)

  If the second lsof shows an additional FD as in the following line,
  this socat version is vulnerable:

    socat  17947 gerhard  4u  sock  0,6  0t0 1145265 can't identify protocol

Workaround
  Use IP filters in your OS or firewall.
  Restart socat when it crashed.

Affected versions
  1.2.0.0 - 1.7.2.1
  2.0.0-b1 - 2.0.0-b5

Not affected or corrected versions
  1.0.0.0 - 1.1.0.1
  1.7.2.2 and later
  2.0.0-b6 and later

Download
  The updated sources can be downloaded from:

    http://www.dest-unreach.org/socat/download/socat-1.7.2.2.tar.gz
    http://www.dest-unreach.org/socat/download/socat-2.0.0-b6.tar.gz

  Patch to 1.7.2.1:
    http://www.dest-unreach.org/socat/download/socat-1.7.2.2.patch.gz

  Patch to 2.0.0-b5:
    http://www.dest-unreach.org/socat/download/socat-2.0.0-b6.patch.gz

Credits
  Full credits to Catalin Mitrofan for finding and reporting this issue.


@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
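An added example, not socat's own code, modelling the defect the advisory describes: a server-side handler that refuses a client with shutdown() alone leaves the accepted descriptor open in the serving process, while the corrected handler also calls close(). The fake_accept helper is a stand-in for accept() built on a local socketpair, so the demonstration needs no listener or network.

```c
/* Added example (not socat's code) modelling the CVE-2013-3571 defect:
 * shutdown() without close() leaks one descriptor per refused client. */
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* 1 if fd still refers to an open descriptor, 0 once it has been released. */
int fd_is_open(int fd) { return fcntl(fd, F_GETFD) != -1; }

/* Vulnerable pattern: the peer sees EOF, but the descriptor is never
 * returned, so FDs accumulate until EMFILE "Too many open files". */
void refuse_client_leaky(int fd) {
    shutdown(fd, SHUT_RDWR);
    /* missing close(fd) */
}

/* Corrected pattern: shutdown() ends the conversation, close() frees the FD. */
void refuse_client_fixed(int fd) {
    shutdown(fd, SHUT_RDWR);
    if (close(fd) == -1) perror("close");
}

/* Stand-in for accept(): a local socketpair yields a connected socket with
 * no listener or network; the "client" end is closed, the server end kept. */
int fake_accept(void) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1)
        return -1;
    close(sv[1]);
    return sv[0];
}

/* Refuse n clients with the given handler and count descriptors still open
 * afterwards: n for the leaky handler, 0 for the fixed one (-1 on error). */
int leaked_after_refusing(int n, void (*refuse)(int)) {
    int leaked = 0;
    for (int i = 0; i < n; i++) {
        int fd = fake_accept();
        if (fd == -1)
            return -1;
        refuse(fd);
        if (fd_is_open(fd)) { leaked++; close(fd); } /* count, then tidy up */
    }
    return leaked;
}
int main(void) {
    printf("leaky: %d leaked\n", leaked_after_refusing(5, refuse_client_leaky));
    printf("fixed: %d leaked\n", leaked_after_refusing(5, refuse_client_fixed));
    return 0;
}
```

The same check in a running server is what the advisory's lsof test performs from the outside: an extra "can't identify protocol" socket per refused connection.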
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2013-05-27 11:49:46 UTC
Arch teams, please test and mark stable:
=net-misc/socat-1.7.2.2
Stable KEYWORDS : alpha amd64 arm hppa ia64 ppc sparc x86
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2013-05-28 13:09:45 UTC
Stable for HPPA.
Comment 3 Markus Meier gentoo-dev 2013-06-02 09:54:13 UTC
arm stable
Comment 4 Tomáš "tpruzina" Pružina (amd64 [ex]AT) 2013-06-03 14:56:10 UTC
 * QA Notice: Package triggers severe warnings which indicate that it
 *            may exhibit random runtime failures.
 * xio-ip6.c:233:7: warning: dereferencing type-punned pointer will break strict-aliasing rules [-Wstrict-aliasing]
 * filan.c:617:7: warning: dereferencing type-punned pointer will break strict-aliasing rules [-Wstrict-aliasing]
 * filan.c:617:7: warning: dereferencing type-punned pointer will break strict-aliasing rules [-Wstrict-aliasing]
 * filan.c:630:3: warning: dereferencing type-punned pointer will break strict-aliasing rules [-Wstrict-aliasing]
 * filan.c:633:3: warning: dereferencing type-punned pointer will break strict-aliasing rules [-Wstrict-aliasing]
 * filan.c:635:3: warning: dereferencing type-punned pointer will break strict-aliasing rules [-Wstrict-aliasing]
 * filan.c:638:4: warning: dereferencing type-punned pointer will break strict-aliasing rules [-Wstrict-aliasing]
 * filan.c:909:7: warning: dereferencing type-punned pointer will break strict-aliasing rules [-Wstrict-aliasing]
 * filan.c:911:7: warning: dereferencing type-punned pointer will break strict-aliasing rules [-Wstrict-aliasing]

I took a look into the code; it seems that all of these are debug printf's with improper casts, so this should be fine, I guess.

Other than that, amd64: ok
Comment 5 Sergey Popov gentoo-dev 2013-06-04 09:34:26 UTC
amd64 stable, thanks to Tomáš Pružina
x86 stable
Comment 6 Agostino Sarubbo gentoo-dev 2013-06-09 11:32:51 UTC
alpha stable
Comment 7 Agostino Sarubbo gentoo-dev 2013-06-09 11:33:10 UTC
ia64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2013-06-09 11:33:28 UTC
ppc stable
Comment 9 Agostino Sarubbo gentoo-dev 2013-06-09 11:33:46 UTC
sparc stable
Comment 10 Sean Amoss (RETIRED) gentoo-dev Security 2013-08-01 18:11:31 UTC
GLSA vote: no.
Comment 11 Sergey Popov gentoo-dev 2013-08-21 07:46:14 UTC
GLSA vote: no

Closing as noglsa