Bug 821985 (CVE-2013-3571) - VUL-1: CVE-2013-3571: socat: fd leak in server mode
Summary: VUL-1: CVE-2013-3571: socat: fd leak in server mode
Status: RESOLVED FIXED
Alias: CVE-2013-3571
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P4 - Low : Normal
Target Milestone: ---
Assignee: Marcus Meissner
QA Contact: Security Team bot
URL:
Whiteboard: CVSSv2:NVD:CVE-2013-3571:2.6:(AV:N/AC...
Keywords:
Depends on:
Blocks:
 
Reported: 2013-05-28 14:16 UTC by Marcus Meissner
Modified: 2016-10-20 10:24 UTC

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
Fixes CVE-2013-3571 (791 bytes, patch)
2016-02-04 09:14 UTC, Peter Simons

Description Marcus Meissner 2013-05-28 14:16:20 UTC
is public, via socat release

1.7.2.2

  This release fixes a security issue: Under certain circumstances,
  an FD leak occurs and may be misused for denial-of-service attacks
  against socat running in server mode (CVE-2013-3571)
Comment 1 Swamp Workflow Management 2013-05-28 22:00:17 UTC
bugbot adjusting priority
Comment 2 Peter Simons 2016-02-04 08:40:32 UTC
The issue is fixed in commit 022f0a46e63a05f973013ae2d4947e8e7a078154 in git://repo.or.cz/socat.git. The commit also adds a test.sh script that might be useful for testing.
Comment 3 Peter Simons 2016-02-04 08:44:39 UTC
Reproducing & testing the bug is quite easy, actually. These are the instructions from the CVE advisory:

  In one terminal run the server:

    socat -d tcp-listen:10000,reuseaddr,fork,range=0.0.0.0/32 pipe

  In a second terminal see which FDs are open, then connect (implicitly
  using a forbidden address), and check if there is a new FD open, e.g.:

    lsof -p $(pgrep socat)
    socat /dev/null tcp:localhost:10000
    lsof -p $(pgrep socat)

  If the second lsof shows an additional FD as in the following line,
  this socat version is vulnerable:

    socat  17947 gerhard  4u  sock  0,6  0t0 1145265 can't identify protocol
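
Added example, not part of the bug report or of socat: a shell helper that automates the before/after `lsof` comparison from the instructions above and prints only the descriptors that are new in the second snapshot. The function names (`fd_list`, `new_fds`, `check_leak`) are hypothetical, and the two snapshots are constructed apart from the `sock` line quoted in the report.

```shell
#!/bin/sh
# Added example: compare two `lsof -p PID` snapshots and list the
# descriptors that exist only in the second one.

# Reduce lsof output on stdin to "FD TYPE" lines for numeric descriptors,
# skipping the header and pseudo-entries such as cwd, rtd, txt and mem.
fd_list() {
    awk '$4 ~ /^[0-9]+[A-Za-z-]*$/ { fd = $4; sub(/[^0-9]+$/, "", fd); print fd, $5 }' | sort -n
}

# new_fds BEFORE AFTER: print descriptors present in AFTER but not in BEFORE.
new_fds() {
    before=$(printf '%s\n' "$1" | fd_list)
    printf '%s\n' "$2" | fd_list | while read -r fd type; do
        printf '%s\n' "$before" | grep -qxF "$fd $type" || printf '%s %s\n' "$fd" "$type"
    done
}

# check_leak PID PORT: the report's steps against a listening socat server.
# Any output means the rejected connection left a descriptor behind.
check_leak() {
    pre=$(lsof -p "$1")
    socat /dev/null "tcp:localhost:$2" || true   # peer is rejected via range=
    sleep 1
    post=$(lsof -p "$1")
    new_fds "$pre" "$post"
}

# Constructed snapshots; only the final "sock" line comes from the report.
sample_before() { cat <<'EOF'
COMMAND   PID    USER   FD   TYPE  DEVICE SIZE/OFF    NODE NAME
socat   17947 gerhard  cwd    DIR     8,1     4096  131073 /home/gerhard
socat   17947 gerhard    0u   CHR   136,0      0t0       3 /dev/pts/0
socat   17947 gerhard    1u   CHR   136,0      0t0       3 /dev/pts/0
socat   17947 gerhard    2u   CHR   136,0      0t0       3 /dev/pts/0
socat   17947 gerhard    3u  IPv4 1145201      0t0     TCP *:10000 (LISTEN)
EOF
}
sample_after() { sample_before; cat <<'EOF'
socat   17947 gerhard    4u  sock     0,6      0t0 1145265 can't identify protocol
EOF
}

# Demo on the constructed data: prints the single leaked descriptor.
new_fds "$(sample_before)" "$(sample_after)"
```

For a live check, pass the PID of the listening parent process and the port, e.g. `check_leak 17947 10000`; with `fork` in use, `pgrep socat` can return more than one PID.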
Comment 4 Peter Simons 2016-02-04 09:14:51 UTC
Created attachment 664419
Fixes CVE-2013-3571

Minimal change extracted from upstream commit 022f0a46e63a05f973013ae2d4947e8e7a078154.
Comment 6 Swamp Workflow Management 2016-02-05 12:12:09 UTC
SUSE-SU-2016:0343-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 821985,860991,964844
CVE References: CVE-2013-3571,CVE-2014-0019
Sources used:
SUSE Linux Enterprise Server 11-SP4 (src):    socat-1.7.0.0-1.18.2
SUSE Linux Enterprise Desktop 11-SP4 (src):    socat-1.7.0.0-1.18.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    socat-1.7.0.0-1.18.2
Comment 7 Marcus Meissner 2016-02-05 12:22:13 UTC
released