Bugzilla – Bug 860991
VUL-1: CVE-2014-0019: socat: PROXY-CONNECT address overflow
Last modified: 2019-08-28 22:48:51 UTC
Via OSS-sec:

Socat security advisory 5 - PROXY-CONNECT address overflow

Overview
socat's PROXY-CONNECT address is vulnerable to a buffer overflow with data from command line

Vulnerability Id: CVE-2014-0019
Severity: Low

Details
Due to a missing check during assembly of the HTTP request line a long target server name (<hostname> in the documentation) in the PROXY-CONNECT address can cause a stack buffer overrun. Exploitation requires that the attacker is able to provide the target server name to the PROXY-CONNECT address in the command line. This can happen for example in scripts that receive data from untrusted sources.

Testcase
This overflow cannot always be reliably reproduced. It may be helpful to build socat with gcc option -Wp,-D_FORTIFY_SOURCE=2 or to run socat under ElectricFence or another memory checker.

In one terminal run a dummy server because socat first needs to establish a connection:
socat tcp-l:8080,reuseaddr /dev/null

In a second terminal run the check:
socat - PROXY-CONNECT:localhost:$(perl -e "print 'A' x 384"):1,proxyport=8080

If this command terminates with Segmentation Violation, with a buffer overflow message or similar, your version of socat is vulnerable. However, a Connection refused message does not necessarily mean that your version is not vulnerable!

Affected versions
1.3.0.0 - 1.7.2.2
2.0.0-b1 - 2.0.0-b6

Not affected or corrected versions
1.0.0.0 - 1.2.0.0
1.7.2.3 and later
2.0.0-b7 and later

Workaround
Truncate the target server name to a length of 256 characters before passing it to socat's command line

Download
The updated sources can be downloaded from:
http://www.dest-unreach.org/socat/download/socat-1.7.2.3.tar.gz
http://www.dest-unreach.org/socat/download/socat-2.0.0-b7.tar.gz
Patch to 1.7.2.2:
http://www.dest-unreach.org/socat/download/socat-1.7.2.3.patch.gz
Patch to 2.0.0-b6:
http://www.dest-unreach.org/socat/download/socat-2.0.0-b7.patch.gz

Credits
Credits to Florian Weimer of the Red Hat Product Security Team
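As an added illustration (not socat's code and not the upstream fix), the C below assembles a proxy CONNECT request line with the kind of length check the advisory describes as missing; the exact line format, the 256-byte host limit taken from the advisory's workaround, and the buffer sizes are assumptions:

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Illustrative constants (assumptions, not socat's own values). The host
 * limit mirrors the advisory's workaround; the request buffer is sized so
 * that a host of that length always fits. */
#define MAX_HOSTNAME 256
#define REQUEST_BUF  512

/* Assemble "CONNECT <host>:<port> HTTP/1.0\r\n" into out (capacity outlen).
 * Returns true on success. The host length check is the check the advisory
 * reports as missing; the snprintf result check additionally refuses any
 * line that would have been truncated, so the caller never sends a
 * partial request and never writes past the buffer. */
bool build_connect_line(char *out, size_t outlen, const char *host, unsigned port)
{
    size_t hostlen = strlen(host);
    if (hostlen == 0 || hostlen > MAX_HOSTNAME)
        return false;
    int n = snprintf(out, outlen, "CONNECT %s:%u HTTP/1.0\r\n", host, port);
    return n > 0 && (size_t)n < outlen;
}

/* Constructed input: a host name of n 'A' characters (the advisory's test
 * case uses 384). Reports whether the assembler accepts it. */
bool accepts_host_of_length(size_t n)
{
    static char host[1025];
    char line[REQUEST_BUF];
    if (n > sizeof host - 1)
        return false;
    memset(host, 'A', n);
    host[n] = '\0';
    return build_connect_line(line, sizeof line, host, 1);
}

/* Check the exact bytes produced for a given host and port. */
bool connect_line_equals(const char *host, unsigned port, const char *expected)
{
    char line[REQUEST_BUF];
    if (!build_connect_line(line, sizeof line, host, port))
        return false;
    return strcmp(line, expected) == 0;
}

int main(void)
{
    printf("256-byte host accepted: %s\n", accepts_host_of_length(256) ? "yes" : "no");
    printf("384-byte host accepted: %s\n", accepts_host_of_length(384) ? "yes" : "no");
    return 0;
}
```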
overflow on the command line -> VUL-1
Rudy, I am reviewing your submission https://build.opensuse.org/request/show/296733 A reference to this bug is missing there.
openSUSE-SU-2015:0760-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 860991,927161
CVE References: CVE-2014-0019
Sources used:
openSUSE 13.1 (src): socat-1.7.2.4-2.3.1
This issue is fixed by commit 7a348bdfd56f9fbb761b1387698b22b2d0d7f620. The patch also updates the test.sh script included in the distribution, which is helpful to verify that the issue is gone.
Created attachment 664421: Fix CVE-2014-0019
Minimal patch extracted from upstream commit 7a348bdfd56f9fbb761b1387698b22b2d0d7f620.
SUSE-SU-2016:0343-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 821985,860991,964844
CVE References: CVE-2013-3571,CVE-2014-0019
Sources used:
SUSE Linux Enterprise Server 11-SP4 (src): socat-1.7.0.0-1.18.2
SUSE Linux Enterprise Desktop 11-SP4 (src): socat-1.7.0.0-1.18.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src): socat-1.7.0.0-1.18.2
released