svp / rpms / socat

Forked from rpms/socat 4 years ago
Clone

Blame SOURCES/socat-1.7.2.3.patch

a4921f
diff -r -N -U 3 socat-1.7.2.2/CHANGES socat-1.7.2.3/CHANGES
a4921f
--- socat-1.7.2.2/CHANGES	2013-03-25 17:36:42.000000000 +0100
a4921f
+++ socat-1.7.2.3/CHANGES	2014-01-28 18:39:01.000000000 +0100
a4921f
@@ -1,4 +1,11 @@
a4921f
 
a4921f
+####################### V 1.7.2.3:
a4921f
+
a4921f
+security:
a4921f
+	CVE-2014-0019: socats PROXY-CONNECT address was vulnerable to a buffer
a4921f
+	overflow with data from command line (see socat-secadv5.txt)
a4921f
+	Credits to Florian Weimer of the Red Hat Product Security Team
a4921f
+
a4921f
 ####################### V 1.7.2.2:
a4921f
 
a4921f
 security:
a4921f
diff -r -N -U 3 socat-1.7.2.2/VERSION socat-1.7.2.3/VERSION
a4921f
--- socat-1.7.2.2/VERSION	2013-03-25 17:42:07.000000000 +0100
a4921f
+++ socat-1.7.2.3/VERSION	2014-01-28 18:39:01.000000000 +0100
a4921f
@@ -1 +1 @@
a4921f
-"1.7.2.2"
a4921f
+"1.7.2.3"
a4921f
diff -r -N -U 3 socat-1.7.2.2/test.sh socat-1.7.2.3/test.sh
a4921f
--- socat-1.7.2.2/test.sh	2013-03-22 07:43:41.000000000 +0100
a4921f
+++ socat-1.7.2.3/test.sh	2014-01-28 18:39:01.000000000 +0100
a4921f
@@ -49,6 +49,9 @@
a4921f
 #SOCAT_EGD="egd=/dev/egd-pool"
a4921f
 MISCDELAY=1
a4921f
 [ -z "$SOCAT" ] && SOCAT="./socat"
a4921f
+if [ ! -x "$SOCAT" ]; then
a4921f
+    echo "$SOCAT does not exist" >&2; exit 1;
a4921f
+fi
a4921f
 [ -z "$PROCAN" ] && PROCAN="./procan"
a4921f
 [ -z "$FILAN" ] && FILAN="./filan"
a4921f
 opts="$opt_t $OPTS"
a4921f
@@ -10876,6 +10879,56 @@
a4921f
 PORT=$((PORT+1))
a4921f
 N=$((N+1))
a4921f
 
a4921f
+
a4921f
+if false; then	# this overflow is not reliably reproducable
a4921f
+# socat up to 2.0.0-b6 did not check the length of the PROXY-CONNECT command line paramters when copying them into the HTTP request buffer. This could lead to a buffer overflow.
a4921f
+NAME=PROXY_ADDR_OVFL
a4921f
+case "$TESTS" in
a4921f
+*%functions%*|*%bugs%*|*%security%*|*%socket%*|*%$NAME%*)
a4921f
+TEST="$NAME: proxy address parameters overflow"
a4921f
+# invoke socat PROXY-CONNECT with long proxy server and target server names. If it terminates with exit code >= 128 it is vulnerable
a4921f
+# However, even if vulnerable it often does not crash. Therefore we try to use a boundary check program like ElectricFence; only with its help we can tell that clean run proofs absence of vulnerability
a4921f
+if ! eval $NUMCOND; then :; else
a4921f
+tf="$td/test$N.stdout"
a4921f
+te="$td/test$N.stderr"
a4921f
+tdiff="$td/test$N.diff"
a4921f
+da="test$N $(date) $RANDOM"
a4921f
+EF=; for p in ef; do
a4921f
+    if type ef >/dev/null 2>&1; then
a4921f
+	EF="ef "; break
a4921f
+    fi
a4921f
+done
a4921f
+CMD0="$SOCAT $opts TCP-LISTEN:$PORT,reuseaddr FILE:/dev/null"
a4921f
+#CMD1="$EF $SOCAT $opts FILE:/dev/null PROXY-CONNECT:$(perl -e "print 'A' x 256"):$(perl -e "print 'A' x 256"):80"
a4921f
+CMD1="$EF $SOCAT $opts FILE:/dev/null PROXY-CONNECT:localhost:$(perl -e "print 'A' x 384"):80,proxyport=$PORT"
a4921f
+printf "test $F_n $TEST... " $N
a4921f
+$CMD0 >/dev/null 2>"${te}0" &
a4921f
+pid0=$!
a4921f
+waittcp4port $PORT 1
a4921f
+$CMD1 >/dev/null 2>"${te}1"
a4921f
+rc1=$?
a4921f
+if [ $rc1 -lt 128 ]; then
a4921f
+    if [ "$EF" ]; then
a4921f
+	$PRINTF "$OK\n"
a4921f
+	numOK=$((numOK+1))
a4921f
+    else
a4921f
+	$PRINTF "$UNKNOWN $RED(install ElectricFEnce!)$NORMAL\n"
a4921f
+	numCANT=$((num+1))
a4921f
+    fi
a4921f
+else
a4921f
+    $PRINTF "$FAILED\n"
a4921f
+    echo "$CMD1"
a4921f
+    cat "${te}"
a4921f
+    numFAIL=$((numFAIL+1))
a4921f
+fi
a4921f
+fi # NUMCOND
a4921f
+ ;;
a4921f
+esac
a4921f
+PORT=$((PORT+1))
a4921f
+N=$((N+1))
a4921f
+fi	# false
a4921f
+
a4921f
+
a4921f
 ###############################################################################
a4921f
 # here come tests that might affect your systems integrity. Put normal tests
a4921f
 # before this paragraph.
a4921f
diff -r -N -U 3 socat-1.7.2.2/xio-proxy.c socat-1.7.2.3/xio-proxy.c
a4921f
--- socat-1.7.2.2/xio-proxy.c	2011-12-06 08:45:03.000000000 +0100
a4921f
+++ socat-1.7.2.3/xio-proxy.c	2014-01-28 18:39:01.000000000 +0100
a4921f
@@ -1,5 +1,5 @@
a4921f
 /* source: xio-proxy.c */
a4921f
-/* Copyright Gerhard Rieger 2002-2011 */
a4921f
+/* Copyright Gerhard Rieger */
a4921f
 /* Published under the GNU General Public License V.2, see file COPYING */
a4921f
 
a4921f
 /* this file contains the source for opening addresses of HTTP proxy CONNECT
a4921f
@@ -275,8 +275,9 @@
a4921f
 			   struct proxyvars *proxyvars,
a4921f
 			   int level) {
a4921f
    size_t offset;
a4921f
-   char request[CONNLEN];
a4921f
-   char buff[BUFLEN+1];
a4921f
+   char request[CONNLEN];	/* HTTP connection request line */
a4921f
+   int rv;
a4921f
+   char buff[BUFLEN+1];		/* for receiving HTTP reply headers */
a4921f
 #if CONNLEN > BUFLEN
a4921f
 #error not enough buffer space 
a4921f
 #endif
a4921f
@@ -286,8 +287,12 @@
a4921f
    ssize_t sresult;
a4921f
 
a4921f
    /* generate proxy request header - points to final target */
a4921f
-   sprintf(request, "CONNECT %s:%u HTTP/1.0\r\n",
a4921f
-	   proxyvars->targetaddr, proxyvars->targetport);
a4921f
+   rv = snprintf(request, CONNLEN, "CONNECT %s:%u HTTP/1.0\r\n",
a4921f
+		 proxyvars->targetaddr, proxyvars->targetport);
a4921f
+   if (rv >= CONNLEN || rv < 0) {
a4921f
+      Error("_xioopen_proxy_connect(): PROXY CONNECT buffer too small");
a4921f
+      return -1;
a4921f
+   }
a4921f
 
a4921f
    /* send proxy CONNECT request (target addr+port) */
a4921f
    * xiosanitize(request, strlen(request), textbuff) = '\0';