summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--meta/recipes-connectivity/socat/socat/CVE-2016-2217.patch372
-rw-r--r--meta/recipes-connectivity/socat/socat_1.7.3.0.bb1
2 files changed, 373 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/socat/socat/CVE-2016-2217.patch b/meta/recipes-connectivity/socat/socat/CVE-2016-2217.patch
new file mode 100644
index 0000000000..0cd417944f
--- /dev/null
+++ b/meta/recipes-connectivity/socat/socat/CVE-2016-2217.patch
@@ -0,0 +1,372 @@
1Upstream-Status: Backport
2
3http://www.dest-unreach.org/socat/download/socat-1.7.3.1.patch
4
5CVE: CVE-2016-2217
6[Yocto # 9024]
7Singed-off-by: Armin Kuster <akuster@mvista.com>
8
9Index: socat-1.7.3.0/CHANGES
10===================================================================
11--- socat-1.7.3.0.orig/CHANGES
12+++ socat-1.7.3.0/CHANGES
13@@ -1,8 +1,39 @@
14
15+####################### V 1.7.3.1:
16+
17+security:
18+ Socat security advisory 8
19+ A stack overflow in vulnerability was found that can be triggered when
20+ command line arguments (complete address specifications, host names,
21+ file names) are longer than 512 bytes.
22+ Successful exploitation might allow an attacker to execute arbitrary
23+ code with the privileges of the socat process.
24+ This vulnerability can only be exploited when an attacker is able to
25+ inject data into socat's command line.
26+ A vulnerable scenario would be a CGI script that reads data from clients
27+ and uses (parts of) this data as hostname for a Socat invocation.
28+ Test: NESTEDOVFL
29+ Credits to Takumi Akiyama for finding and reporting this issue.
30+
31+ Socat security advisory 7
32+ MSVR-1499
33+ In the OpenSSL address implementation the hard coded 1024 bit DH p
34+ parameter was not prime. The effective cryptographic strength of a key
35+ exchange using these parameters was weaker than the one one could get by
36+ using a prime p. Moreover, since there is no indication of how these
37+ parameters were chosen, the existence of a trapdoor that makes possible
38+ for an eavesdropper to recover the shared secret from a key exchange
39+ that uses them cannot be ruled out.
40+ Futhermore, 1024bit is not considered sufficiently secure.
41+ Fix: generated a new 2048bit prime.
42+ Thanks to Santiago Zanella-Beguelin and Microsoft Vulnerability
43+ Research (MSVR) for finding and reporting this issue.
44+
45 ####################### V 1.7.3.0:
46
47 security:
48- (CVE Id pending)
49+ Socat security advisory 6
50+ CVE-2015-1379: Possible DoS with fork
51 Fixed problems with signal handling caused by use of not async signal
52 safe functions in signal handlers that could freeze socat, allowing
53 denial of service attacks.
54@@ -240,6 +271,7 @@ docu:
55 ####################### V 1.7.2.3:
56
57 security:
58+ Socat security advisory 5
59 CVE-2014-0019: socats PROXY-CONNECT address was vulnerable to a buffer
60 overflow with data from command line (see socat-secadv5.txt)
61 Credits to Florian Weimer of the Red Hat Product Security Team
62@@ -247,6 +279,7 @@ security:
63 ####################### V 1.7.2.2:
64
65 security:
66+ Socat security advisory 4
67 CVE-2013-3571:
68 after refusing a client connection due to bad source address or source
69 port socat shutdown() the socket but did not close() it, resulting in
70@@ -258,6 +291,7 @@ security:
71 ####################### V 1.7.2.1:
72
73 security:
74+ Socat security advisory 3
75 CVE-2012-0219:
76 fixed a possible heap buffer overflow in the readline address. This bug
77 could be exploited when all of the following conditions were met:
78@@ -391,6 +425,7 @@ docu:
79 ####################### V 1.7.1.3:
80
81 security:
82+ Socat security advisory 2
83 CVE-2010-2799:
84 fixed a stack overflow vulnerability that occurred when command
85 line arguments (whole addresses, host names, file names) were longer
86@@ -892,6 +927,7 @@ further corrections:
87 ####################### V 1.4.0.3:
88
89 security:
90+ Socat security advisory 1
91 CVE-2004-1484:
92 fix to a syslog() based format string vulnerability that can lead to
93 remote code execution. See advisory socat-adv-1.txt
94Index: socat-1.7.3.0/VERSION
95===================================================================
96--- socat-1.7.3.0.orig/VERSION
97+++ socat-1.7.3.0/VERSION
98@@ -1 +1 @@
99-"1.7.3.0"
100+"1.7.3.1"
101Index: socat-1.7.3.0/nestlex.c
102===================================================================
103--- socat-1.7.3.0.orig/nestlex.c
104+++ socat-1.7.3.0/nestlex.c
105@@ -1,5 +1,5 @@
106 /* source: nestlex.c */
107-/* Copyright Gerhard Rieger 2006-2010 */
108+/* Copyright Gerhard Rieger */
109 /* Published under the GNU General Public License V.2, see file COPYING */
110
111 /* a function for lexical scanning of nested character patterns */
112@@ -9,6 +9,17 @@
113
114 #include "sysincludes.h"
115
116+static int _nestlex(const char **addr,
117+ char **token,
118+ ptrdiff_t *len,
119+ const char *ends[],
120+ const char *hquotes[],
121+ const char *squotes[],
122+ const char *nests[],
123+ bool dropquotes,
124+ bool c_esc,
125+ bool html_esc
126+ );
127
128 /* sub: scan a string and copy its value to output string
129 end scanning when an unescaped, unnested string from ends array is found
130@@ -33,6 +44,22 @@ int nestlex(const char **addr, /* input
131 bool c_esc, /* solve C char escapes: \n \t \0 etc */
132 bool html_esc /* solve HTML char escapes: %0d %08 etc */
133 ) {
134+ return
135+ _nestlex(addr, token, (ptrdiff_t *)len, ends, hquotes, squotes, nests,
136+ dropquotes, c_esc, html_esc);
137+}
138+
139+static int _nestlex(const char **addr,
140+ char **token,
141+ ptrdiff_t *len,
142+ const char *ends[],
143+ const char *hquotes[],
144+ const char *squotes[],
145+ const char *nests[],
146+ bool dropquotes,
147+ bool c_esc,
148+ bool html_esc
149+ ) {
150 const char *in = *addr; /* pointer into input string */
151 const char **endx; /* loops over end patterns */
152 const char **quotx; /* loops over quote patterns */
153@@ -77,16 +104,18 @@ int nestlex(const char **addr, /* input
154 if (--*len <= 0) { *addr = in; *token = out; return -1; }
155 }
156 }
157- /* we call nestlex recursively */
158+ /* we call _nestlex recursively */
159 endnest[0] = *quotx;
160 endnest[1] = NULL;
161 result =
162- nestlex(&in, &out, len, endnest, NULL/*hquotes*/,
163+ _nestlex(&in, &out, len, endnest, NULL/*hquotes*/,
164 NULL/*squotes*/, NULL/*nests*/,
165 false, c_esc, html_esc);
166 if (result == 0 && dropquotes) {
167 /* we strip this quote */
168 in += strlen(*quotx);
169+ } else if (result < 0) {
170+ *addr = in; *token = out; return result;
171 } else {
172 /* we copy the trailing quote */
173 for (i = strlen(*quotx); i > 0; --i) {
174@@ -110,7 +139,7 @@ int nestlex(const char **addr, /* input
175 if (!strncmp(in, *quotx, strlen(*quotx))) {
176 /* this quote pattern matches */
177 /* we strip this quote */
178- /* we call nestlex recursively */
179+ /* we call _nestlex recursively */
180 const char *endnest[2];
181 if (dropquotes) {
182 /* we strip this quote */
183@@ -124,13 +153,15 @@ int nestlex(const char **addr, /* input
184 endnest[0] = *quotx;
185 endnest[1] = NULL;
186 result =
187- nestlex(&in, &out, len, endnest, hquotes,
188+ _nestlex(&in, &out, len, endnest, hquotes,
189 squotes, nests,
190 false, c_esc, html_esc);
191
192 if (result == 0 && dropquotes) {
193 /* we strip the trailing quote */
194 in += strlen(*quotx);
195+ } else if (result < 0) {
196+ *addr = in; *token = out; return result;
197 } else {
198 /* we copy the trailing quote */
199 for (i = strlen(*quotx); i > 0; --i) {
200@@ -162,7 +193,7 @@ int nestlex(const char **addr, /* input
201 }
202
203 result =
204- nestlex(&in, &out, len, endnest, hquotes, squotes, nests,
205+ _nestlex(&in, &out, len, endnest, hquotes, squotes, nests,
206 false, c_esc, html_esc);
207 if (result == 0) {
208 /* copy endnest */
209@@ -175,6 +206,8 @@ int nestlex(const char **addr, /* input
210 }
211 --i;
212 }
213+ } else if (result < 0) {
214+ *addr = in; *token = out; return result;
215 }
216 break;
217 }
218@@ -211,7 +244,7 @@ int nestlex(const char **addr, /* input
219 }
220 *out++ = c;
221 --*len;
222- if (*len == 0) {
223+ if (*len <= 0) {
224 *addr = in;
225 *token = out;
226 return -1; /* output overflow */
227@@ -222,7 +255,7 @@ int nestlex(const char **addr, /* input
228 /* just a simple char */
229 *out++ = c;
230 --*len;
231- if (*len == 0) {
232+ if (*len <= 0) {
233 *addr = in;
234 *token = out;
235 return -1; /* output overflow */
236Index: socat-1.7.3.0/nestlex.h
237===================================================================
238--- socat-1.7.3.0.orig/nestlex.h
239+++ socat-1.7.3.0/nestlex.h
240@@ -1,5 +1,5 @@
241 /* source: nestlex.h */
242-/* Copyright Gerhard Rieger 2006 */
243+/* Copyright Gerhard Rieger */
244 /* Published under the GNU General Public License V.2, see file COPYING */
245
246 #ifndef __nestlex_h_included
247Index: socat-1.7.3.0/socat.spec
248===================================================================
249--- socat-1.7.3.0.orig/socat.spec
250+++ socat-1.7.3.0/socat.spec
251@@ -1,6 +1,6 @@
252
253 %define majorver 1.7
254-%define minorver 3.0
255+%define minorver 3.1
256
257 Summary: socat - multipurpose relay
258 Name: socat
259Index: socat-1.7.3.0/test.sh
260===================================================================
261--- socat-1.7.3.0.orig/test.sh
262+++ socat-1.7.3.0/test.sh
263@@ -2266,8 +2266,8 @@ gentestcert () {
264 gentestdsacert () {
265 local name="$1"
266 if [ -s $name.key -a -s $name.crt -a -s $name.pem ]; then return; fi
267- openssl dsaparam -out $name-dsa.pem 512 >/dev/null 2>&1
268- openssl dhparam -dsaparam -out $name-dh.pem 512 >/dev/null 2>&1
269+ openssl dsaparam -out $name-dsa.pem 1024 >/dev/null 2>&1
270+ openssl dhparam -dsaparam -out $name-dh.pem 1024 >/dev/null 2>&1
271 openssl req -newkey dsa:$name-dsa.pem -keyout $name.key -nodes -x509 -config $TESTCERT_CONF -out $name.crt -days 3653 >/dev/null 2>&1
272 cat $name-dsa.pem $name-dh.pem $name.key $name.crt >$name.pem
273 }
274@@ -10973,6 +10973,42 @@ CMD0="$TRACE $SOCAT $opts OPENSSL:localh
275 printf "test $F_n $TEST... " $N
276 $CMD0 </dev/null 1>&0 2>"${te}0"
277 rc0=$?
278+if [ $rc0 -lt 128 ] || [ $rc0 -eq 255 ]; then
279+ $PRINTF "$OK\n"
280+ numOK=$((numOK+1))
281+else
282+ $PRINTF "$FAILED\n"
283+ echo "$CMD0"
284+ cat "${te}0"
285+ numFAIL=$((numFAIL+1))
286+ listFAIL="$listFAIL $N"
287+fi
288+fi # NUMCOND
289+ ;;
290+esac
291+PORT=$((PORT+1))
292+N=$((N+1))
293+
294+# socat up to 1.7.3.0 had a stack overflow vulnerability that occurred when
295+# command line arguments (whole addresses, host names, file names) were longer
296+# than 512 bytes and specially crafted.
297+NAME=NESTEDOVFL
298+case "$TESTS" in
299+*%$N%*|*%functions%*|*%bugs%*|*%security%*|*%exec%*|*%$NAME%*)
300+TEST="$NAME: stack overflow on overly long nested arg"
301+# provide a long host name to TCP-CONNECT and check socats exit code
302+if ! eval $NUMCOND; then :; else
303+tf="$td/test$N.stdout"
304+te="$td/test$N.stderr"
305+tdiff="$td/test$N.diff"
306+da="test$N $(date) $RANDOM"
307+# prepare long data - perl might not be installed
308+rm -f "$td/test$N.dat"
309+i=0; while [ $i -lt 64 ]; do echo -n "AAAAAAAAAAAAAAAA" >>"$td/test$N.dat"; i=$((i+1)); done
310+CMD0="$TRACE $SOCAT $opts EXEC:[$(cat "$td/test$N.dat")] STDIO"
311+printf "test $F_n $TEST... " $N
312+$CMD0 </dev/null 1>&0 2>"${te}0"
313+rc0=$?
314 if [ $rc0 -lt 128 ] || [ $rc0 -eq 255 ]; then
315 $PRINTF "$OK\n"
316 numOK=$((numOK+1))
317Index: socat-1.7.3.0/xio-openssl.c
318===================================================================
319--- socat-1.7.3.0.orig/xio-openssl.c
320+++ socat-1.7.3.0/xio-openssl.c
321@@ -912,20 +912,27 @@ int
322 }
323
324 {
325- static unsigned char dh1024_p[] = {
326- 0xCC,0x17,0xF2,0xDC,0x96,0xDF,0x59,0xA4,0x46,0xC5,0x3E,0x0E,
327- 0xB8,0x26,0x55,0x0C,0xE3,0x88,0xC1,0xCE,0xA7,0xBC,0xB3,0xBF,
328- 0x16,0x94,0xD8,0xA9,0x45,0xA2,0xCE,0xA9,0x5B,0x22,0x25,0x5F,
329- 0x92,0x59,0x94,0x1C,0x22,0xBF,0xCB,0xC8,0xC8,0x57,0xCB,0xBF,
330- 0xBC,0x0E,0xE8,0x40,0xF9,0x87,0x03,0xBF,0x60,0x9B,0x08,0xC6,
331- 0x8E,0x99,0xC6,0x05,0xFC,0x00,0xD6,0x6D,0x90,0xA8,0xF5,0xF8,
332- 0xD3,0x8D,0x43,0xC8,0x8F,0x7A,0xBD,0xBB,0x28,0xAC,0x04,0x69,
333- 0x4A,0x0B,0x86,0x73,0x37,0xF0,0x6D,0x4F,0x04,0xF6,0xF5,0xAF,
334- 0xBF,0xAB,0x8E,0xCE,0x75,0x53,0x4D,0x7F,0x7D,0x17,0x78,0x0E,
335- 0x12,0x46,0x4A,0xAF,0x95,0x99,0xEF,0xBC,0xA6,0xC5,0x41,0x77,
336- 0x43,0x7A,0xB9,0xEC,0x8E,0x07,0x3C,0x6D,
337+ static unsigned char dh2048_p[] = {
338+ 0x00,0xdc,0x21,0x64,0x56,0xbd,0x9c,0xb2,0xac,0xbe,0xc9,0x98,0xef,0x95,0x3e,
339+ 0x26,0xfa,0xb5,0x57,0xbc,0xd9,0xe6,0x75,0xc0,0x43,0xa2,0x1c,0x7a,0x85,0xdf,
340+ 0x34,0xab,0x57,0xa8,0xf6,0xbc,0xf6,0x84,0x7d,0x05,0x69,0x04,0x83,0x4c,0xd5,
341+ 0x56,0xd3,0x85,0x09,0x0a,0x08,0xff,0xb5,0x37,0xa1,0xa3,0x8a,0x37,0x04,0x46,
342+ 0xd2,0x93,0x31,0x96,0xf4,0xe4,0x0d,0x9f,0xbd,0x3e,0x7f,0x9e,0x4d,0xaf,0x08,
343+ 0xe2,0xe8,0x03,0x94,0x73,0xc4,0xdc,0x06,0x87,0xbb,0x6d,0xae,0x66,0x2d,0x18,
344+ 0x1f,0xd8,0x47,0x06,0x5c,0xcf,0x8a,0xb5,0x00,0x51,0x57,0x9b,0xea,0x1e,0xd8,
345+ 0xdb,0x8e,0x3c,0x1f,0xd3,0x2f,0xba,0x1f,0x5f,0x3d,0x15,0xc1,0x3b,0x2c,0x82,
346+ 0x42,0xc8,0x8c,0x87,0x79,0x5b,0x38,0x86,0x3a,0xeb,0xfd,0x81,0xa9,0xba,0xf7,
347+ 0x26,0x5b,0x93,0xc5,0x3e,0x03,0x30,0x4b,0x00,0x5c,0xb6,0x23,0x3e,0xea,0x94,
348+ 0xc3,0xb4,0x71,0xc7,0x6e,0x64,0x3b,0xf8,0x92,0x65,0xad,0x60,0x6c,0xd4,0x7b,
349+ 0xa9,0x67,0x26,0x04,0xa8,0x0a,0xb2,0x06,0xeb,0xe0,0x7d,0x90,0xdd,0xdd,0xf5,
350+ 0xcf,0xb4,0x11,0x7c,0xab,0xc1,0xa3,0x84,0xbe,0x27,0x77,0xc7,0xde,0x20,0x57,
351+ 0x66,0x47,0xa7,0x35,0xfe,0x0d,0x6a,0x1c,0x52,0xb8,0x58,0xbf,0x26,0x33,0x81,
352+ 0x5e,0xb7,0xa9,0xc0,0xee,0x58,0x11,0x74,0x86,0x19,0x08,0x89,0x1c,0x37,0x0d,
353+ 0x52,0x47,0x70,0x75,0x8b,0xa8,0x8b,0x30,0x11,0x71,0x36,0x62,0xf0,0x73,0x41,
354+ 0xee,0x34,0x9d,0x0a,0x2b,0x67,0x4e,0x6a,0xa3,0xe2,0x99,0x92,0x1b,0xf5,0x32,
355+ 0x73,0x63
356 };
357- static unsigned char dh1024_g[] = {
358+ static unsigned char dh2048_g[] = {
359 0x02,
360 };
361 DH *dh;
362@@ -938,8 +945,8 @@ int
363 }
364 Error("DH_new() failed");
365 } else {
366- dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
367- dh->g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);
368+ dh->p = BN_bin2bn(dh2048_p, sizeof(dh2048_p), NULL);
369+ dh->g = BN_bin2bn(dh2048_g, sizeof(dh2048_g), NULL);
370 if ((dh->p == NULL) || (dh->g == NULL)) {
371 while (err = ERR_get_error()) {
372 Warn1("BN_bin2bn(): %s",
diff --git a/meta/recipes-connectivity/socat/socat_1.7.3.0.bb b/meta/recipes-connectivity/socat/socat_1.7.3.0.bb
index b58e0a73ea..6d76d0fd0b 100644
--- a/meta/recipes-connectivity/socat/socat_1.7.3.0.bb
+++ b/meta/recipes-connectivity/socat/socat_1.7.3.0.bb
@@ -14,6 +14,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
14 14
15SRC_URI = "http://www.dest-unreach.org/socat/download/socat-${PV}.tar.bz2 \ 15SRC_URI = "http://www.dest-unreach.org/socat/download/socat-${PV}.tar.bz2 \
16 file://Makefile.in-fix-for-parallel-build.patch \ 16 file://Makefile.in-fix-for-parallel-build.patch \
17 file://CVE-2016-2217.patch \
17" 18"
18 19
19SRC_URI[md5sum] = "b607edb65bc6c57f4a43f06247504274" 20SRC_URI[md5sum] = "b607edb65bc6c57f4a43f06247504274"