Hello community,

here is the log from the commit of package socat for openSUSE:Factory checked 
in at 2016-02-07 09:21:48
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/socat (Old)
 and      /work/SRC/openSUSE:Factory/.socat.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "socat"

Changes:
--------
--- /work/SRC/openSUSE:Factory/socat/socat.changes      2015-03-29 
20:15:24.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.socat.new/socat.changes 2016-02-07 
09:21:49.000000000 +0100
@@ -1,0 +2,23 @@
+Tue Feb  2 12:19:40 UTC 2016 - [email protected]
+
+- update to 1.7.3.1, security fixes:
+  * Socat security advisory 7 and MSVR-1499: "Bad DH p parameter in
+    OpenSSL" 
+  * Socat security advisory 8: "Stack overflow in arguments parser" 
+
+-------------------------------------------------------------------
+Mon Apr 20 05:54:10 UTC 2015 - [email protected]
+
+- test-suite, use a small but safe subset of all tests
+- don't remove "example" scripts from builddir, they are needed for
+  tests
+
+-------------------------------------------------------------------
+Tue Apr 14 15:57:19 UTC 2015 - [email protected]
+
+- remove socat-remove_date.patch, export BUILD_DATE instead
+  (new feature since 1.7.2.4)
+- run tests, don't abort yet
+- require tcpd-devel only on SUSE systems at build time
+
+-------------------------------------------------------------------

Old:
----
  socat-1.7.3.0.tar.bz2
  socat-remove_date.patch

New:
----
  socat-1.7.3.1.tar.bz2

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ socat.spec ++++++
--- /var/tmp/diff_new_pack.AUd2Ej/_old  2016-02-07 09:21:50.000000000 +0100
+++ /var/tmp/diff_new_pack.AUd2Ej/_new  2016-02-07 09:21:50.000000000 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package socat
 #
-# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
 # Copyright (c) 2010 Pascal Bleser <[email protected]>
 #
 # All modifications and additions to the file contributed by third parties
@@ -21,15 +21,28 @@
 BuildRequires:  openssl-devel
 BuildRequires:  procps
 BuildRequires:  readline-devel
+%if 0%{?suse_version}
 BuildRequires:  tcpd-devel
-Version:        1.7.3.0
+%endif
+# begin: test deps: (ip, ping, ping6, netstat, /etc/services)
+%if 0%{?suse_version}
+BuildRequires:  iproute2
+BuildRequires:  netcfg
+%endif
+BuildRequires:  iputils
+BuildRequires:  net-tools
+%if 0%{?suse_version} >= 1330
+BuildRequires:  net-tools-deprecated
+%endif
+# end: test deps
+Version:        1.7.3.1
 Release:        0
 Url:            http://www.dest-unreach.org/socat/
 Summary:        Multipurpose relay for bidirectional data transfer
 License:        SUSE-GPL-2.0-with-openssl-exception and MIT
 Group:          Productivity/Networking/Other
 Source:         
http://www.dest-unreach.org/socat/download/%{name}-%{version}.tar.bz2
-Patch1:         socat-remove_date.patch
+Source1:        %{name}.changes
 Patch2:         fix-linux-errqueue.h-not-found.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 
@@ -43,15 +56,18 @@
 
 %prep
 %setup
-%patch1 -p1
 %patch2 -p1
 
 %build
+# export deterministic BUILD_DATE, format like "__DATE__ __TIME__"
+CL_DATE="$(awk -F " - " 'NR==2{print $1;}' %{SOURCE1})"
+test -n "$CL_DATE"
+export BUILD_DATE="$(LANG=C date --utc -d "${CL_DATE}" +"%b %e %Y %T")"
 export RPM_OPT_FLAGS="%{optflags} -fno-strict-aliasing"
 %configure
 %{__make} all
 mkdir examples
-mv daemon.sh ftp.sh mail.sh proxyecho.sh readline.sh examples
+cp -a daemon.sh ftp.sh mail.sh proxyecho.sh readline.sh examples
 
 %install
 mkdir -p \
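Review bot: In the added `%build` lines, `export BUILD_DATE="$(LANG=C date ...)"` hides a failing `date`, because the statement's exit status is that of `export`, not of the command substitution; only `CL_DATE` is checked with `test -n`. If the second line of the changes file ever fails to parse as a date, the build would continue with an empty `BUILD_DATE` and presumably lose the deterministic timestamp this change is meant to provide. Assign first and check the result: `BUILD_DATE="$(LANG=C date --utc -d "${CL_DATE}" +"%b %e %Y %T")"`, then `test -n "$BUILD_DATE"` and `export BUILD_DATE`.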
@@ -59,6 +75,19 @@
        ${RPM_BUILD_ROOT}/%{_mandir}/man1
 %{__make} DESTDIR=${RPM_BUILD_ROOT} install
 
+%check
+export TERM=ansi
+# use a small but safe subset of all tests
+sotests="filan consistency stdio fd pipe pipes exec gopen noatime system"
+%ifnarch armv6l armv6hl aarch64
+# add some more tests for fast machines only
+sotests+=" unix"
+%endif
+# increase socket shutdown timeout, default 0.1 or 0.5 caused sometimes
+# random failures on slow machines (armv6l, aarch64)
+export OPTS="-t 2"
+./test.sh $sotests
+
 %files
 %defattr(-,root,root)
 %doc BUGREPORTS CHANGES COPYING COPYING.OpenSSL DEVELOPMENT EXAMPLES FAQ FILES 
PORTING README SECURITY VERSION examples
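Review bot: The `sotests` list in the new `%check` section needs a comment recording that the `exec` keyword is what selects the NESTEDOVFL regression test for security advisory 8; the test's `case` pattern in test.sh, added in this same update, matches `%exec%`. Without it, a later trim of the "small but safe subset" could drop the only build-time check for the stack overflow fix unnoticed. Something like `# keep "exec": it selects NESTEDOVFL, the regression test for socat security advisory 8` above the assignment would do. How test.sh turns its arguments into `$TESTS` is not visible here, so this assumes the keywords map directly.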

++++++ socat-1.7.3.0.tar.bz2 -> socat-1.7.3.1.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/socat-1.7.3.0/CHANGES new/socat-1.7.3.1/CHANGES
--- old/socat-1.7.3.0/CHANGES   2015-01-24 17:22:09.000000000 +0100
+++ new/socat-1.7.3.1/CHANGES   2016-01-29 11:29:36.000000000 +0100
@@ -1,8 +1,39 @@
 
+####################### V 1.7.3.1:
+
+security:
+       Socat security advisory 8
+       A stack overflow in vulnerability was found that can be triggered when
+       command line arguments (complete address specifications, host names,
+       file names) are longer than 512 bytes.
+       Successful exploitation might allow an attacker to execute arbitrary
+       code with the privileges of the socat process.
+       This vulnerability can only be exploited when an attacker is able to
+       inject data into socat's command line.
+       A vulnerable scenario would be a CGI script that reads data from clients
+       and uses (parts of) this data as hostname for a Socat invocation.
+       Test: NESTEDOVFL
+       Credits to Takumi Akiyama for finding and reporting this issue.
+
+       Socat security advisory 7
+       MSVR-1499
+       In the OpenSSL address implementation the hard coded 1024 bit DH p
+       parameter was not prime. The effective cryptographic strength of a key
+       exchange using these parameters was weaker than the one one could get by
+       using a prime p. Moreover, since there is no indication of how these
+       parameters were chosen, the existence of a trapdoor that makes possible
+       for an eavesdropper to recover the shared secret from a key exchange
+       that uses them cannot be ruled out.
+       Futhermore, 1024bit is not considered sufficiently secure.
+       Fix: generated a new 2048bit prime.
+       Thanks to Santiago Zanella-Beguelin and Microsoft Vulnerability
+       Research (MSVR) for finding and reporting this issue.
+
 ####################### V 1.7.3.0:
 
 security:
-       (CVE Id pending)
+       Socat security advisory 6
+       CVE-2015-1379: Possible DoS with fork
        Fixed problems with signal handling caused by use of not async signal
        safe functions in signal handlers that could freeze socat, allowing
        denial of service attacks.
@@ -240,6 +271,7 @@
 ####################### V 1.7.2.3:
 
 security:
+       Socat security advisory 5
        CVE-2014-0019: socats PROXY-CONNECT address was vulnerable to a buffer
        overflow with data from command line (see socat-secadv5.txt)
        Credits to Florian Weimer of the Red Hat Product Security Team
@@ -247,6 +279,7 @@
 ####################### V 1.7.2.2:
 
 security:
+       Socat security advisory 4
        CVE-2013-3571:
        after refusing a client connection due to bad source address or source
        port socat shutdown() the socket but did not close() it, resulting in
@@ -258,6 +291,7 @@
 ####################### V 1.7.2.1:
 
 security:
+       Socat security advisory 3
        CVE-2012-0219:
        fixed a possible heap buffer overflow in the readline address. This bug
        could be exploited when all of the following conditions were met:
@@ -391,6 +425,7 @@
 ####################### V 1.7.1.3:
 
 security:
+       Socat security advisory 2
        CVE-2010-2799:
        fixed a stack overflow vulnerability that occurred when command
        line arguments (whole addresses, host names, file names) were longer
@@ -892,6 +927,7 @@
 ####################### V 1.4.0.3:
 
 security:
+       Socat security advisory 1
        CVE-2004-1484:
        fix to a syslog() based format string vulnerability that can lead to
        remote code execution. See advisory socat-adv-1.txt
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/socat-1.7.3.0/VERSION new/socat-1.7.3.1/VERSION
--- old/socat-1.7.3.0/VERSION   2015-01-24 17:20:00.000000000 +0100
+++ new/socat-1.7.3.1/VERSION   2016-01-29 11:29:36.000000000 +0100
@@ -1 +1 @@
-"1.7.3.0"
+"1.7.3.1"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/socat-1.7.3.0/nestlex.c new/socat-1.7.3.1/nestlex.c
--- old/socat-1.7.3.0/nestlex.c 2013-06-23 07:54:52.000000000 +0200
+++ new/socat-1.7.3.1/nestlex.c 2016-01-29 11:29:28.000000000 +0100
@@ -1,5 +1,5 @@
 /* source: nestlex.c */
-/* Copyright Gerhard Rieger 2006-2010 */
+/* Copyright Gerhard Rieger */
 /* Published under the GNU General Public License V.2, see file COPYING */
 
 /* a function for lexical scanning of nested character patterns */
@@ -9,6 +9,17 @@
 
 #include "sysincludes.h"
 
+static int _nestlex(const char **addr,
+                   char **token,
+                   ptrdiff_t *len,
+                   const char *ends[],
+                   const char *hquotes[],
+                   const char *squotes[],
+                   const char *nests[],
+                   bool dropquotes,
+                   bool c_esc,
+                   bool html_esc
+                   );
 
 /* sub: scan a string and copy its value to output string
    end scanning when an unescaped, unnested string from ends array is found
@@ -33,6 +44,22 @@
            bool c_esc,         /* solve C char escapes: \n \t \0 etc */
            bool html_esc       /* solve HTML char escapes: %0d %08 etc */
            ) {
+   return
+      _nestlex(addr, token, (ptrdiff_t *)len, ends, hquotes, squotes, nests,
+              dropquotes, c_esc, html_esc);
+}
+
+static int _nestlex(const char **addr,
+                   char **token,
+                   ptrdiff_t *len,
+                   const char *ends[],
+                   const char *hquotes[],
+                   const char *squotes[],
+                   const char *nests[],
+                   bool dropquotes,
+                   bool c_esc,
+                   bool html_esc
+                   ) {
    const char *in = *addr;     /* pointer into input string */
    const char **endx;  /* loops over end patterns */
    const char **quotx; /* loops over quote patterns */
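Review bot: The new `nestlex()` wrapper passes `(ptrdiff_t *)len`, so `_nestlex()` reads and writes the caller's counter in place through a pointer of a different type; the parameter is presumably `size_t *`, since its declaration is above the hunk. That only works where both types have the same width and representation, and if the signed counter ever ends up negative the caller sees it as a huge remaining size. A local signed copy that is written back clamped at zero avoids both problems. `nestlex()` starts above the hunk and the body of `_nestlex()` continues below it.

```c
/* … unchanged: nestlex() parameter list … */
	   ) {
   ptrdiff_t remaining;
   int result;

   /* a buffer size that does not fit the signed type is clamped */
   if (*len > (size_t)PTRDIFF_MAX) {
      remaining = PTRDIFF_MAX;
   } else {
      remaining = (ptrdiff_t)*len;
   }
   result = _nestlex(addr, token, &remaining, ends, hquotes, squotes, nests,
		     dropquotes, c_esc, html_esc);
   /* never hand a negative count back as a huge size_t */
   *len = remaining > 0 ? (size_t)remaining : 0;
   return result;
}
```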
@@ -77,16 +104,18 @@
                  if (--*len <= 0) { *addr = in; *token = out; return -1; }
               }
            }
-           /* we call nestlex recursively */
+           /* we call _nestlex recursively */
            endnest[0] = *quotx;
            endnest[1] = NULL;
            result =
-              nestlex(&in, &out, len, endnest, NULL/*hquotes*/,
+              _nestlex(&in, &out, len, endnest, NULL/*hquotes*/,
                       NULL/*squotes*/, NULL/*nests*/,
                       false, c_esc, html_esc);
            if (result == 0 && dropquotes) {
               /* we strip this quote */
               in += strlen(*quotx);
+           } else if (result < 0) {
+              *addr = in; *token = out; return result;
            } else {
               /* we copy the trailing quote */
               for (i = strlen(*quotx); i > 0; --i) {
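Review bot: The added `else if (result < 0)` branch has no comment saying why it must come before the trailing-quote copy, and the same bare branch is repeated in the hunks at -124,13 and -175,6. As far as the visible lines show, this is the core of the overflow fix: a nested call that reports output overflow must end the scan instead of falling through to code that keeps storing bytes and decrementing `*len`. I would add `/* nested scan failed (e.g. output overflow): propagate, do not write further */` to each of the three branches. The enclosing loop and function start and end outside these hunks.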
@@ -110,7 +139,7 @@
         if (!strncmp(in, *quotx, strlen(*quotx))) {
            /* this quote pattern matches */
            /* we strip this quote */
-           /* we call nestlex recursively */
+           /* we call _nestlex recursively */
            const char *endnest[2];
            if (dropquotes) {
               /* we strip this quote */
@@ -124,13 +153,15 @@
            endnest[0] = *quotx;
            endnest[1] = NULL;
            result =
-              nestlex(&in, &out, len, endnest, hquotes,
+              _nestlex(&in, &out, len, endnest, hquotes,
                       squotes, nests,
                       false, c_esc, html_esc);
 
            if (result == 0 && dropquotes) {
               /* we strip the trailing quote */
               in += strlen(*quotx);
+           } else if (result < 0) {
+              *addr = in; *token = out; return result;
            } else {
               /* we copy the trailing quote */
               for (i = strlen(*quotx); i > 0; --i) {
@@ -162,7 +193,7 @@
            }
 
            result =
-              nestlex(&in, &out, len, endnest, hquotes, squotes, nests,
+              _nestlex(&in, &out, len, endnest, hquotes, squotes, nests,
                       false, c_esc, html_esc);
            if (result == 0) {
               /* copy endnest */
@@ -175,6 +206,8 @@
                  }
                  --i;
               }
+           } else if (result < 0) {
+              *addr = in; *token = out; return result;
            }
            break;
         }
@@ -211,7 +244,7 @@
         }
         *out++ = c;
         --*len;
-        if (*len == 0) {
+        if (*len <= 0) {
            *addr = in;
            *token = out;
            return -1;  /* output overflow */
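Review bot: The bound is still tested only after `*out++ = c`, here and in the hunk at -222,7, so a call that enters with `*len` already at zero stores one byte before `*len <= 0` is noticed. Changing `== 0` to `<= 0` stops the runaway once the counter is negative, but it does not prevent that first store. Whether any caller can pass a zero length is not visible here; a guard before the store, `if (*len <= 0) { *addr = in; *token = out; return -1; }`, would make the function safe regardless. Both sites sit inside a loop body that begins outside the hunks.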
@@ -222,7 +255,7 @@
       /* just a simple char */
       *out++ = c;
       --*len;
-      if (*len == 0) {
+      if (*len <= 0) {
         *addr = in;
         *token = out;
         return -1;     /* output overflow */
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/socat-1.7.3.0/nestlex.h new/socat-1.7.3.1/nestlex.h
--- old/socat-1.7.3.0/nestlex.h 2010-10-06 09:25:30.000000000 +0200
+++ new/socat-1.7.3.1/nestlex.h 2016-01-29 11:29:28.000000000 +0100
@@ -1,5 +1,5 @@
 /* source: nestlex.h */
-/* Copyright Gerhard Rieger 2006 */
+/* Copyright Gerhard Rieger */
 /* Published under the GNU General Public License V.2, see file COPYING */
 
 #ifndef __nestlex_h_included
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/socat-1.7.3.0/socat.spec new/socat-1.7.3.1/socat.spec
--- old/socat-1.7.3.0/socat.spec        2015-01-24 17:21:32.000000000 +0100
+++ new/socat-1.7.3.1/socat.spec        2016-01-29 11:29:36.000000000 +0100
@@ -1,6 +1,6 @@
 
 %define majorver 1.7
-%define minorver 3.0
+%define minorver 3.1
 
 Summary: socat - multipurpose relay
 Name: socat
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/socat-1.7.3.0/test.sh new/socat-1.7.3.1/test.sh
--- old/socat-1.7.3.0/test.sh   2015-01-24 11:15:22.000000000 +0100
+++ new/socat-1.7.3.1/test.sh   2016-01-29 11:29:28.000000000 +0100
@@ -2266,8 +2266,8 @@
 gentestdsacert () {
     local name="$1"
     if [ -s $name.key -a -s $name.crt -a -s $name.pem ]; then return; fi
-    openssl dsaparam -out $name-dsa.pem 512 >/dev/null 2>&1
-    openssl dhparam -dsaparam -out $name-dh.pem 512 >/dev/null 2>&1
+    openssl dsaparam -out $name-dsa.pem 1024 >/dev/null 2>&1
+    openssl dhparam -dsaparam -out $name-dh.pem 1024 >/dev/null 2>&1
     openssl req -newkey dsa:$name-dsa.pem -keyout $name.key -nodes -x509 
-config $TESTCERT_CONF -out $name.crt -days 3653 >/dev/null 2>&1
     cat $name-dsa.pem $name-dh.pem $name.key $name.crt >$name.pem
 }
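Review bot: The test certificate helper now generates 1024-bit DSA and DH parameters, a size the CHANGES entry in this same update calls not sufficiently secure; 2048 would keep the test fixtures in line with the new built-in DH prime. Test-only keys are low risk, but both `openssl` calls discard all output with `>/dev/null 2>&1`, so a crypto library that refuses such small parameters would fail silently here and surface later as an unrelated test failure. Suggest `openssl dsaparam -out $name-dsa.pem 2048` and `openssl dhparam -dsaparam -out $name-dh.pem 2048`, accepting the slower generation. `gentestdsacert` lies fully inside the hunk.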
@@ -10973,6 +10973,42 @@
 printf "test $F_n $TEST... " $N
 $CMD0 </dev/null 1>&0 2>"${te}0"
 rc0=$?
+if [ $rc0 -lt 128 ] || [ $rc0 -eq 255 ]; then
+    $PRINTF "$OK\n"
+    numOK=$((numOK+1))
+else
+    $PRINTF "$FAILED\n"
+    echo "$CMD0"
+    cat "${te}0"
+    numFAIL=$((numFAIL+1))
+    listFAIL="$listFAIL $N"
+fi
+fi # NUMCOND
+ ;;
+esac
+PORT=$((PORT+1))
+N=$((N+1))
+
+# socat up to 1.7.3.0 had a stack overflow vulnerability that occurred when
+# command line arguments (whole addresses, host names, file names) were longer
+# than 512 bytes and specially crafted.
+NAME=NESTEDOVFL
+case "$TESTS" in
+*%$N%*|*%functions%*|*%bugs%*|*%security%*|*%exec%*|*%$NAME%*)
+TEST="$NAME: stack overflow on overly long nested arg"
+# provide a long host name to TCP-CONNECT and check socats exit code
+if ! eval $NUMCOND; then :; else
+tf="$td/test$N.stdout"
+te="$td/test$N.stderr"
+tdiff="$td/test$N.diff"
+da="test$N $(date) $RANDOM"
+# prepare long data - perl might not be installed
+rm -f "$td/test$N.dat"
+i=0; while [ $i -lt 64 ]; do  echo -n "AAAAAAAAAAAAAAAA" >>"$td/test$N.dat"; 
i=$((i+1)); done
+CMD0="$TRACE $SOCAT $opts EXEC:[$(cat "$td/test$N.dat")] STDIO"
+printf "test $F_n $TEST... " $N
+$CMD0 </dev/null 1>&0 2>"${te}0"
+rc0=$?
 if [ $rc0 -lt 128 ] || [ $rc0 -eq 255 ]; then
     $PRINTF "$OK\n"
     numOK=$((numOK+1))
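Review bot: The comment in the new NESTEDOVFL block, `# provide a long host name to TCP-CONNECT and check socats exit code`, does not match the command, which passes 1024 `A` bytes inside `EXEC:[...]`; it looks carried over from the preceding test. Suggest `# provide an overly long bracketed argument to EXEC and check socat's exit code`. The pass condition also deserves a comment: `$rc0 -lt 128` or `-eq 255` only shows that socat was not killed by a signal, so the test detects a crash, not a silent overwrite. `tf`, `tdiff` and `da` are assigned but not used in the visible lines. The rest of the `if` block that closes the new test lies outside the hunk.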
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/socat-1.7.3.0/xio-openssl.c 
new/socat-1.7.3.1/xio-openssl.c
--- old/socat-1.7.3.0/xio-openssl.c     2015-01-24 15:33:42.000000000 +0100
+++ new/socat-1.7.3.1/xio-openssl.c     2016-01-29 11:28:38.000000000 +0100
@@ -912,20 +912,27 @@
    }
 
    {
-      static unsigned char dh1024_p[] = {
-        0xCC,0x17,0xF2,0xDC,0x96,0xDF,0x59,0xA4,0x46,0xC5,0x3E,0x0E,
-        0xB8,0x26,0x55,0x0C,0xE3,0x88,0xC1,0xCE,0xA7,0xBC,0xB3,0xBF,
-        0x16,0x94,0xD8,0xA9,0x45,0xA2,0xCE,0xA9,0x5B,0x22,0x25,0x5F,
-        0x92,0x59,0x94,0x1C,0x22,0xBF,0xCB,0xC8,0xC8,0x57,0xCB,0xBF,
-        0xBC,0x0E,0xE8,0x40,0xF9,0x87,0x03,0xBF,0x60,0x9B,0x08,0xC6,
-        0x8E,0x99,0xC6,0x05,0xFC,0x00,0xD6,0x6D,0x90,0xA8,0xF5,0xF8,
-        0xD3,0x8D,0x43,0xC8,0x8F,0x7A,0xBD,0xBB,0x28,0xAC,0x04,0x69,
-        0x4A,0x0B,0x86,0x73,0x37,0xF0,0x6D,0x4F,0x04,0xF6,0xF5,0xAF,
-        0xBF,0xAB,0x8E,0xCE,0x75,0x53,0x4D,0x7F,0x7D,0x17,0x78,0x0E,
-        0x12,0x46,0x4A,0xAF,0x95,0x99,0xEF,0xBC,0xA6,0xC5,0x41,0x77,
-        0x43,0x7A,0xB9,0xEC,0x8E,0x07,0x3C,0x6D,
+      static unsigned char dh2048_p[] = {
+        
0x00,0xdc,0x21,0x64,0x56,0xbd,0x9c,0xb2,0xac,0xbe,0xc9,0x98,0xef,0x95,0x3e,
+        
0x26,0xfa,0xb5,0x57,0xbc,0xd9,0xe6,0x75,0xc0,0x43,0xa2,0x1c,0x7a,0x85,0xdf,
+        
0x34,0xab,0x57,0xa8,0xf6,0xbc,0xf6,0x84,0x7d,0x05,0x69,0x04,0x83,0x4c,0xd5,
+        
0x56,0xd3,0x85,0x09,0x0a,0x08,0xff,0xb5,0x37,0xa1,0xa3,0x8a,0x37,0x04,0x46,
+        
0xd2,0x93,0x31,0x96,0xf4,0xe4,0x0d,0x9f,0xbd,0x3e,0x7f,0x9e,0x4d,0xaf,0x08,
+        
0xe2,0xe8,0x03,0x94,0x73,0xc4,0xdc,0x06,0x87,0xbb,0x6d,0xae,0x66,0x2d,0x18,
+        
0x1f,0xd8,0x47,0x06,0x5c,0xcf,0x8a,0xb5,0x00,0x51,0x57,0x9b,0xea,0x1e,0xd8,
+        
0xdb,0x8e,0x3c,0x1f,0xd3,0x2f,0xba,0x1f,0x5f,0x3d,0x15,0xc1,0x3b,0x2c,0x82,
+        
0x42,0xc8,0x8c,0x87,0x79,0x5b,0x38,0x86,0x3a,0xeb,0xfd,0x81,0xa9,0xba,0xf7,
+        
0x26,0x5b,0x93,0xc5,0x3e,0x03,0x30,0x4b,0x00,0x5c,0xb6,0x23,0x3e,0xea,0x94,
+        
0xc3,0xb4,0x71,0xc7,0x6e,0x64,0x3b,0xf8,0x92,0x65,0xad,0x60,0x6c,0xd4,0x7b,
+        
0xa9,0x67,0x26,0x04,0xa8,0x0a,0xb2,0x06,0xeb,0xe0,0x7d,0x90,0xdd,0xdd,0xf5,
+        
0xcf,0xb4,0x11,0x7c,0xab,0xc1,0xa3,0x84,0xbe,0x27,0x77,0xc7,0xde,0x20,0x57,
+        
0x66,0x47,0xa7,0x35,0xfe,0x0d,0x6a,0x1c,0x52,0xb8,0x58,0xbf,0x26,0x33,0x81,
+        
0x5e,0xb7,0xa9,0xc0,0xee,0x58,0x11,0x74,0x86,0x19,0x08,0x89,0x1c,0x37,0x0d,
+        
0x52,0x47,0x70,0x75,0x8b,0xa8,0x8b,0x30,0x11,0x71,0x36,0x62,0xf0,0x73,0x41,
+        
0xee,0x34,0x9d,0x0a,0x2b,0x67,0x4e,0x6a,0xa3,0xe2,0x99,0x92,0x1b,0xf5,0x32,
+        0x73,0x63
       };
-      static unsigned char dh1024_g[] = {
+      static unsigned char dh2048_g[] = {
         0x02,
       };
       DH *dh;
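Review bot: The new `dh2048_p` array carries no comment on how the prime was generated or how it can be re-verified, which is the very gap advisory 7 in CHANGES names for the old parameters ("no indication of how these parameters were chosen"). A short comment above the array giving the generation command, the date, and the fact that `p` was checked to be prime (for instance with `openssl dhparam -check`) would let reviewers and packagers confirm the value independently. Both arrays are only read by `BN_bin2bn()` in the visible code, so they could also be declared `static const unsigned char`. The enclosing function begins and ends outside the hunk.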
@@ -938,8 +945,8 @@
         }
         Error("DH_new() failed");
       } else {
-        dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
-        dh->g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);
+        dh->p = BN_bin2bn(dh2048_p, sizeof(dh2048_p), NULL);
+        dh->g = BN_bin2bn(dh2048_g, sizeof(dh2048_g), NULL);
         if ((dh->p == NULL) || (dh->g == NULL)) {
            while (err = ERR_get_error()) {
               Warn1("BN_bin2bn(): %s",

