Processed: Re: Bug#702267: Security update is pending

2013-04-22 Thread Debian Bug Tracking System
Processing control commands:

 tags 702267 + patch
Bug #702267 [stunnel] stunnel: CVE-2013-1762 buffer overflow in NTLM authentication of the CONNECT protocol negotiation
Added tag(s) patch.

-- 
702267: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702267
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems


--
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#702267: Security update is pending

2013-04-22 Thread Salvatore Bonaccorso
Control: tags 702267 + patch

Hi Michal

On Thu, Apr 18, 2013 at 08:35:10AM +0200, Michal Trojnara wrote:
> This is a security vulnerability that may result in remote code
> execution.  It should be fixed immediately.
> 
> Current stunnel Debian package is based on stunnel 4.53.  This upstream
> version is over a year old.
> 
> Please update the package to stunnel 4.56.  This version seems to be
> very stable.

Unfortunately the stunnel4 package cannot be updated to the latest upstream
version due to the freeze and wheezy being released very soon. So the
version based on 4.53 needs to be patched.

I tried to extract the corresponding diff from 5.54 to 4.55, also based
on what Red Hat did[1].

 [1]: http://rhn.redhat.com/errata/RHSA-2013-0714.html

Does this look good from your upstream point of view?

Luis, can you work on it, else I can prepare the NMU as per debdiff.

Regards,
Salvatore

Description: Fix CVE-2013-1762
 buffer overflow in TLM authentication of the CONNECT protocol
 negotiation
Origin: vendor
Bug-Debian: http://bugs.debian.org/702267
Forwarded: no
Author: Salvatore Bonaccorso car...@debian.org
Last-Update: 2013-04-22

--- a/src/protocol.c
+++ b/src/protocol.c
@@ -566,7 +566,7 @@
 #define s_min(a, b) ((a)(b)?(b):(a))
 
 static void ntlm(CLI *c) {
-char *line, buf[BUFSIZ], *ntlm1_txt, *ntlm2_txt, *ntlm3_txt;
+char *line, buf[BUFSIZ], *ntlm1_txt, *ntlm2_txt, *ntlm3_txt, *tmpstr;
 long content_length=0; /* no HTTP content */
 
 /* send Proxy-Authorization (phase 1) */
@@ -582,8 +582,8 @@
 line=fd_getline(c, c-remote_fd.fd);
 
 /* receive Proxy-Authenticate (phase 2) */
-if(line[9]!='4' || line[10]!='0' || line[11]!='7') { /* code 407 */
-s_log(LOG_ERR, NTLM authorization request rejected);
+if(!isprefix(line, HTTP/1.0 407)  !isprefix(line, HTTP/1.1 407)) {
+s_log(LOG_ERR, Proxy-Authenticate: NTLM authorization request rejected);
 do { /* read all headers */
 line=fd_getline(c, c-remote_fd.fd);
 } while(*line);
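Review bot: the removed check indexed line[9], line[10] and line[11] without first confirming the status line is at least twelve bytes long, so a short proxy reply was read past the end of the string before the comparison even started; the replacement isprefix() tests against the full "HTTP/1.0 407" / "HTTP/1.1 407" prefixes bound the comparison to the line's actual length and stop accepting any line that merely happens to contain "407" at offset 9. The more specific "Proxy-Authenticate:" log prefix is also welcome, since the same NTLM error text is otherwise hard to tell apart from the other phases of the handshake.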
@@ -594,8 +594,13 @@
 line=fd_getline(c, c-remote_fd.fd);
 if(isprefix(line, Proxy-Authenticate: NTLM ))
 ntlm2_txt=str_dup(line+25);
-else if(isprefix(line, Content-Length: ))
-content_length=atol(line+16);
+else if(isprefix(line, Content-Length: )) {
+content_length=strtol(line+16, tmpstr, 10);
+if(tmpstr==line+16 || *tmpstr || content_length0) {
+s_log(LOG_ERR, Proxy-Authenticate: Invalid Content-Length);
+longjmp(c-err, 1);
+}
+}
 } while(*line);
 if(!ntlm2_txt) { /* no Proxy-Authenticate: NTLM header */
 s_log(LOG_ERR, Proxy-Authenticate: NTLM header not found);
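Review bot: the new Content-Length parsing at `content_length=strtol(line+16, tmpstr, 10);` must pass `&tmpstr`, since strtol() takes a `char **` as its second argument (the ampersand is dropped in this rendering, as is the `&&` in the 407 check above; please confirm the applied patch has it). The validation `tmpstr==line+16 || *tmpstr || content_length<0` correctly rejects an empty value, trailing garbage and the negative lengths that atol() silently accepted, but it does not check errno for ERANGE, so an out-of-range value is clamped to LONG_MAX and accepted; that only makes the content-skipping loop read BUFSIZ bytes at a time until the proxy closes the connection, so it is not memory-unsafe, but an explicit sane upper bound would make the intent clearer. Note also that the `*tmpstr` test relies on fd_getline() having stripped the CR/LF, which the `} while(*line);` termination on the blank line already assumes.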
@@ -603,7 +608,7 @@
 }
 
 /* read and ignore HTTP content (if any) */
-while(content_length) {
+while(content_length0) {
 read_blocking(c, c-remote_fd.fd, buf, s_min(content_length, BUFSIZ));
 content_length-=s_min(content_length, BUFSIZ);
 }
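Review bot: this hunk is the guard that actually closes the hole, and it deserves a comment saying so. With the old `while(content_length)` condition a negative Content-Length kept the loop running, and `s_min(content_length, BUFSIZ)` then selected the negative value as the length handed to read_blocking() into the fixed `buf[BUFSIZ]`, which is the overflow named in the bug title. Changing the condition to `content_length>0` (the comparison operator is lost in this rendering) keeps the loop safe even if the validation in the previous hunk is later changed, so suggest a one-line comment noting that both checks are intentional and should not be removed independently.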
diff -Nru stunnel4-4.53/debian/changelog stunnel4-4.53/debian/changelog
--- stunnel4-4.53/debian/changelog  2012-06-03 20:34:36.0 +0200
+++ stunnel4-4.53/debian/changelog  2013-04-22 19:57:42.0 +0200
@@ -1,3 +1,12 @@
+stunnel4 (3:4.53-1.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Add CVE-2013-1762.patch patch.
+CVE-2013-1762: Fix buffer overflow in TLM authentication of the CONNECT
+protocol negotiation. (Closes: #702267)
+
+ -- Salvatore Bonaccorso car...@debian.org  Mon, 22 Apr 2013 19:47:34 +0200
+
 stunnel4 (3:4.53-1) unstable; urgency=low
 
   * New upstream version 4.53.
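Review bot: the changelog entry reads "buffer overflow in TLM authentication"; the patched function is ntlm() and the CVE concerns NTLM proxy authentication, so this should read "NTLM" (the Description field of debian/patches/CVE-2013-1762.patch carries the same typo). The entry otherwise follows NMU conventions: non-maintainer upload noted, urgency=high for a security fix, and Closes: #702267 so the BTS is updated on upload.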
diff -Nru stunnel4-4.53/debian/patches/CVE-2013-1762.patch stunnel4-4.53/debian/patches/CVE-2013-1762.patch
--- stunnel4-4.53/debian/patches/CVE-2013-1762.patch	1970-01-01 01:00:00.0 +0100
+++ stunnel4-4.53/debian/patches/CVE-2013-1762.patch	2013-04-22 19:57:42.0 +0200
@@ -0,0 +1,56 @@
+Description: Fix CVE-2013-1762
+ buffer overflow in TLM authentication of the CONNECT protocol
+ negotiation
+Origin: vendor
+Bug-Debian: http://bugs.debian.org/702267
+Forwarded: no
+Author: Salvatore Bonaccorso car...@debian.org
+Last-Update: 2013-04-22
+
+--- a/src/protocol.c
 b/src/protocol.c
+@@ -566,7 +566,7 @@
+ #define s_min(a, b) ((a)(b)?(b):(a))
+ 
+ static void ntlm(CLI *c) {
+-char *line, buf[BUFSIZ], *ntlm1_txt, *ntlm2_txt, *ntlm3_txt;
++char *line, buf[BUFSIZ], *ntlm1_txt, *ntlm2_txt, *ntlm3_txt, *tmpstr;
+ long content_length=0; /* no HTTP content */
+ 
+ /* send Proxy-Authorization (phase 1) */
+@@ -582,8 +582,8 @@
+ line=fd_getline(c, c-remote_fd.fd);
+ 
+ /* receive Proxy-Authenticate (phase 2) */
+-if(line[9]!='4' || line[10]!='0' || line[11]!='7') { /* code 407 */
+-s_log(LOG_ERR, NTLM authorization request rejected);
++if(!isprefix(line, HTTP/1.0 407)  !isprefix(line, HTTP/1.1 407)) {
++s_log(LOG_ERR, Proxy-Authenticate: NTLM authorization 

Bug#702267: Security update is pending

2013-04-22 Thread Rodrigo Gallardo
Thank you very very much for this, Salvatore.

Please prepare the NMU, but hold off on it for upstream's opinion. Also, please 
try to engage the security team. Unless you're part of it, of course ;-)

On Apr 22, 2013, at 11:02 AM, Salvatore Bonaccorso wrote:

> Control: tags 702267 + patch
> 
> Hi Michal
> 
> On Thu, Apr 18, 2013 at 08:35:10AM +0200, Michal Trojnara wrote:
> > This is a security vulnerability that may result in remote code
> > execution.  It should be fixed immediately.
> > 
> > Current stunnel Debian package is based on stunnel 4.53.  This upstream
> > version is over a year old.
> > 
> > Please update the package to stunnel 4.56.  This version seems to be
> > very stable.
> 
> Unfortunately the stunnel4 package cannot be updated to the latest upstream
> version due to the freeze and wheezy being released very soon. So the
> version based on 4.53 needs to be patched.
> 
> I tried to extract the corresponding diff from 5.54 to 4.55, also based
> on what Red Hat did[1].
> 
> [1]: http://rhn.redhat.com/errata/RHSA-2013-0714.html
> 
> Does this look good from your upstream point of view?
> 
> Luis, can you work on it, else I can prepare the NMU as per debdiff.
> 
> Regards,
> Salvatore
> <CVE-2013-1762.patch>
> <stunnel4_4.53-1.1.debdiff>





Bug#702267: Security update is pending

2013-04-22 Thread Michal Trojnara
On 2013-04-22 20:02, Salvatore Bonaccorso wrote:
> Unfortunately the stunnel4 package cannot be updated to the latest upstream
> version due to the freeze and wheezy being released very soon. So the
> version based on 4.53 needs to be patched.
I think the patch correctly addresses this specific security issue.

On the other hand 4.53 is outdated and it lacks several important
stability bugfixes I implemented during the last year, e.g. half-close
handling, signal handling, memory leaks, file descriptor leaks, and
random stalls in libwrap support.  I would really love 4.56 to make it
into wheezy, or *at least* into sid.  It's a pity Debian users cannot
benefit from numerous hours of my work spent improving stunnel.
http://www.stunnel.org/sdf_ChangeLog.html

Best regards,
Michal Trojnara





Bug#702267: Security update is pending

2013-04-22 Thread Salvatore Bonaccorso
Hi Michal, hi Luis

On Mon, Apr 22, 2013 at 08:44:25PM +0200, Michal Trojnara wrote:
> On 2013-04-22 20:02, Salvatore Bonaccorso wrote:
> > Unfortunately the stunnel4 package cannot be updated to the latest upstream
> > version due to the freeze and wheezy being released very soon. So the
> > version based on 4.53 needs to be patched.
> I think the patch correctly addresses this specific security issue.

Thank you for confirming this.

> On the other hand 4.53 is outdated and it lacks several important
> stability bugfixes I implemented during the last year, e.g. half-close
> handling, signal handling, memory leaks, file descriptor leaks, and
> random stalls in libwrap support.  I would really love 4.56 to make it
> into wheezy, or *at least* into sid.  It's a pity Debian users cannot
> benefit from numerous hours of my work spent improving stunnel.
> http://www.stunnel.org/sdf_ChangeLog.html

Really understandable! Unfortunately it's really too late now to get
this into wheezy (wheezy is planned to be released on 4th or 5th May,
see [1]).

 [1]: http://lists.debian.org/debian-devel-announce/2013/04/msg6.html

I suggest that as soon as wheezy is released, the new upstream version
can be packaged and uploaded to unstable. Luis? ;-)

It is really appreciated that you also reply to downstream bug reports,
that's great! Thank you very much for your quick follow-ups.

Regards,
Salvatore





Bug#702267: Security update is pending

2013-04-18 Thread Michal Trojnara
Hi,

This is a security vulnerability that may result in remote code
execution.  It should be fixed immediately.

Current stunnel Debian package is based on stunnel 4.53.  This upstream
version is over a year old.

Please update the package to stunnel 4.56.  This version seems to be
very stable.

Best regards,
Michal Trojnara


