Control: tags 702267 + patch

Hi Michal,
On Thu, Apr 18, 2013 at 08:35:10AM +0200, Michal Trojnara wrote:
> This is a security vulnerability that may result in remote code
> execution. It should be fixed immediately.
>
> Current stunnel Debian package is based on stunnel 4.53. This upstream
> version is over a year old.
>
> Please update the package to stunnel 4.56. This version seems to be
> very stable.

Unfortunately the stunnel4 package cannot be updated to the latest upstream version due to the freeze, with wheezy being released very soon. So the version based on 4.53 needs to be patched. I tried to extract the corresponding diff from 5.54 to 4.55, also based on what Red Hat did [1].

[1]: http://rhn.redhat.com/errata/RHSA-2013-0714.html

Does this look good from your upstream point of view?

Luis, can you work on it? Otherwise I can prepare the NMU as per the debdiff.

Regards,
Salvatore
Description: Fix CVE-2013-1762
 buffer overflow in TLM authentication of the CONNECT protocol
 negotiation
Origin: vendor
Bug-Debian: http://bugs.debian.org/702267
Forwarded: no
Author: Salvatore Bonaccorso <car...@debian.org>
Last-Update: 2013-04-22

--- a/src/protocol.c
+++ b/src/protocol.c
@@ -566,7 +566,7 @@
 #define s_min(a, b) ((a)>(b)?(b):(a))
 
 static void ntlm(CLI *c) {
-    char *line, buf[BUFSIZ], *ntlm1_txt, *ntlm2_txt, *ntlm3_txt;
+    char *line, buf[BUFSIZ], *ntlm1_txt, *ntlm2_txt, *ntlm3_txt, *tmpstr;
     long content_length=0; /* no HTTP content */
 
     /* send Proxy-Authorization (phase 1) */
@@ -582,8 +582,8 @@
     line=fd_getline(c, c->remote_fd.fd);
 
     /* receive Proxy-Authenticate (phase 2) */
-    if(line[9]!='4' || line[10]!='0' || line[11]!='7') { /* code 407 */
-        s_log(LOG_ERR, "NTLM authorization request rejected");
+    if(!isprefix(line, "HTTP/1.0 407") && !isprefix(line, "HTTP/1.1 407")) {
+        s_log(LOG_ERR, "Proxy-Authenticate: NTLM authorization request rejected");
         do { /* read all headers */
             line=fd_getline(c, c->remote_fd.fd);
         } while(*line);
@@ -594,8 +594,13 @@
         line=fd_getline(c, c->remote_fd.fd);
         if(isprefix(line, "Proxy-Authenticate: NTLM "))
             ntlm2_txt=str_dup(line+25);
-        else if(isprefix(line, "Content-Length: "))
-            content_length=atol(line+16);
+        else if(isprefix(line, "Content-Length: ")) {
+            content_length=strtol(line+16, &tmpstr, 10);
+            if(tmpstr==line+16 || *tmpstr || content_length<0) {
+                s_log(LOG_ERR, "Proxy-Authenticate: Invalid Content-Length");
+                longjmp(c->err, 1);
+            }
+        }
     } while(*line);
     if(!ntlm2_txt) { /* no Proxy-Authenticate: NTLM header */
         s_log(LOG_ERR, "Proxy-Authenticate: NTLM header not found");
@@ -603,7 +608,7 @@
     }
 
     /* read and ignore HTTP content (if any) */
-    while(content_length) {
+    while(content_length>0) {
         read_blocking(c, c->remote_fd.fd, buf, s_min(content_length, BUFSIZ));
         content_length-=s_min(content_length, BUFSIZ);
     }
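Review bot: The strtol() parse of Content-Length in the third hunk does not check for overflow: on a value beyond LONG_MAX strtol returns LONG_MAX and sets errno to ERANGE, tmpstr then points at the terminating NUL and content_length is positive, so the new guard accepts it and the drain loop in the fourth hunk tries to consume that many bytes from the proxy instead of failing the handshake. Set `errno=0;` before the call and extend the guard to `if(tmpstr==line+16 || *tmpstr || content_length<0 || errno==ERANGE) {`, which needs <errno.h> in scope if protocol.c does not already include it. The same hunk is repeated verbatim inside debian/patches/CVE-2013-1762.patch in the debdiff below, so the change applies there as well. The body of ntlm() continues outside these hunks. The DEP-3 Description and the changelog entry say "TLM authentication"; presumably "NTLM" is meant.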
diff -Nru stunnel4-4.53/debian/changelog stunnel4-4.53/debian/changelog
--- stunnel4-4.53/debian/changelog 2012-06-03 20:34:36.000000000 +0200
+++ stunnel4-4.53/debian/changelog 2013-04-22 19:57:42.000000000 +0200
@@ -1,3 +1,12 @@
+stunnel4 (3:4.53-1.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Add CVE-2013-1762.patch patch.
+    CVE-2013-1762: Fix buffer overflow in TLM authentication of the CONNECT
+    protocol negotiation. (Closes: #702267)
+
+ -- Salvatore Bonaccorso <car...@debian.org>  Mon, 22 Apr 2013 19:47:34 +0200
+
 stunnel4 (3:4.53-1) unstable; urgency=low
 
   * New upstream version 4.53.
diff -Nru stunnel4-4.53/debian/patches/CVE-2013-1762.patch stunnel4-4.53/debian/patches/CVE-2013-1762.patch
--- stunnel4-4.53/debian/patches/CVE-2013-1762.patch 1970-01-01 01:00:00.000000000 +0100
+++ stunnel4-4.53/debian/patches/CVE-2013-1762.patch 2013-04-22 19:57:42.000000000 +0200
@@ -0,0 +1,56 @@
+Description: Fix CVE-2013-1762
+ buffer overflow in TLM authentication of the CONNECT protocol
+ negotiation
+Origin: vendor
+Bug-Debian: http://bugs.debian.org/702267
+Forwarded: no
+Author: Salvatore Bonaccorso <car...@debian.org>
+Last-Update: 2013-04-22
+
+--- a/src/protocol.c
++++ b/src/protocol.c
+@@ -566,7 +566,7 @@
+ #define s_min(a, b) ((a)>(b)?(b):(a))
+ 
+ static void ntlm(CLI *c) {
+-    char *line, buf[BUFSIZ], *ntlm1_txt, *ntlm2_txt, *ntlm3_txt;
++    char *line, buf[BUFSIZ], *ntlm1_txt, *ntlm2_txt, *ntlm3_txt, *tmpstr;
+     long content_length=0; /* no HTTP content */
+ 
+     /* send Proxy-Authorization (phase 1) */
+@@ -582,8 +582,8 @@
+     line=fd_getline(c, c->remote_fd.fd);
+ 
+     /* receive Proxy-Authenticate (phase 2) */
+-    if(line[9]!='4' || line[10]!='0' || line[11]!='7') { /* code 407 */
+-        s_log(LOG_ERR, "NTLM authorization request rejected");
++    if(!isprefix(line, "HTTP/1.0 407") && !isprefix(line, "HTTP/1.1 407")) {
++        s_log(LOG_ERR, "Proxy-Authenticate: NTLM authorization request rejected");
+         do { /* read all headers */
+             line=fd_getline(c, c->remote_fd.fd);
+         } while(*line);
+@@ -594,8 +594,13 @@
+         line=fd_getline(c, c->remote_fd.fd);
+         if(isprefix(line, "Proxy-Authenticate: NTLM "))
+             ntlm2_txt=str_dup(line+25);
+-        else if(isprefix(line, "Content-Length: "))
+-            content_length=atol(line+16);
++        else if(isprefix(line, "Content-Length: ")) {
++            content_length=strtol(line+16, &tmpstr, 10);
++            if(tmpstr==line+16 || *tmpstr || content_length<0) {
++                s_log(LOG_ERR, "Proxy-Authenticate: Invalid Content-Length");
++                longjmp(c->err, 1);
++            }
++        }
+     } while(*line);
+     if(!ntlm2_txt) { /* no Proxy-Authenticate: NTLM header */
+         s_log(LOG_ERR, "Proxy-Authenticate: NTLM header not found");
+@@ -603,7 +608,7 @@
+     }
+ 
+     /* read and ignore HTTP content (if any) */
+-    while(content_length) {
++    while(content_length>0) {
+         read_blocking(c, c->remote_fd.fd, buf, s_min(content_length, BUFSIZ));
+         content_length-=s_min(content_length, BUFSIZ);
+     }
diff -Nru stunnel4-4.53/debian/patches/series stunnel4-4.53/debian/patches/series
--- stunnel4-4.53/debian/patches/series 2012-06-03 19:56:15.000000000 +0200
+++ stunnel4-4.53/debian/patches/series 2013-04-22 19:57:42.000000000 +0200
@@ -4,3 +4,4 @@
 selective_tunnel_restart
 logrotate_warning_in_sample_conf
 init_script_description
+CVE-2013-1762.patch