Version 1.8.0.2 - CVE-2024-54661: Arbitrary file overwrite in readline.sh

This commit is contained in:
Gerhard Rieger 2024-12-06 11:42:09 +01:00
parent 6ff391324d
commit 4ee1f31cf8
6 changed files with 91 additions and 5 deletions

17
CHANGES
View file

@ -1,4 +1,21 @@
 
####################### V 1.8.0.2:
Security:
Socat security advisory 9
CVE-2024-54661: Arbitrary file overwrite
Socat 1.6.0.0 through 1.8.0.1 and version 2 distributions contain a
wrapper script "readline.sh" that uses a predictable temporary
directory, allowing unprivileged users to overwrite arbitrary files
belonging to the scripts caller.
This is fixed in Version 1.8.0.2
Mitigating factors: readline.sh is usually neither installed in a bin
directory nor is it documented. Major Linux distributions install it in
examples/ or doc/; however it is invoked by test.sh script.
Thanks to Wolfgang Frisch from SuSE for finding and reporting this
issue.
Test: READLINE_SH_OVERWRITE
####################### V 1.8.0.1: ####################### V 1.8.0.1:
Corrections: Corrections:

2
README
View file

@ -63,7 +63,7 @@ install
Get the tarball and extract it: Get the tarball and extract it:
tar xzf socat.tar.gz tar xzf socat.tar.gz
cd socat-1.8.0.1 cd socat-1.8.0.2
./configure ./configure
make make
su su

View file

@ -1 +1 @@
"1.8.0.1" "1.8.0.2"

View file

@ -22,9 +22,15 @@ if [ "$withhistfile" ]; then
else else
HISTOPT= HISTOPT=
fi fi
mkdir -p /tmp/$USER || exit 1
# #
# #
exec socat -d readline"$HISTOPT",noecho='[Pp]assword:' exec:"$PROGRAM",sigint,pty,setsid,ctty,raw,echo=0,stderr 2>/tmp/$USER/stderr2 if test -w .; then
STDERR=./socat-readline.${1##*/}.log
rm -f $STDERR
else
STDERR=/dev/null
fi
exec socat -d readline"$HISTOPT",noecho='[Pp]assword:' exec:"$PROGRAM",sigint,pty,setsid,ctty,raw,echo=0,stderr 2>$STDERR

View file

@ -1,6 +1,6 @@
%define majorver 1.8 %define majorver 1.8
%define minorver 0.0 %define minorver 0.2
Summary: socat - multipurpose relay Summary: socat - multipurpose relay
Name: socat Name: socat

63
test.sh
View file

@ -20349,6 +20349,69 @@ DCCP-CONNECT dccp4 PORT
" "
# Test the readline.sh file overwrite vulnerability
NAME=READLINE_SH_OVERWRITE
case "$TESTS" in
*%$N%*|*%functions%*|*%bugs%*|*%readline%*|*%security%*|*%$NAME%*)
TEST="$NAME: Test the readline.sh file overwrite vulnerability"
# Create a symlink /tmp/$USER/stderr2 pointing to a temporary file,
# run readline.sh
# When the temporary file is kept the test succeeded
if ! eval $NUMCOND; then :
elif ! cond=$(checkconds \
"" \
"" \
"readline.sh" \
"" \
"" \
"" \
"" ); then
$PRINTF "test $F_n $TEST... ${YELLOW}$cond${NORMAL}\n" $N
numCANT=$((numCANT+1))
listCANT="$listCANT $N"
namesCANT="$namesCANT $NAME"
else
tf="$td/test$N.file"
te="$td/test$N.stderr"
tdiff="$td/test$N.diff"
da="test$N $(date) $RANDOM"
echo "$da" >"$tf"
ln -sf "$tf" /tmp/$USER/stderr2
CMD0="readline.sh cat"
printf "test $F_n $TEST... " $N
$CMD0 </dev/null >/dev/null 2>"${te}0"
rc0=$?
# if [ "$rc0" -ne 0 ]; then
# $PRINTF "$CANT (rc0=$rc0)\n"
# echo "$CMD0"
# cat "${te}0" >&2
# numCANT=$((numCANT+1))
# listCANT="$listCANT $N"
# namesCANT="$namesCANT $NAME"
# elif ! echo "$da" |diff - "$tf" >$tdiff; then
if ! echo "$da" |diff - "$tf" >$tdiff; then
$PRINTF "$FAILED (diff)\n"
echo "$CMD0 &"
cat "${te}0" >&2
echo "// diff:" >&2
cat "$tdiff" >&2
numFAIL=$((numFAIL+1))
listFAIL="$listFAIL $N"
namesFAIL="$namesFAIL $NAME"
else
$PRINTF "$OK\n"
if [ "$VERBOSE" ]; then echo "$CMD0 &"; fi
if [ "$DEBUG" ]; then cat "${te}0" >&2; fi
if [ "$VERBOSE" ]; then echo "$CMD1"; fi
if [ "$DEBUG" ]; then cat "${te}1" >&2; fi
numOK=$((numOK+1))
listOK="$listOK $N"
fi
fi # NUMCOND
;;
esac
N=$((N+1))
# end of common tests # end of common tests
################################################################################## ##################################################################################