Bug #1756870 “[MIR] socat” : Bugs : socat package : Ubuntu

Francis Ginther (fginther) on 2018-03-19

tags:

added: id-5a382bce76f6b2c4a57705a0

Revision history for this message

Mathieu Trudel-Lapierre (cyphermox) wrote on 2018-03-28:

#1

At a glance, the tests should be runnable; please enable them if possible.

Given the use of OpenSSL, and previous issues with DH length, let's have this reviewed by the Security team.

Changed in socat (Ubuntu):
assignee:	nobody → Ubuntu Security Team (ubuntu-security)
status:	New → Incomplete

Revision history for this message

Julian Andres Klode (juliank) wrote on 2018-04-04:

#2

Uploaded socat with tests enabled (most of them, some fail due to OpenSSL 1.1 and cipher negotiation restrictions in there)

Revision history for this message

Seth Arnold (seth-arnold) wrote on 2018-04-06:

#3

BTW, the 'justification' in this bug (socat) is accidentally copied from the pv bug. Could you update this to say why socat is desired at the moment?

Thanks

Revision history for this message

Julian Andres Klode (juliank) wrote on 2018-04-11:

#4

The argument is the same, both are needed for GKE stuff. Apparently for some proxying stuff or something.

description:	updated
Changed in socat (Ubuntu):
status:	Incomplete → New

Revision history for this message

Seth Arnold (seth-arnold) wrote on 2018-04-20:

#5

Download full text (4.1 KiB)

I reviewed socat version 1.7.3.2-2build1 as checked into Bionic. This
shouldn't be considered a full security audit but rather a quick gauge of
reliability.

socat is all-purpose fd / socket / pipe manipulator tool. It's either a
very deft way to quickly and easily solve a problem or a very high-powered
footgun. Proper programmatic use of socat looks *extremely* difficult due
to magic environment variables, easy ability to execute other programs,
and general flexibility.

There are six CVEs against socat currently in our database; some of these
might legitimately have been deemed "not a security issue" due to threat
models but were handled all the same. One particularly embarrassing CVE
included a composite DH parameter. The faulty parameter was available for
roughly a year. This incident served as a reminder to the wider community
that open source software is vulnerable to malicious contributions the
same as proprietary products; I'm glad the socat team were honest.

- Build-Depends: debhelper, libssl-dev, libwrap0-dev
- Offers cryptography
- Does not daemonize (daemon.sh shell script just backgrounds the task
from the shell)
- Listens to nearly every networking protocol, interface, etc
- No pre/post inst/rm scripts
- No init scripts
- No systemd unit files
- No dbus services
- No setuid files
- socat, procan, and filan programs in PATH
- No sudo fragments
- No udev rules
- There's tests but not run as part of the package build, unknown value
- No cron jobs
- Some deprecation warnings in the build logs

- Subprocesses are spawned, driven by command line parameters if they go
  through system() or execve() (SYSTEM: and EXEC: methods)
- Some memory management was careful, some was 80s-style use of
  static-sized buffers and "knowing" that inputs won't overflow these
  buffers. The few cases of unsafe buffer use that I chased down all had
  static strings as inputs, and thus looked safe. But several CVEs address
  this very issue.
- Files are written too, driven by command line parameters
- Logging is extensive, including strace-style wrappers around every
  system call and library function used. Can also log through syslog.
- Extensive environment variable manipulation and use. The manpage
  describes the full range of environment variables and how they are used.
  The few that I inspected looked safe. Applications that use socat
  without being aware of environment use will probably have security
  vulnerabilities.
- Extensive use of ioctls, fchown, chroot, setgroups, setgid, setuid,
  chmod, chown; some driven by command line options (so calling programs
  MUST NOT allow unauthenticated unsanitized input here)
- Extensive use of cryptography -- can be configured to ignore or perform
  certificate validation, fake results, etc.
- Extensive networking
- Code that drops privileges looked careful
- No temporary files
- No WebKit
- No JavaScript
- No PolicyKit
- cppcheck reports real bugs but most would kill the build, though

socat is difficult choice. Its utility is obvious, and I've used it dozens
of times to solve little problems over the years. But so much of the code
relies upon being perfect C programmers for safety rather than using
de...

I reviewed socat version 1.7.3.2-2build1 as checked into Bionic. This
shouldn't be considered a full security audit but rather a quick gauge of
reliability.

socat is all-purpose fd / socket / pipe manipulator tool. It's either a
very deft way to quickly and easily solve a problem or a very high-powered
footgun. Proper programmatic use of socat looks *extremely* difficult due
to magic environment variables, easy ability to execute other programs,
and general flexibility.

There are six CVEs against socat currently in our database; some of these
might legitimately have been deemed "not a security issue" due to threat
models but were handled all the same. One particularly embarrassing CVE
included a composite DH parameter. The faulty parameter was available for
roughly a year. This incident served as a reminder to the wider community
that open source software is vulnerable to malicious contributions the
same as proprietary products; I'm glad the socat team were honest.

- Build-Depends: debhelper, libssl-dev, libwrap0-dev
- Offers cryptography
- Does not daemonize (daemon.sh shell script just backgrounds the task
  from the shell)
- Listens to nearly every networking protocol, interface, etc
- No pre/post inst/rm scripts
- No init scripts
- No systemd unit files
- No dbus services
- No setuid files
- socat, procan, and filan programs in PATH
- No sudo fragments
- No udev rules
- There's tests but not run as part of the package build, unknown value
- No cron jobs
- Some deprecation warnings in the build logs

- Subprocesses are spawned, driven by command line parameters if they go
  through system() or execve() (SYSTEM: and EXEC: methods)
- Some memory management was careful, some was 80s-style use of
  static-sized buffers and "knowing" that inputs won't overflow these
  buffers. The few cases of unsafe buffer use that I chased down all had
  static strings as inputs, and thus looked safe. But several CVEs address
  this very issue.
- Files are written too, driven by command line parameters
- Logging is extensive, including strace-style wrappers around every
  system call and library function used. Can also log through syslog.
- Extensive environment variable manipulation and use. The manpage
  describes the full range of environment variables and how they are used.
  The few that I inspected looked safe. Applications that use socat
  without being aware of environment use will probably have security
  vulnerabilities.
- Extensive use of ioctls, fchown, chroot, setgroups, setgid, setuid,
  chmod, chown; some driven by command line options (so calling programs
  MUST NOT allow unauthenticated unsanitized input here)
- Extensive use of cryptography -- can be configured to ignore or perform
  certificate validation, fake results, etc.
- Extensive networking
- Code that drops privileges looked careful
- No temporary files
- No WebKit
- No JavaScript
- No PolicyKit
- cppcheck reports real bugs but most would kill the build, though

socat is difficult choice. Its utility is obvious, and I've used it dozens
of times to solve little problems over the years. But so much of the code
relies upon being perfect C programmers for safety rather than using
defensive coding styles. (Very few routines that work on memory buffers
take the buffer size as a parameter, for example.)

And the collection of #ifdefs to work on dozens of no-longer-mainstream
OSes certainly complicate reading and understanding the code. (Which is
why cppcheck reports many configurations that can't possibly compile.)

Any program that uses socat MUST be very careful. It's got a much larger
attack surface than e.g. nc. If nc can solve a problem as well as socat,
then nc should be preferred. But socat can handle millions of cases that
netcat cannot handle.

Some tips for application authors:
- Do not allow dynamic input to be used as command line arguments
- Do not allow dynamic input to be used as environment variables
Trying to sanitize dynamic inputs for these uses would be challenging.

Security team ACK for promoting socat to main.

This looked like a bug:

- xiosetsockaddrenv() is the strcpy() here intentional:
     case PF_INET6:
        strcpy(namebuff, lr);

Thanks

Changed in socat (Ubuntu):
assignee:	Ubuntu Security Team (ubuntu-security) → nobody

Revision history for this message

Matthias Klose (doko) wrote on 2018-04-24:

#6

Override component to main
socat 1.7.3.2-2ubuntu2 in bionic: universe/net -> main
socat 1.7.3.2-2ubuntu2 in bionic amd64: universe/net/extra/100% -> main
socat 1.7.3.2-2ubuntu2 in bionic arm64: universe/net/extra/100% -> main
socat 1.7.3.2-2ubuntu2 in bionic armhf: universe/net/extra/100% -> main
socat 1.7.3.2-2ubuntu2 in bionic i386: universe/net/extra/100% -> main
socat 1.7.3.2-2ubuntu2 in bionic ppc64el: universe/net/extra/100% -> main
socat 1.7.3.2-2ubuntu2 in bionic s390x: universe/net/extra/100% -> main
7 publications overridden.

Changed in socat (Ubuntu):
status:	New → Fix Released

Ubuntu
socat package

[MIR] socat

Bug Description

Other bug subscribers

Remote bug watches

Ubuntusocat package

[MIR] socat

Bug Description

Other bug subscribers

Remote bug watches

Ubuntu
socat package