[18197] in bugtraq


Complete list of Stunnel vulnerabilities

daemon@ATHENA.MIT.EDU (Brian Hatch)
Tue Dec 19 21:06:23 2000

Message-Id:  <20001218214729.T10217@ifokr.org>
Date:         Mon, 18 Dec 2000 21:47:29 -0800
Reply-To: Brian Hatch <bri@STUNNEL.ORG>
From: Brian Hatch <bri@STUNNEL.ORG>
X-To:         Lez <lez@SCH.BME.HU>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <Pine.LNX.3.96.1001218154211.2583A-100000@lez>; from
              lez@SCH.BME.HU on Mon, Dec 18, 2000 at 04:58:29PM +0100




> We have recently discovered a format bug in stunnel <= 3.8 in which the
> log() function calls directly the syslog() with only two parameters:
> syslog(level, text). It should be syslog(level, "%s", text).


This was fixed in stunnel version 3.9.  I was actually writing up an
advisory to cover all the things that were fixed since 3.8, but since
you brought it up here they are in a terribly uninteresting format:


1) stunnel-3.8 and previous did not properly seed the PRNG.
	This could lead to weak encryption on machines that
	lack /dev/urandom (such as Solaris, Windows, etc.
	BSD's, and Linux for example were not affected.)

2) stunnel-3.8 and previous had insecure pid file creation,
	and was thus vulnerable to symlink games.  (Ability
	to overwrite any file on the system.  Since stunnel
	is usually used to bind low ports, stunnel was usually
	run as root, and this was potentially very damaging.)

3) stunnel-3.8p4 and previous were affected by the aforementioned
	format string bug.  (And shame on me for not catching it during
	my audit.)

4) stunnel-3.8p4 and previous were not entirely thread-safe.
	(Only informational counters were affected by this,
	nothing security or functional related.)


Everyone should upgrade to stunnel version 3.9 or later immediately.


Stunnel-3.9 was released December 13th, 2000.  It is available at
http://www.stunnel.org/download/stunnel/src/stunnel-3.9.tar.gz

Stunnel-3.10 is slated for release soon.  It is a functional
release, and does not contain any additional security
related changes.


To report a bug in stunnel, please email the maintainer,
Michal Trojnara <Michal.Trojnara@mirt.net>, and the stunnel
FAQ maintainer, Brian Hatch <bri@stunnel.org>.





--
Brian Hatch                Madness takes its
   Systems and              toll.  Please have
   Security Engineer        exact change ready.
http://www.onsight.com/

Every message PGP signed
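The fix named in the post, syslog(level, "%s", text) in place of syslog(level, text), as a small added example (not stunnel's own code): a logging wrapper that renders the line with a literal format and passes untrusted text only as data, with a constructed peer name containing format directives to show they stay inert. The function names and the format attribute are this example's own assumptions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Added example, not stunnel's code. The reported pattern, syslog(level, text),
 * is what gcc/clang -Wformat -Wformat-security flag; the wrapper below is the
 * corrected form from the post: a constant format, message text as data. */

/* Render a log line using a caller-supplied *literal* format string.
 * Returns the length the full line needs (snprintf semantics) so the caller
 * can detect truncation. The attribute lets the compiler check call sites. */
__attribute__((format(printf, 3, 4)))
static int format_log_line(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

/* Hand an already-rendered line to syslog. Any '%' in `text` is plain data. */
static void safe_syslog(int level, const char *text)
{
    syslog(level, "%s", text);
}

/* Log a connection from a peer whose name is untrusted input.
 * Returns the rendered length, or -1 on a formatting error. */
static int log_client(int level, const char *peer_name, char *out, size_t outsz)
{
    int n = format_log_line(out, outsz, "client %s connected", peer_name);
    if (n < 0)
        return -1;
    safe_syslog(level, out);
    return n;
}

int main(void)
{
    char line[256];
    /* Constructed untrusted input containing format directives. */
    const char *peer = "%x%x%x%n";
    openlog("stunnel-example", LOG_PID, LOG_DAEMON);
    int n = log_client(LOG_INFO, peer, line, sizeof line);
    closelog();
    printf("%d bytes: %s\n", n, line);
    return (n >= 0 && strcmp(line, "client %x%x%x%n connected") == 0) ? 0 : 1;
}
```

Compiling the original two-argument call with `-Wformat -Wformat-security` is the cheapest way to find remaining instances of the pattern in a code base.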

