stunnel: CVE-2013-1762 buffer overflow in NTLM authentication of the CONNECT protocol negotiation

Debian Bug report logs - #702267
stunnel: CVE-2013-1762 buffer overflow in NTLM authentication of the CONNECT protocol negotiation

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>

To: submit@bugs.debian.org

Subject: stunnel: CVE-2013-1762 buffer overflow in TLM authentication of the CONNECT protocol negotiation

Date: Mon, 4 Mar 2013 17:17:18 +0100

[Message part 1 (text/plain, inline)]

Package: stunnel
Severity: grave
Tags: security

Hi,
the following vulnerability was published for stunnel.

Please see https://www.stunnel.org/CVE-2013-1762.html for details.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1762
    http://security-tracker.debian.org/tracker/CVE-2013-1762

Please adjust the affected versions in the BTS as needed.


-- 
Nico Golde - XMPP: nion@jabber.ccc.de - GPG: 0xA0A0AAAA

[Message part 2 (application/pgp-signature, inline)]

Message #10 received at 702267@bugs.debian.org (full text, mbox, reply):

From: Michal Trojnara <Michal.Trojnara@mirt.net>

To: 702267@bugs.debian.org

Subject: Security update is pending

Date: Thu, 18 Apr 2013 08:35:10 +0200

[Message part 1 (text/plain, inline)]

Hi,

This is a security vulnerability that may result in remote code
execution.  It should be fixed immediately.

Current stunnel Debian package is based on stunnel 4.53.  This upstream
version is over a year old.

Please update the package to stunnel 4.56.  This version seems to be
very stable.

Best regards,
    Michal Trojnara

[signature.asc (application/pgp-signature, attachment)]

Message #15 received at 702267@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Michal Trojnara <Michal.Trojnara@mirt.net>, 702267@bugs.debian.org

Subject: Re: Bug#702267: Security update is pending

Date: Mon, 22 Apr 2013 20:02:18 +0200

[Message part 1 (text/plain, inline)]

Control: tags 702267 + patch

Hi Michal

On Thu, Apr 18, 2013 at 08:35:10AM +0200, Michal Trojnara wrote:
> This is a security vulnerability that may result in remote code
> execution.  It should be fixed immediately.
> 
> Current stunnel Debian package is based on stunnel 4.53.  This upstream
> version is over a year old.
> 
> Please update the package to stunnel 4.56.  This version seems to be
> very stable.

Unfortunately stunnel4 package cannot be updated to latest upstream
version due to the freeze and wheezy beeing relased very soon. So the
version based on 4.53 needs to be patched.

I tried to extract the correspondig diff from 5.54 to 4.55 also based
on what Red Hat did[1].

 [1]: http://rhn.redhat.com/errata/RHSA-2013-0714.html

Does this looks good form your upstream point of view on it?

Luis, can you work on it, else I can prepare the NMU as per debdiff.

Regards,
Salvatore

[CVE-2013-1762.patch (text/x-diff, attachment)]

[stunnel4_4.53-1.1.debdiff (text/plain, attachment)]

Message #30 received at 702267@bugs.debian.org (full text, mbox, reply):

From: Rodrigo Gallardo <rodrigo@nul-unu.com>

To: Salvatore Bonaccorso <carnil@debian.org>, 702267@bugs.debian.org

Cc: Michal Trojnara <Michal.Trojnara@mirt.net>

Subject: Re: Bug#702267: Security update is pending

Date: Mon, 22 Apr 2013 11:12:15 -0700

Thank you very very much for this, Salvatore.

Please prepare the NMU, but hold off on it for upstream's opinion. Also, please try to engage the security team. Unless you're part of it, of course ;-)

On Apr 22, 2013, at 11:02 AM, Salvatore Bonaccorso wrote:

> Control: tags 702267 + patch
> 
> Hi Michal
> 
> On Thu, Apr 18, 2013 at 08:35:10AM +0200, Michal Trojnara wrote:
>> This is a security vulnerability that may result in remote code
>> execution.  It should be fixed immediately.
>> 
>> Current stunnel Debian package is based on stunnel 4.53.  This upstream
>> version is over a year old.
>> 
>> Please update the package to stunnel 4.56.  This version seems to be
>> very stable.
> 
> Unfortunately stunnel4 package cannot be updated to latest upstream
> version due to the freeze and wheezy beeing relased very soon. So the
> version based on 4.53 needs to be patched.
> 
> I tried to extract the correspondig diff from 5.54 to 4.55 also based
> on what Red Hat did[1].
> 
> [1]: http://rhn.redhat.com/errata/RHSA-2013-0714.html
> 
> Does this looks good form your upstream point of view on it?
> 
> Luis, can you work on it, else I can prepare the NMU as per debdiff.
> 
> Regards,
> Salvatore
> <CVE-2013-1762.patch><stunnel4_4.53-1.1.debdiff>

Message #35 received at 702267@bugs.debian.org (full text, mbox, reply):

From: Michal Trojnara <Michal.Trojnara@mirt.net>

To: Salvatore Bonaccorso <carnil@debian.org>

Cc: 702267@bugs.debian.org

Subject: Re: Bug#702267: Security update is pending

Date: Mon, 22 Apr 2013 20:44:25 +0200

[Message part 1 (text/plain, inline)]

On 2013-04-22 20:02, Salvatore Bonaccorso wrote:
> Unfortunately stunnel4 package cannot be updated to latest upstream
> version due to the freeze and wheezy beeing relased very soon. So the
> version based on 4.53 needs to be patched.
I think the patch correctly addresses this specific security issue.

On the other hand 4.53 is outdated and it lacks several important
stability bugfixes I implemented during the last year, e.g. half-close
handling, signal handling, memory leaks, file descriptor leaks, and
randoms stalls in libwrap support.  I would really love 4.56 to make it
into wheezy, or *at least* into sid.  It's a pity Debian users cannot
benefit from numerous hours of my work spent improving stunnel.
http://www.stunnel.org/sdf_ChangeLog.html

Best regards,
    Michal Trojnara

[signature.asc (application/pgp-signature, attachment)]

Message #46 received at 702267@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Michal Trojnara <Michal.Trojnara@mirt.net>

Cc: 702267@bugs.debian.org

Subject: Re: Bug#702267: Security update is pending

Date: Mon, 22 Apr 2013 21:35:52 +0200

Hi Michal, hi Luis

On Mon, Apr 22, 2013 at 08:44:25PM +0200, Michal Trojnara wrote:
> On 2013-04-22 20:02, Salvatore Bonaccorso wrote:
> > Unfortunately stunnel4 package cannot be updated to latest upstream
> > version due to the freeze and wheezy beeing relased very soon. So the
> > version based on 4.53 needs to be patched.
> I think the patch correctly addresses this specific security issue.

Thank you for confirming this.

> On the other hand 4.53 is outdated and it lacks several important
> stability bugfixes I implemented during the last year, e.g. half-close
> handling, signal handling, memory leaks, file descriptor leaks, and
> randoms stalls in libwrap support.  I would really love 4.56 to make it
> into wheezy, or *at least* into sid.  It's a pity Debian users cannot
> benefit from numerous hours of my work spent improving stunnel.
> http://www.stunnel.org/sdf_ChangeLog.html

Really understandable! Unfortunately it's really too late now to get
this into wheezy (wheezy is planned to be released on 4th or 5th may,
see, [1]).

 [1]: http://lists.debian.org/debian-devel-announce/2013/04/msg00006.html

I suggest, that as soon wheezy is released the new upstream version
can be packaged and uploaded to unstable. Luis? ;-)

It is really appreciated that you reply also on downstream bugreports,
thats great! Thank you very much for your quick followups.

Regards,
Salvatore

Message #51 received at 702267-close@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: 702267-close@bugs.debian.org

Subject: Bug#702267: fixed in stunnel4 3:4.53-1.1

Date: Mon, 22 Apr 2013 21:16:42 +0000

Source: stunnel4
Source-Version: 3:4.53-1.1

We believe that the bug you reported is fixed in the latest version of
stunnel4, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 702267@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated stunnel4 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 22 Apr 2013 19:47:34 +0200
Source: stunnel4
Binary: stunnel4
Architecture: source amd64
Version: 3:4.53-1.1
Distribution: unstable
Urgency: high
Maintainer: Luis Rodrigo Gallardo Cruz <rodrigo@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description: 
 stunnel4   - Universal SSL tunnel for network daemons
Closes: 702267
Changes: 
 stunnel4 (3:4.53-1.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Add CVE-2013-1762.patch patch.
     CVE-2013-1762: Fix buffer overflow in NTLM authentication of the CONNECT
     protocol negotiation. (Closes: #702267)
Checksums-Sha1: 
 4b9c83a9fcfb9f852df7fef11fa11d099f0a454a 1911 stunnel4_4.53-1.1.dsc
 aa808f8b37dd7602555111a7334f7daf2066a90b 32834 stunnel4_4.53-1.1.debian.tar.gz
 5aeaa7aed02ff1038a6892b6f2c7aa9fe5769a71 178460 stunnel4_4.53-1.1_amd64.deb
Checksums-Sha256: 
 9c6d4a47a42eb8ae24a51b04f24c14d0ffe36b824bda0e8cf2771dc9500b118c 1911 stunnel4_4.53-1.1.dsc
 c00f52dfeaef48e41f7065e99575cfe7ac8be5ea21ab7dab0e0c464a08a753da 32834 stunnel4_4.53-1.1.debian.tar.gz
 7d2c5751f994e6f7f99585aee3da42af80ae0058e1eac5413f6704bd0d814e41 178460 stunnel4_4.53-1.1_amd64.deb
Files: 
 b3ee7b47c0f1f41a70935ac2ffa53391 1911 net optional stunnel4_4.53-1.1.dsc
 dba1136ca101247a08e009a2fe63476b 32834 net optional stunnel4_4.53-1.1.debian.tar.gz
 8bf9a88ac93838a9eef40831c9d77a37 178460 net optional stunnel4_4.53-1.1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCgAGBQJRdZOxAAoJEHidbwV/2GP+VAcP/0aSHSwWDy70vuJjW9WpDVi7
ZGCJ3kRao76lXehwJpkpBAINH5j1z/MsMLT0pmhVIpzufvUka78kPYAabu/C8unC
OMznX+p/EKoPBvYD709uyhb9GM9I5TrSjCF8EeYsFkNz6eZrLp4xCyfH2lj9lFLz
uYn+SEfdRh5GSPnzMV3MMZXUI7rGPhIZeIjviZDYSkFd8mltWYwcLf7kJih4shoV
Jxq4VSwUypFh4+T1Y7nvAV9wdD9oWjy7S1dZGs/zEyOrGksVbt4sFMK2WP1B9DiP
kGAruMZFaaaK31rHd6yVFzFioGjdAje4fwTcz457pMJwm6SUrRZdSkSl7o2rEDNP
6HHuXXkzSecZoYdLaeNhJhF48Pgo1gdyBoB1Q5ccWeyuNezK4kt1OlHMtoVoZ4Lz
P7V+duWJh0TBRy/d86y6HYCLW3w7+SSL76WFo92sRiXpmwPhy8/z7T7eLGdrmD9i
Xl4LW4Rqbzj/ebUjlSW2/sLmHUgPLW+nW46J0RdZZNlyGf7z91xMJJrw5A3Chc5V
kzg4Vdmhf3nxnz4OJs9Vnfotx48NGbPSubWKwo7GC1cC7WDrCu1TK7r8z+qeYuGY
7fibrNqk2m+EmX5qPoUrY6h+GVFwhx8zYFs6nEFY0AemgviKyCkiQF12Rn3WpyQt
zCrN69uGYV7IL8QP9bh4
=Le4K
-----END PGP SIGNATURE-----

Message #56 received at 702267-close@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: 702267-close@bugs.debian.org

Subject: Bug#702267: fixed in stunnel4 3:4.29-1+squeeze1

Date: Fri, 03 May 2013 06:02:04 +0000

Source: stunnel4
Source-Version: 3:4.29-1+squeeze1

We believe that the bug you reported is fixed in the latest version of
stunnel4, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 702267@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated stunnel4 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 27 Apr 2013 17:00:30 +0200
Source: stunnel4
Binary: stunnel4 stunnel
Architecture: source all amd64
Version: 3:4.29-1+squeeze1
Distribution: squeeze-security
Urgency: high
Maintainer: Luis Rodrigo Gallardo Cruz <rodrigo@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description: 
 stunnel    - dummy upgrade package
 stunnel4   - Universal SSL tunnel for network daemons
Closes: 702267
Changes: 
 stunnel4 (3:4.29-1+squeeze1) squeeze-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Add CVE-2013-1762.patch patch.
     CVE-2013-1762: Fix buffer overflow vulnerability due to incorrect
     integer conversion in the NTLM authentication of the CONNECT protocol
     negotiation. (Closes: #702267)
Checksums-Sha1: 
 0744d0f395850c69fc789e996ae5b9c0ac206b88 1882 stunnel4_4.29-1+squeeze1.dsc
 f93ac9054c62b1db0dcf44f668d323d82cc0f413 544292 stunnel4_4.29.orig.tar.gz
 f818c63d964796744ca1c9d90ab08d056c17b0ae 28688 stunnel4_4.29-1+squeeze1.diff.gz
 7eef6cdbd9f490725fd0773ad4b02767a144e57b 24258 stunnel_4.29-1+squeeze1_all.deb
 080c60927ddfc555b76c4725971afc5afc38d709 152420 stunnel4_4.29-1+squeeze1_amd64.deb
Checksums-Sha256: 
 f7736582f45f2a842a2e200d28a415b40688f92f605ff6252ae591dd9cdac152 1882 stunnel4_4.29-1+squeeze1.dsc
 018064e852a2a125bcfb4b81baa77b5701ccf6aabe6a47564bfc046b18d11f9b 544292 stunnel4_4.29.orig.tar.gz
 84810e651c24aa624ca7f1c53b468db3aeb3a129ad651be90b1ec4951a66fc09 28688 stunnel4_4.29-1+squeeze1.diff.gz
 149c4debca0447c2a8ab641d541d0762997069b18fd7fdf0208499b30f2b4a9e 24258 stunnel_4.29-1+squeeze1_all.deb
 4ee5224257e53c91f5427491923a6197215782b19ac7722a746518fbaf504f57 152420 stunnel4_4.29-1+squeeze1_amd64.deb
Files: 
 c2ebd448af547e99dd3fafb572a13a19 1882 net optional stunnel4_4.29-1+squeeze1.dsc
 14dc3f8412947f0548975cbce74d6863 544292 net optional stunnel4_4.29.orig.tar.gz
 4ab12e6da1b2087381ac86c51db54a48 28688 net optional stunnel4_4.29-1+squeeze1.diff.gz
 1ee80939f09a516a4e01e87d3dcdf643 24258 net extra stunnel_4.29-1+squeeze1_all.deb
 1d45df973acbfbc993b3942fdd7a5dbc 152420 net optional stunnel4_4.29-1+squeeze1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCgAGBQJRe+mGAAoJEHidbwV/2GP+2DkP/jvebEH8Dlr+lao7a/8gjKlO
uCsmxvG+A0jxr0h/D1l6s8SegTd/JjUhg2U2gcRua92/QPzVwsdDltRjBPDv7twL
fhyDPiVvhzg8CIGolwRS+gFkclhSEP8CQo1MxCL9dMPPyu5myVkcBszJpCSwdBy1
htmdNxVcq9JB6b7aeCwj6NfHPY0B/L+iXUamOOdrouIvoexp0mX26qE+F2mlLbTx
kyI4X4gq4RZtHCVZwabakm/cW7x+NahNS3NgnMrsvByjWChDVJQmUZJS0cVqOCTb
ZuXLRwP3zhZV43phtPb4gmA8tBq3OtVRNWYnJvqappH4YGnqxQe7ja6hq9q9Gne2
sACzJuM2uEDAwAa+AqsrynaoFS3Yf63UF8jCe+SUp+F0H/f/xTeuFyQ6HAjIycPA
oSqZpv/EBVa7ibbYHZz+HVGHf9tJejohhAUBHelFFF5bfXp8aDxTnfbC+cjQTdyo
uVOI3QgpXc2BENJ+Jofg9YZauUSHE9eegWa08CH45xyWDdXe10FnOUAkGKwHyTJ5
cUzWF1NgY2VP0OcOfd/fBQpFq5LBSJf1aIj7/oKhE1kdZfhFR1WjHcD3oAwET96d
GVBt+avVMvKGIn3AkQr/bWud6S73P+lKbopunr9MfDoHwkr5t+Bkhdtaqc5+cccv
782USdepQd3ps2BtfIxC
=hX00
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.