Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Complete list of Stunnel vulnerabilities

From: Brian Hatch <bri () STUNNEL ORG>
Date: Mon, 18 Dec 2000 21:47:29 -0800



We have recently discovered a format bug in stunnel<= 3.8 in which the
log() function calls directly the syslog() with only two parameters:
syslog(level, text). It should be syslog(level, "%s", text).



This was fixed in stunnel version 3.9.  I was actually writing up an
advisory to cover all the thing that were fixed since 3.8, but since
you brought it up here they are in a terribly uninteresting format:


1) stunnel-3.8 and previous did not properly seed the PRNG.
        This could lead to weak encryption on machines that
        lack /dev/urandom (such as Solaris, Windows, etc.
        BSD's, and Linux for example were not affected.)

2) stunnel-3.8 and previous had insecure pid file creation,
        and was thus vulnerable to symlink games.  (Ability
        to overwrite any file on the system.  Since stunnel
        is usually used to bind low ports, stunnel was usually
        run as root, and this was potentially very damaging.)

3) stunnel-3.8p4 and previous were affected by the afformeantioned
        format string bug.  (And shame on me for not catching it during
        my audit.)

4) stunnel-3.8p4 and previous was not entirely thread-safe.
        (Only informational counters were affected by this,
        nothing security or functional related.)


Everyone should upgrade to stunnel version 3.9 or later immediately.


Stunnel-3.9 was released December 13th, 2000.  It is Available at
http://www.stunnel.org/download/stunnel/src/stunnel-3.9.tar.gz

Stunnel-3.10 is slated for release soon.  It is a functional
release, and does not contain any additional security
related changes.


To report a bug in stunnel, please email the maintainer,
Michal Trojnara <Michal.Trojnara () mirt net>, and the stunnel
FAQ maintainer, Brian Hatch <bri () stunnel org>.





--
Brian Hatch                Madness takes it's
   Systems and              toll.  Please have
   Security Engineer        exact change ready.
http://www.onsight.com/

Every message PGP signed

Attachment: _bin
Description:

Previous By Date Next
Previous By Thread Next

Current thread: