COMMAND

    stunnel

SYSTEMS AFFECTED

    stunnel<= 3.8

PROBLEM

    Following is  based on  a Macaroon  Advisory.   They have recently
    discovered  a  format  bug  in  stunnel<=  3.8  in which the log()
    function calls  directly the  syslog() with  only two  parameters:
    syslog(level, text).  It should be syslog(level, "%s", text).

    If a user can pass any string that is written to the log file,  he
    can   exploit   this   vulnerablilty   with   carefully  formatted
    formatstrings (with %n in it).

    When debugging is turned on (-d 7) the username that is looked  up
    via  ident  is  written  to  the  log  file.  So if the client can
    manipulate  it's  ident  username,  he  can  own  the host running
    stunnel.   Another case,  when stunnel's  native smtp  support and
    debugging is  turned on,  it's exploitable,  too.   Of course it's
    not a complete list of exploit methods.  There may be many more.

    Here are few more bugs:
    - stunnel-3.8 and previous did  not properly seed the PRNG.   This
      could lead to weak encryption on machines that lack /dev/urandom
      (such as Solaris,  Windows, etc.   BSD's, and Linux  for example
      were not affected.)
    - stunnel-3.8  and previous  had insecure  pid file  creation, and
      was thus  vulnerable to  symlink games.   (Ability to  overwrite
      any file on the system.   Since stunnel is usually used to  bind
      low  ports,  stunnel  was  usually  run  as  root,  and this was
      potentially very damaging.)
    - stunnel-3.8p4 and previous were affected by the afformeantioned
      format string bug.
    - stunnel-3.8p4 and previous was not entirely thread-safe.   (Only
      informational counters were  affected by this,  nothing security
      or functional related.)

SOLUTION

    The fix from the stunnel author (Michal Trojnara) is out, you  can
    download the latest stable version from

        http://www.stunnel.org/download/stunnel/src/stunnel-3.9.tar.gz

    or you can hotfix the bug in log.c (about line 67):

        -        syslog(level, text);
        +        syslog(level, "%s", text);

    All versions of Trustix Secure Linux are vulnerable provided  that
    the server  is actually  configured to  use stunnel.   This  means
    that  a  default  install  of  the  system will technically not be
    vulnerable, but TL suggests that our users follow security updates
    regardless of what is actually run today.

        ftp://ftp.trustix.net/pub/Trustix/updates/1.2/RPMS/stunnel-3.8p4-2tr.i586.rpm
        http://www.trustix.net/pub/Trustix/updates/1.1/RPMS/stunnel-3.8p4-2tr.i586.rpm

    Users of  v1.0x should  as usual  use the  update built  for v1.1.
    For version  1.2, the  distribution tree  and the  iso images have
    been  updated  on  our  sites,  and  will  be available on mirrors
    shortly.  The build date of the iso images is 20001219.

    For Conectiva Linux:

        ftp://atualizacoes.conectiva.com.br/4.0/SRPMS/stunnel-3.10-1cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/4.0/i386/stunnel-3.10-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/4.0es/SRPMS/stunnel-3.10-1cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/4.0es/i386/stunnel-3.10-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/4.1/SRPMS/stunnel-3.10-1cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/4.1/i386/stunnel-3.10-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/4.2/SRPMS/stunnel-3.10-1cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/4.2/i386/stunnel-3.10-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/stunnel-3.10-1cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/5.0/i386/stunnel-3.10-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/stunnel-3.10-1cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/5.1/i386/stunnel-3.10-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/stunnel-3.10-1cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/6.0/RPMS/stunnel-3.10-1cl.i386.rpm

    For RedHat:

        ftp://updates.redhat.com//7.0/SRPMS/stunnel-3.10-2.src.rpm
        ftp://updates.redhat.com//7.0/alpha/stunnel-3.10-2.alpha.rpm
        ftp://updates.redhat.com//7.0/i386/stunnel-3.10-2.i386.rpm

    For Debian:

        http://security.debian.org/dists/stable/updates/main/source/stunnel_3.10-0potato1.diff.gz
        http://security.debian.org/dists/stable/updates/main/source/stunnel_3.10-0potato1.dsc
        http://security.debian.org/dists/stable/updates/main/source/stunnel_3.10.orig.tar.gz
        http://security.debian.org/dists/stable/updates/main/binary-alpha/stunnel_3.10-0potato1_alpha.deb
        http://security.debian.org/dists/stable/updates/main/binary-i386/stunnel_3.10-0potato1_i386.deb
        http://security.debian.org/dists/stable/updates/main/binary-m68k/stunnel_3.10-0potato1_m68k.deb
        http://security.debian.org/dists/stable/updates/main/binary-powerpc/stunnel_3.10-0potato1_powerpc.deb
        http://security.debian.org/dists/stable/updates/main/binary-sparc/stunnel_3.10-0potato1_sparc.deb

    For FreeBSD:

        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/security/stunnel-3.10.tgz
        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/security/stunnel-3.10.tgz
        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/security/stunnel-3.10.tgz
        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/security/stunnel-3.10.tgz
        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/security/stunnel-3.10.tgz