Version 1.8.0.2 - CVE-2024-54661: Arbitrary file overwrite in readline.sh
diff --git a/CHANGES b/CHANGES
index 7a34381..3b654aa 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,21 @@
+####################### V 1.8.0.2:
+
+Security:
+ Socat security advisory 9
+ CVE-2024-54661: Arbitrary file overwrite
+ Socat 1.6.0.0 through 1.8.0.1 and version 2 distributions contain a
+ wrapper script "readline.sh" that uses a predictable temporary
+ directory, allowing unprivileged users to overwrite arbitrary files
+ belonging to the scripts caller.
+ This is fixed in Version 1.8.0.2
+ Mitigating factors: readline.sh is usually neither installed in a bin
+ directory nor is it documented. Major Linux distributions install it in
+ examples/ or doc/; however it is invoked by test.sh script.
+ Thanks to Wolfgang Frisch from SuSE for finding and reporting this
+ issue.
+ Test: READLINE_SH_OVERWRITE
+
####################### V 1.8.0.1:
Corrections:
diff --git a/README b/README
index 2bbdca6..c48c095 100644
--- a/README
+++ b/README
@@ -63,7 +63,7 @@
Get the tarball and extract it:
tar xzf socat.tar.gz
- cd socat-1.8.0.1
+ cd socat-1.8.0.2
./configure
make
su
diff --git a/VERSION b/VERSION
index c897421..2b16796 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-"1.8.0.1"
+"1.8.0.2"
diff --git a/readline.sh b/readline.sh
index b6f8438..1045303 100755
--- a/readline.sh
+++ b/readline.sh
@@ -22,9 +22,15 @@
else
HISTOPT=
fi
-mkdir -p /tmp/$USER || exit 1
#
#
-exec socat -d readline"$HISTOPT",noecho='[Pp]assword:' exec:"$PROGRAM",sigint,pty,setsid,ctty,raw,echo=0,stderr 2>/tmp/$USER/stderr2
+if test -w .; then
+ STDERR=./socat-readline.${1##*/}.log
+ rm -f $STDERR
+else
+ STDERR=/dev/null
+fi
+
+exec socat -d readline"$HISTOPT",noecho='[Pp]assword:' exec:"$PROGRAM",sigint,pty,setsid,ctty,raw,echo=0,stderr 2>$STDERR
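Review bot: The log path assigned on the new `STDERR=` line is still a fixed, guessable name, and `test -w .` also succeeds when the script is started from a shared world-writable directory such as /tmp, so a window remains between `rm -f $STDERR` and the `2>$STDERR` open in which another user can recreate the name as a link. Setting noclobber before the exec (`set -C`) would make the redirection fail rather than follow a pre-existing entry, and it leaves the /dev/null branch working because it only applies to regular files; taking the name from `mktemp` is the alternative. `$STDERR` is also unquoted in both places and is derived from `$1`, so an argument with whitespace or glob characters would make `rm -f` act on other names; `rm -f -- "$STDERR"` and `2>"$STDERR"` avoid that. The script begins above this hunk, so how `$1` and `$PROGRAM` relate is not visible here.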
diff --git a/socat.spec b/socat.spec
index 654f28f..3d2b7a1 100644
--- a/socat.spec
+++ b/socat.spec
@@ -1,6 +1,6 @@
%define majorver 1.8
-%define minorver 0.0
+%define minorver 0.2
Summary: socat - multipurpose relay
Name: socat
diff --git a/test.sh b/test.sh
index 46bebf8..5204ac7 100755
--- a/test.sh
+++ b/test.sh
@@ -20349,6 +20349,69 @@
"
+# Test the readline.sh file overwrite vulnerability
+NAME=READLINE_SH_OVERWRITE
+case "$TESTS" in
+*%$N%*|*%functions%*|*%bugs%*|*%readline%*|*%security%*|*%$NAME%*)
+TEST="$NAME: Test the readline.sh file overwrite vulnerability"
+# Create a symlink /tmp/$USER/stderr2 pointing to a temporary file,
+# run readline.sh
+# When the temporary file is kept the test succeeded
+if ! eval $NUMCOND; then :
+elif ! cond=$(checkconds \
+ "" \
+ "" \
+ "readline.sh" \
+ "" \
+ "" \
+ "" \
+ "" ); then
+ $PRINTF "test $F_n $TEST... ${YELLOW}$cond${NORMAL}\n" $N
+ numCANT=$((numCANT+1))
+ listCANT="$listCANT $N"
+ namesCANT="$namesCANT $NAME"
+else
+ tf="$td/test$N.file"
+ te="$td/test$N.stderr"
+ tdiff="$td/test$N.diff"
+ da="test$N $(date) $RANDOM"
+ echo "$da" >"$tf"
+ ln -sf "$tf" /tmp/$USER/stderr2
+ CMD0="readline.sh cat"
+ printf "test $F_n $TEST... " $N
+ $CMD0 </dev/null >/dev/null 2>"${te}0"
+ rc0=$?
+# if [ "$rc0" -ne 0 ]; then
+# $PRINTF "$CANT (rc0=$rc0)\n"
+# echo "$CMD0"
+# cat "${te}0" >&2
+# numCANT=$((numCANT+1))
+# listCANT="$listCANT $N"
+# namesCANT="$namesCANT $NAME"
+# elif ! echo "$da" |diff - "$tf" >$tdiff; then
+ if ! echo "$da" |diff - "$tf" >$tdiff; then
+ $PRINTF "$FAILED (diff)\n"
+ echo "$CMD0 &"
+ cat "${te}0" >&2
+ echo "// diff:" >&2
+ cat "$tdiff" >&2
+ numFAIL=$((numFAIL+1))
+ listFAIL="$listFAIL $N"
+ namesFAIL="$namesFAIL $NAME"
+ else
+ $PRINTF "$OK\n"
+ if [ "$VERBOSE" ]; then echo "$CMD0 &"; fi
+ if [ "$DEBUG" ]; then cat "${te}0" >&2; fi
+ if [ "$VERBOSE" ]; then echo "$CMD1"; fi
+ if [ "$DEBUG" ]; then cat "${te}1" >&2; fi
+ numOK=$((numOK+1))
+ listOK="$listOK $N"
+ fi
+fi # NUMCOND
+ ;;
+esac
+N=$((N+1))
+
# end of common tests
##################################################################################
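Review bot: The `ln -sf "$tf" /tmp/$USER/stderr2` step assumes /tmp/$USER already exists and its result is never checked, so on a host without that directory no link is created, `$tf` stays unchanged, and the test prints OK even when run against the old readline.sh. Setting up the precondition explicitly, e.g. `mkdir -p "/tmp/$USER" && ln -sf "$tf" "/tmp/$USER/stderr2"`, and falling into the same numCANT bookkeeping as the checkconds branch when it fails, would keep the regression test meaningful; the link should also be removed once the check is done. In the OK branch `$CMD1` and `${te}1` are not set anywhere in this test as far as the hunk shows, so with DEBUG enabled `cat "${te}1"` reads a file that does not exist, and those two lines can be dropped.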