This addresses both Socat security advisory 7 / MSVR-1499 ("Bad DH p parameter in OpenSSL")
and Socat security advisory 8 ("Stack overflow in arguments parser").

[Yocto # 9024]

Signed-off-by: Armin Kuster <>
 .../socat/socat/CVE-2016-2217.patch                | 372 +++++++++++++++++++++
 meta/recipes-connectivity/socat/   |   1 +
 2 files changed, 373 insertions(+)
 create mode 100644 meta/recipes-connectivity/socat/socat/CVE-2016-2217.patch

diff --git a/meta/recipes-connectivity/socat/socat/CVE-2016-2217.patch 
new file mode 100644
index 0000000..0cd4179
--- /dev/null
+++ b/meta/recipes-connectivity/socat/socat/CVE-2016-2217.patch
@@ -0,0 +1,372 @@
+Upstream-Status: Backport
+CVE: CVE-2016-2217
+[Yocto # 9024]
+Singed-off-by: Armin Kuster <>
+Index: socat-
+--- socat-
++++ socat-
+@@ -1,8 +1,39 @@
++####################### V
++      Socat security advisory 8
++      A stack overflow in vulnerability was found that can be triggered when
++      command line arguments (complete address specifications, host names,
++      file names) are longer than 512 bytes.
++      Successful exploitation might allow an attacker to execute arbitrary
++      code with the privileges of the socat process.
++      This vulnerability can only be exploited when an attacker is able to
++      inject data into socat's command line.
++      A vulnerable scenario would be a CGI script that reads data from clients
++      and uses (parts of) this data as hostname for a Socat invocation.
++      Test: NESTEDOVFL
++      Credits to Takumi Akiyama for finding and reporting this issue.
++      Socat security advisory 7
++      MSVR-1499
++      In the OpenSSL address implementation the hard coded 1024 bit DH p
++      parameter was not prime. The effective cryptographic strength of a key
++      exchange using these parameters was weaker than the one one could get by
++      using a prime p. Moreover, since there is no indication of how these
++      parameters were chosen, the existence of a trapdoor that makes possible
++      for an eavesdropper to recover the shared secret from a key exchange
++      that uses them cannot be ruled out.
++      Futhermore, 1024bit is not considered sufficiently secure.
++      Fix: generated a new 2048bit prime.
++      Thanks to Santiago Zanella-Beguelin and Microsoft Vulnerability
++      Research (MSVR) for finding and reporting this issue.
+ ####################### V
+ security:
+-      (CVE Id pending)
++      Socat security advisory 6
++      CVE-2015-1379: Possible DoS with fork
+       Fixed problems with signal handling caused by use of not async signal
+       safe functions in signal handlers that could freeze socat, allowing
+       denial of service attacks.
+@@ -240,6 +271,7 @@ docu:
+ ####################### V
+ security:
++      Socat security advisory 5
+       CVE-2014-0019: socats PROXY-CONNECT address was vulnerable to a buffer
+       overflow with data from command line (see socat-secadv5.txt)
+       Credits to Florian Weimer of the Red Hat Product Security Team
+@@ -247,6 +279,7 @@ security:
+ ####################### V
+ security:
++      Socat security advisory 4
+       CVE-2013-3571:
+       after refusing a client connection due to bad source address or source
+       port socat shutdown() the socket but did not close() it, resulting in
+@@ -258,6 +291,7 @@ security:
+ ####################### V
+ security:
++      Socat security advisory 3
+       CVE-2012-0219:
+       fixed a possible heap buffer overflow in the readline address. This bug
+       could be exploited when all of the following conditions were met:
+@@ -391,6 +425,7 @@ docu:
+ ####################### V
+ security:
++      Socat security advisory 2
+       CVE-2010-2799:
+       fixed a stack overflow vulnerability that occurred when command
+       line arguments (whole addresses, host names, file names) were longer
+@@ -892,6 +927,7 @@ further corrections:
+ ####################### V
+ security:
++      Socat security advisory 1
+       CVE-2004-1484:
+       fix to a syslog() based format string vulnerability that can lead to
+       remote code execution. See advisory socat-adv-1.txt
+Index: socat-
+--- socat-
++++ socat-
+@@ -1 +1 @@
+Index: socat-
+--- socat-
++++ socat-
+@@ -1,5 +1,5 @@
+ /* source: nestlex.c */
+-/* Copyright Gerhard Rieger 2006-2010 */
++/* Copyright Gerhard Rieger */
+ /* Published under the GNU General Public License V.2, see file COPYING */
+ /* a function for lexical scanning of nested character patterns */
+@@ -9,6 +9,17 @@
+ #include "sysincludes.h"
++static int _nestlex(const char **addr,
++                  char **token,
++                  ptrdiff_t *len,
++                  const char *ends[],
++                  const char *hquotes[],
++                  const char *squotes[],
++                  const char *nests[],
++                  bool dropquotes,
++                  bool c_esc,
++                  bool html_esc
++                  );
+ /* sub: scan a string and copy its value to output string
+    end scanning when an unescaped, unnested string from ends array is found
+@@ -33,6 +44,22 @@ int nestlex(const char **addr,      /* input
+           bool c_esc,         /* solve C char escapes: \n \t \0 etc */
+           bool html_esc       /* solve HTML char escapes: %0d %08 etc */
+           ) {
++   return
++      _nestlex(addr, token, (ptrdiff_t *)len, ends, hquotes, squotes, nests,
++             dropquotes, c_esc, html_esc);
++static int _nestlex(const char **addr,
++                  char **token,
++                  ptrdiff_t *len,
++                  const char *ends[],
++                  const char *hquotes[],
++                  const char *squotes[],
++                  const char *nests[],
++                  bool dropquotes,
++                  bool c_esc,
++                  bool html_esc
++                  ) {
+    const char *in = *addr;    /* pointer into input string */
+    const char **endx; /* loops over end patterns */
+    const char **quotx;        /* loops over quote patterns */
+@@ -77,16 +104,18 @@ int nestlex(const char **addr,    /* input
+                 if (--*len <= 0) { *addr = in; *token = out; return -1; }
+              }
+           }
+-          /* we call nestlex recursively */
++          /* we call _nestlex recursively */
+           endnest[0] = *quotx;
+           endnest[1] = NULL;
+           result =
+-             nestlex(&in, &out, len, endnest, NULL/*hquotes*/,
++             _nestlex(&in, &out, len, endnest, NULL/*hquotes*/,
+                      NULL/*squotes*/, NULL/*nests*/,
+                      false, c_esc, html_esc);
+           if (result == 0 && dropquotes) {
+              /* we strip this quote */
+              in += strlen(*quotx);
++          } else if (result < 0) {
++             *addr = in; *token = out; return result;
+           } else {
+              /* we copy the trailing quote */
+              for (i = strlen(*quotx); i > 0; --i) {
+@@ -110,7 +139,7 @@ int nestlex(const char **addr,     /* input
+        if (!strncmp(in, *quotx, strlen(*quotx))) {
+           /* this quote pattern matches */
+           /* we strip this quote */
+-          /* we call nestlex recursively */
++          /* we call _nestlex recursively */
+           const char *endnest[2];
+           if (dropquotes) {
+              /* we strip this quote */
+@@ -124,13 +153,15 @@ int nestlex(const char **addr,   /* input
+           endnest[0] = *quotx;
+           endnest[1] = NULL;
+           result =
+-             nestlex(&in, &out, len, endnest, hquotes,
++             _nestlex(&in, &out, len, endnest, hquotes,
+                      squotes, nests,
+                      false, c_esc, html_esc);
+           if (result == 0 && dropquotes) {
+              /* we strip the trailing quote */
+              in += strlen(*quotx);
++          } else if (result < 0) {
++             *addr = in; *token = out; return result;
+           } else {
+              /* we copy the trailing quote */
+              for (i = strlen(*quotx); i > 0; --i) {
+@@ -162,7 +193,7 @@ int nestlex(const char **addr,     /* input
+           }
+           result =
+-             nestlex(&in, &out, len, endnest, hquotes, squotes, nests,
++             _nestlex(&in, &out, len, endnest, hquotes, squotes, nests,
+                      false, c_esc, html_esc);
+           if (result == 0) {
+              /* copy endnest */
+@@ -175,6 +206,8 @@ int nestlex(const char **addr,     /* input
+                 }
+                 --i;
+              }
++          } else if (result < 0) {
++             *addr = in; *token = out; return result;
+           }
+           break;
+        }
+@@ -211,7 +244,7 @@ int nestlex(const char **addr,     /* input
+        }
+        *out++ = c;
+        --*len;
+-       if (*len == 0) {
++       if (*len <= 0) {
+           *addr = in;
+           *token = out;
+           return -1;  /* output overflow */
+@@ -222,7 +255,7 @@ int nestlex(const char **addr,     /* input
+       /* just a simple char */
+       *out++ = c;
+       --*len;
+-      if (*len == 0) {
++      if (*len <= 0) {
+        *addr = in;
+        *token = out;
+        return -1;     /* output overflow */
+Index: socat-
+--- socat-
++++ socat-
+@@ -1,5 +1,5 @@
+ /* source: nestlex.h */
+-/* Copyright Gerhard Rieger 2006 */
++/* Copyright Gerhard Rieger */
+ /* Published under the GNU General Public License V.2, see file COPYING */
+ #ifndef __nestlex_h_included
+Index: socat-
+--- socat-
++++ socat-
+@@ -1,6 +1,6 @@
+ %define majorver 1.7
+-%define minorver 3.0
++%define minorver 3.1
+ Summary: socat - multipurpose relay
+ Name: socat
+Index: socat-
+--- socat-
++++ socat-
+@@ -2266,8 +2266,8 @@ gentestcert () {
+ gentestdsacert () {
+     local name="$1"
+     if [ -s $name.key -a -s $name.crt -a -s $name.pem ]; then return; fi
+-    openssl dsaparam -out $name-dsa.pem 512 >/dev/null 2>&1
+-    openssl dhparam -dsaparam -out $name-dh.pem 512 >/dev/null 2>&1
++    openssl dsaparam -out $name-dsa.pem 1024 >/dev/null 2>&1
++    openssl dhparam -dsaparam -out $name-dh.pem 1024 >/dev/null 2>&1
+     openssl req -newkey dsa:$name-dsa.pem -keyout $name.key -nodes -x509 
-config $TESTCERT_CONF -out $name.crt -days 3653 >/dev/null 2>&1
+     cat $name-dsa.pem $name-dh.pem $name.key $name.crt >$name.pem
+ }
+@@ -10973,6 +10973,42 @@ CMD0="$TRACE $SOCAT $opts OPENSSL:localh
+ printf "test $F_n $TEST... " $N
+ $CMD0 </dev/null 1>&0 2>"${te}0"
+ rc0=$?
++if [ $rc0 -lt 128 ] || [ $rc0 -eq 255 ]; then
++    $PRINTF "$OK\n"
++    numOK=$((numOK+1))
++    $PRINTF "$FAILED\n"
++    echo "$CMD0"
++    cat "${te}0"
++    numFAIL=$((numFAIL+1))
++    listFAIL="$listFAIL $N"
++fi # NUMCOND
++ ;;
++# socat up to had a stack overflow vulnerability that occurred when
++# command line arguments (whole addresses, host names, file names) were longer
++# than 512 bytes and specially crafted.
++case "$TESTS" in
++TEST="$NAME: stack overflow on overly long nested arg"
++# provide a long host name to TCP-CONNECT and check socats exit code
++if ! eval $NUMCOND; then :; else
++da="test$N $(date) $RANDOM"
++# prepare long data - perl might not be installed
++rm -f "$td/test$N.dat"
++i=0; while [ $i -lt 64 ]; do  echo -n "AAAAAAAAAAAAAAAA" >>"$td/test$N.dat"; 
i=$((i+1)); done
++CMD0="$TRACE $SOCAT $opts EXEC:[$(cat "$td/test$N.dat")] STDIO"
++printf "test $F_n $TEST... " $N
++$CMD0 </dev/null 1>&0 2>"${te}0"
+ if [ $rc0 -lt 128 ] || [ $rc0 -eq 255 ]; then
+     $PRINTF "$OK\n"
+     numOK=$((numOK+1))
+Index: socat-
+--- socat-
++++ socat-
+@@ -912,20 +912,27 @@ int
+    }
+    {
+-      static unsigned char dh1024_p[] = {
+-       0xCC,0x17,0xF2,0xDC,0x96,0xDF,0x59,0xA4,0x46,0xC5,0x3E,0x0E,
+-       0xB8,0x26,0x55,0x0C,0xE3,0x88,0xC1,0xCE,0xA7,0xBC,0xB3,0xBF,
+-       0x16,0x94,0xD8,0xA9,0x45,0xA2,0xCE,0xA9,0x5B,0x22,0x25,0x5F,
+-       0x92,0x59,0x94,0x1C,0x22,0xBF,0xCB,0xC8,0xC8,0x57,0xCB,0xBF,
+-       0xBC,0x0E,0xE8,0x40,0xF9,0x87,0x03,0xBF,0x60,0x9B,0x08,0xC6,
+-       0x8E,0x99,0xC6,0x05,0xFC,0x00,0xD6,0x6D,0x90,0xA8,0xF5,0xF8,
+-       0xD3,0x8D,0x43,0xC8,0x8F,0x7A,0xBD,0xBB,0x28,0xAC,0x04,0x69,
+-       0x4A,0x0B,0x86,0x73,0x37,0xF0,0x6D,0x4F,0x04,0xF6,0xF5,0xAF,
+-       0xBF,0xAB,0x8E,0xCE,0x75,0x53,0x4D,0x7F,0x7D,0x17,0x78,0x0E,
+-       0x12,0x46,0x4A,0xAF,0x95,0x99,0xEF,0xBC,0xA6,0xC5,0x41,0x77,
+-       0x43,0x7A,0xB9,0xEC,0x8E,0x07,0x3C,0x6D,
++      static unsigned char dh2048_p[] = {
++       0x73,0x63
+       };
+-      static unsigned char dh1024_g[] = {
++      static unsigned char dh2048_g[] = {
+        0x02,
+       };
+       DH *dh;
+@@ -938,8 +945,8 @@ int
+        }
+        Error("DH_new() failed");
+       } else {
+-       dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
+-       dh->g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);
++       dh->p = BN_bin2bn(dh2048_p, sizeof(dh2048_p), NULL);
++       dh->g = BN_bin2bn(dh2048_g, sizeof(dh2048_g), NULL);
+        if ((dh->p == NULL) || (dh->g == NULL)) {
+           while (err = ERR_get_error()) {
+              Warn1("BN_bin2bn(): %s",
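Review bot: The replacement dh2048_p is turned into dh->p with BN_bin2bn and then used as-is, with no validity check, even though the advisory this patch fixes is precisely a hard-coded p that turned out not to be prime; a one-time check at startup would catch a regression of the same kind instead of silently weakening every key exchange. After both BN_bin2bn calls succeed, add `int codes = 0;` / `if (DH_check(dh, &codes) != 1 || codes != 0) { Error("hard-coded DH parameters failed DH_check()"); DH_free(dh); dh = NULL; }` so that a composite p or an unsuitable generator is treated like the existing DH_new()/BN_bin2bn failures rather than accepted. The primality test costs a few milliseconds once per process, negligible relative to the handshake it protects. The enclosing function and its error handling continue outside the hunk, so the exact cleanup on that path has to be matched to what the DH_new() failure branch does there.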
diff --git a/meta/recipes-connectivity/socat/ 
index b58e0a7..6d76d0f 100644
--- a/meta/recipes-connectivity/socat/
+++ b/meta/recipes-connectivity/socat/
@@ -14,6 +14,7 @@ LIC_FILES_CHKSUM = 
"file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
 SRC_URI = "${PV}.tar.bz2 \
            file:// \
+           file://CVE-2016-2217.patch \
 SRC_URI[md5sum] = "b607edb65bc6c57f4a43f06247504274"

