Socat security advisory 9 - readline.sh: arbitrary file overwrite via predictable /tmp directory

Overview

Socat source packages contain a wrapper script, readline.sh, that uses a predictable temporary directory, allowing unprivileged users to overwrite arbitrary files belonging to the script's caller.

readline.sh is usually neither installed in a bin directory nor documented. Major Linux distributions install it in examples/ or doc/; however, it is invoked by the test.sh script.

Vulnerability Ids

Socat security issue 9

CVE-2024-54661

Severity: Low

Affected versions

1.6.0.0 - 1.8.0.1

2.0.0-b1 - 2.0.0-b9

Not affected or corrected versions

1.8.0.2

Workaround

Create /tmp/$USER, owned by user $USER and with mode 0755 or tighter, before running readline.sh or test.sh.
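One way to apply this workaround without trusting a directory that may already exist, as an added example that is not part of the socat sources. The helper name check_private_tmpdir is hypothetical; it creates the directory atomically or, if something is already at the path, accepts it only when it is a real directory owned by the caller and not writable by group or others.

```shell
#!/bin/sh
# Added example, not socat code. check_private_tmpdir is a hypothetical helper.
# Returns 0 only if DIR ends up as a real directory owned by the caller
# with mode 0755 or tighter (no group or other write bit).
check_private_tmpdir() {
    dir=$1

    # mkdir fails if anything (file, symlink, directory) already exists at the
    # path, so a fresh directory is known to be ours. -m sets the mode exactly.
    if mkdir -m 0755 "$dir" 2>/dev/null; then
        return 0
    fi

    # Something was already there: verify it instead of trusting it.
    if [ -L "$dir" ]; then
        echo "refusing $dir: it is a symlink" >&2
        return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "refusing $dir: not a directory" >&2
        return 1
    fi
    if [ ! -O "$dir" ]; then
        echo "refusing $dir: owned by another user" >&2
        return 1
    fi
    # find prints the path only if the group or other write bit is set.
    if [ -n "$(find "$dir" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "refusing $dir: writable by group or others" >&2
        return 1
    fi
    return 0
}

# Usage before running the scripts named in the workaround:
#   check_private_tmpdir "/tmp/$USER" && ./test.sh
```

A refusal means the existing /tmp/$USER should be inspected and removed or fixed by hand before readline.sh or test.sh is run.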

Download

The updated sources can be downloaded from:

Patch to 1.8.0.1:

http://www.dest-unreach.org/socat/download/socat-1.8.0.2.patch

Credits

Credits to Wolfgang Frisch from SUSE for finding and reporting this issue.