• News
• Infocus
• Foundations
• Microsoft
• Unix
• IDS
• Incidents
• Virus
• Pen-Test
• Firewalls
• Columnists
• Mailing Lists
• Newsletters
• Bugtraq
• Focus on IDS
• Focus on Linux
• Focus on Microsoft
• Forensics
• Pen-test
• Security Basics
• Vuln Dev
• Vulnerabilities
• Jobs
• Job Opportunities
• Resumes
• Job Seekers
• Employers
• Tools
• RSS
• News
• Vulns
• Security Research

• info
• discussion
• exploit
• solution
• references

Stunnel Local Arbitrary Command Execution Vulnerability

Solution:
The stunnel program author, Michal Trojnara, has released a vixed version (3.9), which is available from:
http://www.stunnel.org/download/stunnel/src/stunnel-3.9.tar.gz

stunnel may also be hotfixed.

see log.c, ~line 67:

- syslog(level, text);
+ syslog(level, "%s", text);


Stunnel Stunnel 3.3

• Michal Trojnara stunnel-3.9
  http://www.stunnel.org/download/stunnel/src/stunnel-3.9.tar.gz

Stunnel Stunnel 3.4 a

• Michal Trojnara stunnel-3.9
  http://www.stunnel.org/download/stunnel/src/stunnel-3.9.tar.gz

Stunnel Stunnel 3.7

• Debian 2.2 alpha stunnel_3.10-0potato1_alpha.deb
  http://security.debian.org/dists/stable/updates/main/binary-alpha/stun nel_3.10-0potato1_alpha.deb


• Debian 2.2 i386 stunnel_3.10-0potato1_i386.deb
  http://security.debian.org/dists/stable/updates/main/binary-i386/stunn el_3.10-0potato1_i386.deb


• Debian 2.2 m68k stunnel_3.10-0potato1_m68k.deb
  http://security.debian.org/dists/stable/updates/main/binary-m68k/stunn el_3.10-0potato1_m68k.deb


• Debian 2.2 sparc stunnel_3.10-0potato1_sparc.deb
  http://security.debian.org/dists/stable/updates/main/binary-sparc/stun nel_3.10-0potato1_sparc.deb


• Michal Trojnara stunnel-3.9
  http://www.stunnel.org/download/stunnel/src/stunnel-3.9.tar.gz

Stunnel Stunnel 3.8

• Conectiva 4.0 i386 stunnel-3.10-1cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/4.0/i386/stunnel-3.10-1cl.i386.rpm


• Conectiva 4.0es i386 stunnel-3.10-1cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/4.0es/i386/stunnel-3.10-1cl.i386.r pm


• Conectiva 4.1 i386 stunnel-3.10-1cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/4.1/i386/stunnel-3.10-1cl.i386.rpm


• Conectiva 4.2 i386 stunnel-3.10-1cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/4.2/i386/stunnel-3.10-1cl.i386.rpm


• Conectiva 5.0 i386 stunnel-3.10-1cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/5.0/i386/stunnel-3.10-1cl.i386.rpm


• Conectiva 5.1 i386 stunnel-3.10-1cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/5.1/i386/stunnel-3.10-1cl.i386.rpm


• Conectiva 6.0 i386 stunnel-3.10-1cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/6.0/RPMS/stunnel-3.10-1cl.i386.rpm


• EnGarde Secure Linux 1.0.1 i386 stunnel-3.22-1.0.4.i386.rpm
  ftp://ftp.engardelinux.org/pub/engarde/stable/updates/i386/stunnel-3.2 2-1.0.4.i386.rpm


• EnGarde Secure Linux 1.0.1 i686 stunnel-3.22-1.0.4.i686.rpm
  ftp://ftp.engardelinux.org/pub/engarde/stable/updates/i686/stunnel-3.2 2-1.0.4.i686.rpm


• Michal Trojnara stunnel-3.9
  http://www.stunnel.org/download/stunnel/src/stunnel-3.9.tar.gz