oss-sec mailing list archives

Re: CVE request - mcrypt buffer overflow flaw


From: Raphael Geissert <geissert () debian org>
Date: Thu, 6 Sep 2012 15:11:27 -0500

Hi,

On Thursday 06 September 2012 09:37:14 Vincent Danen wrote:
> A buffer overflow was reported [1],[2] in mcrypt version 2.6.8 and
> earlier due to a boundary error in the processing of an encrypted file
> (via the check_file_head() function in src/extra.c).  If a user were
> tricked into attempting to decrypt a specially-crafted .nc encrypted
> file, this flaw would cause a stack-based buffer overflow that could
> potentially lead to arbitrary code execution.

I'm attaching a patch that makes mcrypt abort when the salt is longer than 
the temp buffer it uses.

While working on it, I noticed the err_ functions do not have a constant 
printf format, yet there are calls such as:
      sprintf(tmperr, _("Input File: %s\n"), infile);
      err_info(tmperr);
[print_enc_info in src/extra.c]

And a few others in src/mcrypt.c; for instance:
$ mcrypt --no-openpgp "%s.nc" 
mcrypt: h���Fn�`.nc is not a regular file. Skipping...

I'm attaching another patch that prevents the format string attacks.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net

Attachment: mcrypt-format-strings.patch
Attachment: CVE-2012-4409.patch
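As an added illustration of the two fixes discussed in this message (this is example code written for this archive page, not the mcrypt project's code and not the contents of the attached patches), the block below shows the defensive pattern each patch applies: a length check before a salt is copied into a fixed-size buffer, and error reporting where untrusted data such as a filename only ever reaches printf as a `%s` argument, never as the format string. The salt header layout (one length byte followed by the salt), the buffer size `SALT_BUF_SIZE` and the names `read_salt`, `err_fmt` and `skip_message` are assumptions for the example and do not describe mcrypt's real .nc format or its err_ functions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical salt buffer size; mcrypt's real limit lives in src/extra.c. */
#define SALT_BUF_SIZE 32

/* Pattern 1: bounded copy of a length-prefixed salt.
 * Layout assumed for this example (NOT mcrypt's exact .nc header):
 * first byte = declared salt length, followed by that many salt bytes.
 * Returns the salt length on success, or -1 if the header is truncated or
 * the declared length exceeds the caller's buffer. The second check is the
 * one a stack-based overflow of this class needs: reject, never copy. */
int read_salt(const unsigned char *hdr, size_t hdr_len,
              unsigned char *salt, size_t salt_size)
{
    if (hdr_len < 1)
        return -1;                      /* no length byte at all */
    size_t n = hdr[0];
    if (n > salt_size)
        return -1;                      /* declared salt would overflow salt[] */
    if (hdr_len < 1 + n)
        return -1;                      /* file shorter than it claims */
    memcpy(salt, hdr + 1, n);
    return (int)n;
}

/* Pattern 2: an error formatter whose format string is always a literal.
 * The format attribute makes the compiler reject a non-literal format or
 * a mismatched argument list at build time (GCC/clang). */
#if defined(__GNUC__)
__attribute__((format(printf, 3, 4)))
#endif
static int err_fmt(char *out, size_t out_size, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, out_size, fmt, ap);
    va_end(ap);
    return r;
}

/* Builds the "is not a regular file" message for a user-supplied name.
 * Because the name is passed as a %s argument, a name such as "%s.nc"
 * is printed literally instead of being interpreted as a directive. */
const char *skip_message(const char *infile, char *out, size_t out_size)
{
    err_fmt(out, out_size, "%s is not a regular file. Skipping...", infile);
    return out;
}

int main(void)
{
    unsigned char salt[SALT_BUF_SIZE];
    /* Constructed sample headers: a valid one and an oversized one. */
    const unsigned char ok[]  = { 4, 'a', 'b', 'c', 'd' };
    const unsigned char bad[] = { 200, 0 };
    char msg[128];

    printf("ok header:  %d\n", read_salt(ok, sizeof ok, salt, sizeof salt));
    printf("bad header: %d\n", read_salt(bad, sizeof bad, salt, sizeof salt));
    printf("%s\n", skip_message("%s.nc", msg, sizeof msg));
    return 0;
}
```

The same idea applies to the call shown above: where a message has already been assembled into `tmperr`, the safe call is `err_info("%s", tmperr)` (or an `err_info` that writes its argument with `fputs`), so that bytes in `infile` are never parsed as conversion directives.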
