oss-sec mailing list archives
Re: CVE request - mcrypt buffer overflow flaw
From: Raphael Geissert <geissert () debian org>
Date: Mon, 10 Sep 2012 13:59:25 -0500
On Thursday 06 September 2012 15:44:54 Vincent Danen wrote:
> * [2012-09-06 15:11:27 -0500] Raphael Geissert wrote:
>> I'm attaching a patch that makes mcrypt abort when the salt is longer than the temp buffer it uses.

I should have probably mentioned this before for those reviewing the patch (or better, added a comment to the patch): Even though the patch checks for salt_size > sizeof(tmp_buf) which is 101, and later the memmove copies to decrypt_general() (src/classic.c)'s local_salt, which is 100-long, the salt_size can't be an odd number (it is decreased by one to make it even-numbered). So, there can't be a one-byte overflow.

>> I'm attaching another patch that prevents the format string attacks.
> Fantastic, thanks for this. I suppose the format string issues may require another CVE name? I'm not sure if they're exploitable or not (no chance right now to look at it further).

I didn't spend much time on them, but none seemed to be exploitable.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
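
The bound argument in the message above, written out as an added example (not code from the patch or from mcrypt). The sizes 101 and 100 come from the message; the function names, the order of the check and the rounding step, and the 0..1024 test range are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Sizes quoted in the message; everything else here is a hypothetical model. */
#define TMP_BUF_SIZE    101  /* sizeof(tmp_buf), the value the patch checks against */
#define LOCAL_SALT_SIZE 100  /* local_salt in decrypt_general(), the memmove destination */

/* Returns the number of bytes that would be copied into local_salt, or -1
 * when the length check aborts. `limit` is the bound being enforced and
 * `round_even` models the step that decreases an odd salt_size by one. */
static int copy_len(size_t salt_size, int round_even, size_t limit)
{
    if (salt_size > limit)
        return -1;                      /* patched behaviour: abort */
    if (round_even && (salt_size % 2) != 0)
        salt_size--;                    /* odd lengths become even */
    return (int)salt_size;
}

/* Exhaustively try lengths 0..1024 and report the largest accepted copy. */
static int max_copy_len(int round_even, size_t limit)
{
    int max = -1;
    for (size_t s = 0; s <= 1024; s++) {
        int n = copy_len(s, round_even, limit);
        if (n > max)
            max = n;
    }
    return max;
}

int main(void)
{
    /* Check against 101 plus rounding: the largest copy is 100 bytes. */
    printf("limit 101, rounding:    max copy %d\n", max_copy_len(1, TMP_BUF_SIZE));
    /* Same check without rounding: 101 bytes, one past local_salt. */
    printf("limit 101, no rounding: max copy %d\n", max_copy_len(0, TMP_BUF_SIZE));
    /* Bounding by the destination size holds with or without rounding. */
    printf("limit 100, no rounding: max copy %d\n", max_copy_len(0, LOCAL_SALT_SIZE));
    return 0;
}
```

In this model the check against 101 is safe only because of the rounding step; comparing against the destination size removes that dependency.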