oss-sec mailing list archives
Re: CVE request - mcrypt buffer overflow flaw
From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 13 Sep 2012 14:48:00 -0600
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 09/06/2012 02:11 PM, Raphael Geissert wrote:
Hi, On Thursday 06 September 2012 09:37:14 Vincent Danen wrote:A buffer overflow was reported [1],[2] in mcrypt version 2.6.8 and earlier due to a boundary error in the processing of an encrypted file (via the check_file_head() function in src/extra.c). If a user were tricked into attempting to decrypt a specially-crafted .nc encrypted flie, this flaw would cause a stack-based buffer overflow that could potentially lead to arbitrary code execution.I'm attaching a patch that makes mcrypt abort when the salt is longer than the temp buffer it uses. While working on it, I noticed the err_ functions do not have a constant printf format, yet there are calls such as: sprintf(tmperr, _("Input File: %s\n"), infile); err_info(tmperr); [print_enc_info in src/extra.c] And a few others in src/mcrypt.c; for instance: $ mcrypt --no-openpgp "%s.nc" mcrypt: h���Fn�`.nc is not a regular file. Skipping... I'm attaching another patch that prevents the format string attacks. Cheers,
Please use CVE-2012-4426 for these format string issues. - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://www.enigmail.net/ iQIcBAEBAgAGBQJQUkZ/AAoJEBYNRVNeJnmTP9YP/11qqwwMjEnej8e4hRYFcqtB 8w/nqDoOGDwyxMLRYW7K3OjS5oBxNUOSsLcuNjpeNOJ+9EKNXpSfCR66Q8pJ0DHT mCbkPWQFaRMXkFLJCtXA1c5vEGdC2bG6EACflxmKmnwUlT/zJzXDa1q1DD3re4hI HYy+dkFwVOvpyNoQhRLAi6KpRDzkTK6ohf7dMQmZ+1v2DKEtVja+fycWqJm09zRm Zoen4lZTeiZZT1nV8CQJrHjIuEeVnULyYZpVDUvzrWA4yttFalz+hsGUPSxwvGFp 5iwm42i+Q20bLmij44c5i09kRuo6Cx1BhlfTwRLk3dMN7cDZGUd7jHuzaL/VlndI /ybY+3pNQZlvATn0y/fI53yaJhYypgnM+CUF+l4LaLGgneGj/hYamBGfEvcG9rJw vyI9c2Wxr07byFQXV9Z3Y73u+q4gePfXsjw2cMt59xlkugEvQMcviEdQMPp/RUMt KGHrbV2p4okxP35qo7zF7ztXG5/vW8bvIemwiYfaBnXBFArPCYgtYzpc4tlb/0Nj 4ZtCQ8n63k62+PJpdTvXbMMtMXBTK04lJd8o1U7wtZpphJQbKl4A0bPYc6vWVarj fr6A8mp1bDI+hT1LH/nUjFmpudHafy5g3/9tiE+BG8Ozs1RUz3B4b6GzbuVjuTQq c5iHRTdGSQL2i6EBVuPW =G+yt -----END PGP SIGNATURE-----
Current thread:
- CVE request - mcrypt buffer overflow flaw Vincent Danen (Sep 06)
- Re: CVE request - mcrypt buffer overflow flaw Kurt Seifried (Sep 06)
- Re: CVE request - mcrypt buffer overflow flaw Raphael Geissert (Sep 06)
- Re: CVE request - mcrypt buffer overflow flaw Vincent Danen (Sep 06)
- Re: CVE request - mcrypt buffer overflow flaw Raphael Geissert (Sep 10)
- Re: CVE request - mcrypt buffer overflow flaw Kurt Seifried (Sep 13)
- Re: CVE request - mcrypt buffer overflow flaw Vincent Danen (Sep 06)
- Re: CVE request - mcrypt buffer overflow flaw Eygene Ryabinkin (Sep 11)
- Re: CVE request - mcrypt buffer overflow flaw Raphael Geissert (Sep 12)
- Re: CVE request - mcrypt buffer overflow flaw Kurt Seifried (Sep 13)
- Re: CVE request - mcrypt buffer overflow flaw Raphael Geissert (Sep 13)
- Re: CVE request - mcrypt buffer overflow flaw Raphael Geissert (Sep 12)
- Re: CVE request - mcrypt buffer overflow flaw Raphael Geissert (Sep 15)