oss-sec mailing list archives
Crypto++ and invalid read in decompressor class
From: Jeffrey Walton <noloader () gmail com>
Date: Mon, 5 Jun 2017 21:32:11 -0400
Hi Everyone,

Crypto++ (https://www.cryptopp.com/) is a free and open-source library of cryptographic schemes originally written by Wei Dai.

Smart fuzzing revealed Crypto++'s Zinflate class, used by classes like Gunzip and Inflator, could perform an out-of-bounds read when decompressing data. The out-of-bounds read occurs on a table with 30 elements. The table is static and its storage is allocated in initialized memory. The attacker can craft a ZIP file that allows a read of the last two non-existent elements.

We believe an attacker can only read 0-bytes due to the storage allocation. We were not able to escalate it to a write. We believe it's a low-risk finding.

We were not able to induce failures in other classes using the techniques. Other classes include those that are related, like compressors, and those that are unrelated, like public and private keys.

The issue is being tracked by the library at https://github.com/weidai11/cryptopp/issues/414. The Gentoo folks assigned CVE-2017-9434 to track the issue.

The fix is available in Master. It is also available for several versions of the library at https://github.com/weidai11/cryptopp/issues/414#issuecomment-300671740.

Jeff
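Added example, not Crypto++ code and not part of the post above. The post does not name the 30-element table. DEFLATE's distance-code table (RFC 1951, section 3.2.5) has exactly 30 valid codes, 0 through 29, while the code space a decoder can produce runs to 31 (fixed-Huffman distance codes are 5 bits, and a crafted dynamic block can define codes 30 and 31 too), which would match a read of "the last two non-existent elements"; the example assumes that table. It shows the unchecked lookup pattern beside a bounds-checked decoder that rejects the two reserved codes before indexing. The function names (DistanceBaseUnchecked, DecodeDistanceCode, ComputeDistance, DistanceOrZero) are invented for illustration.

```cpp
// Added example (not Crypto++ code): bounds-checking a DEFLATE distance-code
// lookup. Assumption: the 30-element table in the oss-sec post is the
// distance table, which RFC 1951 defines for codes 0..29. Codes 30 and 31
// are reserved and must be rejected, never used as an index.
#include <cstdint>
#include <cstdio>

namespace {

// RFC 1951, section 3.2.5: base distance and extra-bit count per code.
constexpr unsigned kDistanceCodes = 30;
constexpr uint16_t kDistanceBase[kDistanceCodes] = {
    1,   2,   3,   4,    5,    7,    9,    13,   17,    25,
    33,  49,  65,  97,   129,  193,  257,  385,  513,   769,
    1025, 1537, 2049, 3073, 4097, 6145, 8193, 12289, 16385, 24577};
constexpr uint8_t kDistanceExtraBits[kDistanceCodes] = {
    0, 0, 0, 0, 1, 1, 2, 2, 3, 3, 4, 4, 5, 5, 6, 6,
    7, 7, 8, 8, 9, 9, 10, 10, 11, 11, 12, 12, 13, 13};

}  // namespace

// Unchecked form: a distance code taken from the compressed stream is used
// directly as an index. Codes 30 and 31 read two elements past the end of
// the 30-element table, which is the shape of the bug described in the
// post. Shown only for contrast; it is undefined behaviour for code >= 30.
unsigned DistanceBaseUnchecked(unsigned code) {
    return kDistanceBase[code];  // out-of-bounds read for code 30 or 31
}

// Hardened form: validate the code against the table size before indexing.
// Returns false for a reserved code instead of touching memory.
bool DecodeDistanceCode(unsigned code, unsigned &base, unsigned &extraBits) {
    if (code >= kDistanceCodes) return false;
    base = kDistanceBase[code];
    extraBits = kDistanceExtraBits[code];
    return true;
}

// Full distance = base + the extra bits that follow the code in the stream.
// Also rejects an extra value wider than the code allows, so the result
// always lies in the valid DEFLATE range 1..32768.
bool ComputeDistance(unsigned code, unsigned extraValue, unsigned &distance) {
    unsigned base = 0, extraBits = 0;
    if (!DecodeDistanceCode(code, base, extraBits)) return false;
    if (extraValue >= (1u << extraBits)) return false;
    distance = base + extraValue;
    return true;
}

// Convenience wrapper: 0 (never a valid distance) signals a rejected input.
unsigned DistanceOrZero(unsigned code, unsigned extraValue) {
    unsigned distance = 0;
    return ComputeDistance(code, extraValue, distance) ? distance : 0;
}

int main() {
    // Walk the whole 5-bit code space; 30 and 31 must be rejected.
    for (unsigned code = 0; code < 32; ++code) {
        unsigned d = DistanceOrZero(code, 0);
        if (d != 0)
            std::printf("code %2u -> base distance %5u\n", code, d);
        else
            std::printf("code %2u -> rejected (reserved code)\n", code);
    }
    return 0;
}
```

The check that matters is the single `code >= kDistanceCodes` comparison: the table size is the bound, and the decoder refuses the input rather than trusting that a well-formed encoder never emits the reserved codes.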
Current thread:
- Crypto++ and invalid read in decompressor class Jeffrey Walton (Jun 06)