oss-sec mailing list archives

CVE id request: silc-toolkit

From: Nico Golde <oss-security+ml () ngolde de>
Date: Mon, 31 Aug 2009 18:50:50 +0200

Hi,
silc-toolkit upstream fixed [0] various security issues which 
from my assessment allow an attacker arbitrary code 
execution. I'd like to get some CVE ids for these.

|    ASN1: Fix stack variable overwrite when encoding OID.
|
|    The call to sscanf specifies a format string of "%lu", a long unsigned
|    int.  The pointer argument was cast to unsigned long *, but this is
|    wrong for 64 bit systems.  On 64 bit systems, unsigned long is 64 bits,
|    but the oid value is a SilcUInt32 on all systems.  As a result, sscanf
|    will overwrite a neighboring variable on the stack.  Fix this by
|    changing the format string to "%u" and removing the cast.

|    Fixed string format vulnerability in client entry handling.
|
|    Reported and patch provided by William Cummings.

This one allows an attacker to execute arbitrary code, tested.

|     More string format fixes in silcd and client libary

From what I see this is only a problem if full_channel_names settings is used in
SilcClientParams and can't be triggered by an attacker but only by the victim,
maybe I miss something, I'm not that familar with the silc protocol.

|    HTTP: fix stack overwrite due to format string error.
|    
|    On AMD64, %lu refers to a 64-bit unsigned value, but the address passed
|    to sscanf points to a 32-bit unsigned value.  This causes an adjoining
|    value on the stack to be overwritten with data from the converted
|    integer.  Fix the format string to match the size of the supplied value,
|    and remove the pointer cast.

This is only a problem if the internal http server e.g. for checking stats
is enabled.

Can I get CVE ids for the above issues?
The upstream patch is attached.

Cheers
Nico

[0] http://silcnet.org/docs/changelog/SILC%20Toolkit%201.1.10


-- 
Nico Golde - http://www.ngolde.de - nion () jabber ccc de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.

Attachment: silc.patch
Description:

Attachment: _bin
Description:

Current thread:

CVE id request: silc-toolkit Nico Golde (Aug 31)
- Message not available
  - Re: CVE id request: silc-toolkit Tomas Hoger (Sep 11)
    - Re: CVE id request: silc-toolkit Steven M. Christey (Sep 11)
    - Re: CVE id request: silc-toolkit Tomas Hoger (Sep 11)