Re: CVE request - mcrypt buffer overflow flaw

[Vincent Danen <vdanen () redhat com>]

* [2012-09-06 15:11:27 -0500] Raphael Geissert wrote:

> On Thursday 06 September 2012 09:37:14 Vincent Danen wrote:
> > A buffer overflow was reported [1],[2] in mcrypt version 2.6.8 and
> > earlier due to a boundary error in the processing of an encrypted file
> > (via the check_file_head() function in src/extra.c).  If a user were
> > tricked into attempting to decrypt a specially-crafted .nc encrypted
> > flie, this flaw would cause a stack-based buffer overflow that could
> > potentially lead to arbitrary code execution.
>
> I'm attaching a patch that makes mcrypt abort when the salt is longer than
> the temp buffer it uses.
>
> While working on it, I noticed the err_ functions do not have a constant
> printf format, yet there are calls such as:
>      sprintf(tmperr, _("Input File: %s\n"), infile);
>      err_info(tmperr);
> [print_enc_info in src/extra.c]
>
> And a few others in src/mcrypt.c; for instance:
> $ mcrypt --no-openpgp "%s.nc"
> mcrypt: h?????????Fn???`.nc is not a regular file. Skipping...
>
> I'm attaching another patch that prevents the format string attacks.

Fantastic, thanks for this.  I suppose the format string issues may
require another CVE name?  I'm not sure if they're exploitable or not
(no chance right now to look at it further).

--
Vincent Danen / Red Hat Security Response Team