oss-sec mailing list archives

Re: CVE request - mcrypt buffer overflow flaw


From: Raphael Geissert <geissert () debian org>
Date: Mon, 10 Sep 2012 13:59:25 -0500

On Thursday 06 September 2012 15:44:54 Vincent Danen wrote:
> * [2012-09-06 15:11:27 -0500] Raphael Geissert wrote:
> > I'm attaching a patch that makes mcrypt abort when the salt is longer
> > than the temp buffer it uses.

I should have probably mentioned this before for those reviewing the patch
(or better, added a comment to the patch):
Even though the patch checks for salt_size > sizeof(tmp_buf) which is 101,
and later the memmove copies to decrypt_general() (src/classic.c)'s
local_salt, which is 100-long, the salt_size can't be an odd number (it is
decreased by one to make it even-numbered). So, there can't be a one-byte
overflow.

> > I'm attaching another patch that prevents the format string attacks.
>
> Fantastic, thanks for this.  I suppose the format string issues may
> require another CVE name?  I'm not sure if they're exploitable or not
> (no chance right now to look at it further).

I didn't spend much time on them, but none seemed to be exploitable.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
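The bounds reasoning in the message above (a 101-byte check feeding a 100-byte local_salt, with odd salt sizes trimmed to even) as an added C model. This is example code written for this page, not mcrypt's own code from src/classic.c: accepted_salt_size(), copy_salt(), copy_salt_of_size(), check_no_overflow_possible() and the two size constants are assumptions of the example that mirror only what the thread states, namely that the patch rejects salt_size > sizeof(tmp_buf) (101) and that an odd salt_size is decreased by one.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Sizes as stated in the thread: the temp buffer is 101 bytes and
 * decrypt_general()'s local_salt is 100 bytes. Constants are assumptions
 * of this example, not mcrypt's identifiers. */
#define TMP_BUF_SIZE    101
#define LOCAL_SALT_SIZE 100

/* Model of the patched check: reject a salt longer than the temp buffer,
 * then drop a trailing odd byte so salt_size is even. Returns the number
 * of bytes that would reach local_salt, or -1 when the salt is rejected. */
int accepted_salt_size(size_t salt_size)
{
    if (salt_size > TMP_BUF_SIZE)   /* the check the patch adds */
        return -1;
    if (salt_size % 2 == 1)          /* odd sizes are decreased by one */
        salt_size -= 1;
    return (int)salt_size;
}

/* Copy an accepted salt into a LOCAL_SALT_SIZE-byte buffer. The explicit
 * destination-size check is belt and braces: with the values above the
 * largest accepted size is exactly LOCAL_SALT_SIZE. */
bool copy_salt(const unsigned char *salt, size_t salt_size,
               unsigned char local_salt[LOCAL_SALT_SIZE])
{
    int n = accepted_salt_size(salt_size);
    if (n < 0 || (size_t)n > LOCAL_SALT_SIZE)
        return false;
    memmove(local_salt, salt, (size_t)n);
    return true;
}

/* Convenience wrapper using a constructed salt of salt_size bytes. */
bool copy_salt_of_size(size_t salt_size)
{
    unsigned char salt[256];                 /* constructed input */
    unsigned char local_salt[LOCAL_SALT_SIZE];
    if (salt_size > sizeof salt)
        return false;
    memset(salt, 'S', sizeof salt);
    return copy_salt(salt, salt_size, local_salt);
}

/* Exhaustively confirm the thread's argument: no accepted size exceeds
 * the destination buffer, so a one-byte overflow cannot occur. */
bool check_no_overflow_possible(void)
{
    for (size_t s = 0; s <= TMP_BUF_SIZE + 16; s++) {
        if (accepted_salt_size(s) > LOCAL_SALT_SIZE)
            return false;
    }
    return true;
}

int main(void)
{
    printf("101-byte salt -> %d bytes copied\n", accepted_salt_size(101));
    printf("102-byte salt accepted? %s\n", copy_salt_of_size(102) ? "yes" : "no");
    printf("overflow impossible: %s\n", check_no_overflow_possible() ? "yes" : "no");
    return 0;
}
```

The point the loop makes explicit is that the check alone admits 101 bytes, one more than the destination holds, and it is only the even-size rule that closes that gap; if either rule changed, the wrapper's destination-size check is what would still stop the copy.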

