oss-sec mailing list archives
Re: CVE request - mcrypt buffer overflow flaw
From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 02 Oct 2012 13:20:20 -0600
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 10/02/2012 12:42 PM, Raphael Geissert wrote:
Kurt, I think at least one more CVE id needs to be assigned: On Saturday 15 September 2012 19:22:06 Raphael Geissert wrote:On Tuesday 11 September 2012 10:19:38 Eygene Ryabinkin wrote:
Another week, another couple of patches. One makes it use strncpy and forces a NUL on the last byte of local_algorithm, local_mode, and local_keymode. Their values are checked later on, so it seems safe to pass unvalidated data. The size of the buffers is hard-coded to avoid making many changes to the code.I think this needs a separate id, since fixes were released by Fedora and Debian referencing CVE-2012-4409 but only for the original report. Eygene's followup issues have been fixed in Debian without referencing a CVE id.
Can you post a link to source fixes/commits? Thanks.
Once those issues were fixed I noticed that salt_size is not initialized if the salt flag is not set. The result is an inconditional call to malloc, with an uninitialized int as argument. This can lead to a non-attacker-controlled memory consumption DoS in most cases. It makes me think nobody actually ever used it without a salt.I've no strong opinion on whether this deserves an id. Cheers,
Hrmm there's a thought, has this DoS been confirmed? As we've probably seen over the last year more than a few sites fail to salt their stored passwords =(. - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://www.enigmail.net/ iQIcBAEBAgAGBQJQaz50AAoJEBYNRVNeJnmTSK4P/26UQ0ORk9a3iUwsegwosivb S/hvJQ+nH8oXHrT4TX6sjwg0QacNHGVDcgMRf2iQVTSrDseJsFVz1EC+hQHR0A53 o3svXEb/11l+tpOxvXRaV2Tr5eU0BSwB+nDLiZgWry+IYLp17pyqdicNsLfwST6n RZhWdI/cMFk7Oxm6FyM0fSoXWS95ixSCJrnRh60+PrZeKKe6K+Hw78+nMO9dUcjI GQHrMMiNGY0CDwDrokQeYT6Asf96nXBurNjt/gd18u9QXp6NZ7hWLsfF/f8ISFC9 0firEfZYbBcuV7KSacPyk+kqgT+VsSXZPbCqeC78o8avHBN/pa7zjXmnJjBOH5ps FD88YNv5hdk6NjCrK5PbfRqi79ltM1JzI6mDxXb7jmJ6OFbvdCcMqKoSMNQkkYRA FaR0f3BOU2I/1JsYKcCUITLRjUAcvw1LQX6v9MWtEb3iN/jfGRYdXEa0hV75tgpq qljttSu3i5F/x80/TrOfvtQ+unuESUulkeXExdMfOULnf9SBgxY7aZpbT9TCfBlI qBY4xBZTtxh2lYwLTiCof0lCtu779uqKeszVi6LiF9SXv/4cm8srvU4K74CDIcjv KLCP4ba+a/VihVBf2EUP2myRN7ayPXYwII6CtqYu4smhJc00UQFMtbFNghXx+3Sg vU//7x41AXD3ET5hrRfL =fa7h -----END PGP SIGNATURE-----
Current thread:
- Re: CVE request - mcrypt buffer overflow flaw Raphael Geissert (Oct 02)
- Re: CVE request - mcrypt buffer overflow flaw Kurt Seifried (Oct 02)
- Re: CVE request - mcrypt buffer overflow flaw Raphael Geissert (Oct 02)
- Re: CVE request - mcrypt buffer overflow flaw Kurt Seifried (Oct 02)