Re: CVE Request -- mcrypt: stack-based buffer overflow by encryption / decryption of overly long file names

[Raphael Geissert <geissert () debian org>]

Hi Jan, everyone,

[BCC'ing Malcolm Parsons, who sent me an email about the tmperr buffer 
overflow this morning. Not sure if he discovered it independently.]

On Thursday 18 October 2012 08:50:37 Jan Lieskovsky wrote:
> Hello Kurt, Steve, vendors,
>
>   Attila Bogar reported a stack-based buffer overflow
> in the way MCrypt, a crypt() package and crypt(1) command
> replacement, used to encrypt / decrypt files with overly
> long names (longer than 128 bytes). A remote attacker
> could provide a specially-crafted file that, when processed
> by the mcrypt too, would lead to mcrypt executable crash [*].
>
> A different vulnerability than CVE-2012-4409:
[...]
> References:
> [2] https://bugzilla.redhat.com/show_bug.cgi?id=867790
>
> Patch proposed by Attila:
> [3] https://bugzilla.redhat.com/show_bug.cgi?id=867790#c0

Why 132? tmperr is declared as:
char tmperr[128];

That would still allow some bytes to be overwritten.

[...]
> P.S.: I am not sure about relation of this issue to the issue
>       Raphael Geissert reported previously:
>       [4] http://www.openwall.com/lists/oss-security/2012/10/02/1
>
>       so CC-in him too, he to clarify if [2] == [4], or if
>       they are yet different issues. Raphael, please clarify.

They are different issues. The closest is CVE-2012-4426[5].

I didn't look much into those other buffers as they would require an attacker 
to control the arguments passed to mcrypt(1) to exploit them.

Kurt, regarding the issues in [4], I don't know what other reference you 
want me to add. There's nothing more than what's on the thread.

[5]http://www.openwall.com/lists/oss-security/2012/09/13/22

Regards,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net