oss-sec mailing list archives
Re: CVE Request -- mcrypt: stack-based buffer overflow by encryption / decryption of overly long file names
From: Raphael Geissert <geissert () debian org>
Date: Thu, 18 Oct 2012 20:14:25 -0500
Hi Jan, everyone, [BCC'ing Malcolm Parsons, who sent me an email about the tmperr buffer overflow this morning. Not sure if he discovered it independently.] On Thursday 18 October 2012 08:50:37 Jan Lieskovsky wrote:
Hello Kurt, Steve, vendors, Attila Bogar reported a stack-based buffer overflow in the way MCrypt, a crypt() package and crypt(1) command replacement, used to encrypt / decrypt files with overly long names (longer than 128 bytes). A remote attacker could provide a specially-crafted file that, when processed by the mcrypt too, would lead to mcrypt executable crash [*]. A different vulnerability than CVE-2012-4409:
[...]
References: [2] https://bugzilla.redhat.com/show_bug.cgi?id=867790 Patch proposed by Attila: [3] https://bugzilla.redhat.com/show_bug.cgi?id=867790#c0
Why 132? tmperr is declared as: char tmperr[128]; That would still allow some bytes to be overwritten. [...]
P.S.: I am not sure about relation of this issue to the issue Raphael Geissert reported previously: [4] http://www.openwall.com/lists/oss-security/2012/10/02/1 so CC-in him too, he to clarify if [2] == [4], or if they are yet different issues. Raphael, please clarify.
They are different issues. The closest is CVE-2012-4426[5]. I didn't look much into those other buffers as they would require an attacker to control the arguments passed to mcrypt(1) to exploit them. Kurt, regarding the issues in [4], I don't know what other reference you want me to add. There's nothing more than what's on the thread. [5]http://www.openwall.com/lists/oss-security/2012/09/13/22 Regards, -- Raphael Geissert - Debian Developer www.debian.org - get.debian.net
Current thread:
- CVE Request -- mcrypt: stack-based buffer overflow by encryption / decryption of overly long file names Jan Lieskovsky (Oct 18)
- Re: CVE Request -- mcrypt: stack-based buffer overflow by encryption / decryption of overly long file names Kurt Seifried (Oct 18)
- Re: CVE Request -- mcrypt: stack-based buffer overflow by encryption / decryption of overly long file names Steven M. Christey (Nov 19)
- Re: CVE Request -- mcrypt: stack-based buffer overflow by encryption / decryption of overly long file names Jan Lieskovsky (Nov 20)
- Re: CVE Request -- mcrypt: stack-based buffer overflow by encryption / decryption of overly long file names Matthias Weckbecker (Nov 22)
- Re: CVE Request -- mcrypt: stack-based buffer overflow by encryption / decryption of overly long file names Attila Bogár (Nov 22)
- Re: CVE Request -- mcrypt: stack-based buffer overflow by encryption / decryption of overly long file names Steven M. Christey (Nov 19)
- Re: CVE Request -- mcrypt: stack-based buffer overflow by encryption / decryption of overly long file names Kurt Seifried (Oct 18)