Date: Mon, 31 Aug 2009 18:50:50 +0200 From: Nico Golde <oss-security+ml@...lde.de> To: oss-security@...ts.openwall.com Subject: CVE id request: silc-toolkit Hi, silc-toolkit upstream fixed  various security issues which from my assessment allow an attacker arbitrary code execution. I'd like to get some CVE ids for these. | ASN1: Fix stack variable overwrite when encoding OID. | | The call to sscanf specifies a format string of "%lu", a long unsigned | int. The pointer argument was cast to unsigned long *, but this is | wrong for 64 bit systems. On 64 bit systems, unsigned long is 64 bits, | but the oid value is a SilcUInt32 on all systems. As a result, sscanf | will overwrite a neighboring variable on the stack. Fix this by | changing the format string to "%u" and removing the cast. | Fixed string format vulnerability in client entry handling. | | Reported and patch provided by William Cummings. This one allows an attacker to execute arbitrary code, tested. | More string format fixes in silcd and client libary From what I see this is only a problem if full_channel_names settings is used in SilcClientParams and can't be triggered by an attacker but only by the victim, maybe I miss something, I'm not that familar with the silc protocol. | HTTP: fix stack overwrite due to format string error. | | On AMD64, %lu refers to a 64-bit unsigned value, but the address passed | to sscanf points to a 32-bit unsigned value. This causes an adjoining | value on the stack to be overwritten with data from the converted | integer. Fix the format string to match the size of the supplied value, | and remove the pointer cast. This is only a problem if the internal http server e.g. for checking stats is enabled. Can I get CVE ids for the above issues? The upstream patch is attached. Cheers Nico  http://silcnet.org/docs/changelog/SILC%20Toolkit%201.1.10 -- Nico Golde - http://www.ngolde.de - nion@...ber.ccc.de - GPG: 0xA0A0AAAA For security reasons, all text in this mail is double-rot13 encrypted. View attachment "silc.patch" of type "text/x-diff" (6255 bytes) Content of type "application/pgp-signature" skipped
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ