Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Mon, 31 Aug 2009 18:50:50 +0200
From: Nico Golde <>
Subject: CVE id request: silc-toolkit

silc-toolkit upstream fixed [0] various security issues which 
from my assessment allow an attacker arbitrary code 
execution. I'd like to get some CVE ids for these.

|    ASN1: Fix stack variable overwrite when encoding OID.
|    The call to sscanf specifies a format string of "%lu", a long unsigned
|    int.  The pointer argument was cast to unsigned long *, but this is
|    wrong for 64 bit systems.  On 64 bit systems, unsigned long is 64 bits,
|    but the oid value is a SilcUInt32 on all systems.  As a result, sscanf
|    will overwrite a neighboring variable on the stack.  Fix this by
|    changing the format string to "%u" and removing the cast.

|    Fixed string format vulnerability in client entry handling.
|    Reported and patch provided by William Cummings.

This one allows an attacker to execute arbitrary code, tested.

|     More string format fixes in silcd and client libary

From what I see this is only a problem if full_channel_names settings is used in
SilcClientParams and can't be triggered by an attacker but only by the victim,
maybe I miss something, I'm not that familar with the silc protocol.

|    HTTP: fix stack overwrite due to format string error.
|    On AMD64, %lu refers to a 64-bit unsigned value, but the address passed
|    to sscanf points to a 32-bit unsigned value.  This causes an adjoining
|    value on the stack to be overwritten with data from the converted
|    integer.  Fix the format string to match the size of the supplied value,
|    and remove the pointer cast.

This is only a problem if the internal http server e.g. for checking stats
is enabled.

Can I get CVE ids for the above issues?
The upstream patch is attached.



Nico Golde - - - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.

View attachment "silc.patch" of type "text/x-diff" (6255 bytes)

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ