Date: Thu, 6 Sep 2012 15:11:27 -0500
From: Raphael Geissert <geissert@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request - mcrypt buffer overflow flaw

Hi,

On Thursday 06 September 2012 09:37:14 Vincent Danen wrote:
> A buffer overflow was reported, in mcrypt version 2.6.8 and
> earlier due to a boundary error in the processing of an encrypted file
> (via the check_file_head() function in src/extra.c). If a user were
> tricked into attempting to decrypt a specially-crafted .nc encrypted
> file, this flaw would cause a stack-based buffer overflow that could
> potentially lead to arbitrary code execution.

I'm attaching a patch that makes mcrypt abort when the salt is longer
than the temp buffer it uses.

While working on it, I noticed the err_ functions do not have a constant
printf format, yet there are calls such as:

    sprintf(tmperr, _("Input File: %s\n"), infile);
    err_info(tmperr);

[print_enc_info in src/extra.c]

And a few others in src/mcrypt.c; for instance:

    $ mcrypt --no-openpgp "%s.nc"
    mcrypt: h���Fn�`.nc is not a regular file. Skipping...

I'm attaching another patch that prevents the format string attacks.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net

Attachments: "mcrypt-format-strings.patch" (text/x-patch, 711 bytes); "CVE-2012-4409.patch" (text/x-patch, 589 bytes)
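The two bug classes in the message (a salt copied into a fixed-size stack buffer without a length check, and a user-controlled filename reaching a printf-style err_ function as the format string) are illustrated below in an added example. This is not mcrypt's code and not the content of either attached patch: the header layout (one salt-length byte followed by the salt), the buffer size TMP_BUF, and the function names are assumptions made for the demonstration, and the unsafe variant is shown only in a comment so that nothing here executes undefined behaviour.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TMP_BUF 16   /* hypothetical size of the scratch salt buffer */

/*
 * Format-string hazard, as in the message: the caller does
 *     sprintf(tmperr, "Input File: %s\n", infile);
 *     err_info(tmperr);            // tmperr becomes the *format*
 * so an infile of "%s.nc" makes the err_ function read stack
 * arguments that were never passed. The unsafe sink would look like
 *     static void err_info_unsafe(const char *msg) { fprintf(stderr, msg); }
 * and is deliberately not compiled here.
 */

/* Hardened sink: the message is always data, never the format. */
static void err_info_safe(FILE *out, const char *msg)
{
    fprintf(out, "%s", msg);
}

/* Count the conversions a string would trigger if misused as a format.
 * "%%" is a literal percent sign and does not count. A non-zero result
 * for a filename is exactly the condition the "%s.nc" test case shows. */
static int count_format_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }
        n++;
    }
    return n;
}

/* Build the "Input File: ..." line into a bounded buffer.
 * Returns the message length, or -1 if it did not fit (sprintf in the
 * original has no such bound). */
static int format_input_file_msg(char *dst, size_t dstlen, const char *infile)
{
    int n = snprintf(dst, dstlen, "Input File: %s\n", infile);
    if (n < 0 || (size_t)n >= dstlen)
        return -1;
    return n;
}

/* Salt-length check in the spirit of the CVE-2012-4409 fix: the header
 * is assumed (hypothetically) to carry a one-byte salt length followed
 * by the salt bytes. Copy into tmp only if it fits.
 * Returns the salt length, -1 for an empty header, -2 if the salt is
 * longer than tmp (the overflow case), -3 if the header is truncated. */
static int copy_salt_checked(uint8_t *tmp, size_t tmplen,
                             const uint8_t *hdr, size_t hdrlen)
{
    if (hdrlen < 1)
        return -1;
    size_t salt_len = hdr[0];
    if (salt_len > tmplen)
        return -2;                 /* abort instead of smashing the stack */
    if (hdrlen < 1 + salt_len)
        return -3;
    memcpy(tmp, hdr + 1, salt_len);
    return (int)salt_len;
}

int main(void)
{
    char msg[64];
    uint8_t tmp[TMP_BUF];
    /* constructed inputs: a hostile filename and an oversized salt */
    const char *infile = "%s.nc";
    uint8_t bad_hdr[1 + 32];
    memset(bad_hdr, 'A', sizeof bad_hdr);
    bad_hdr[0] = 32;

    if (format_input_file_msg(msg, sizeof msg, infile) > 0)
        err_info_safe(stdout, msg);          /* prints the literal %s.nc */
    printf("conversions in filename: %d\n", count_format_conversions(infile));
    printf("salt copy result: %d\n", copy_salt_checked(tmp, sizeof tmp,
                                                      bad_hdr, sizeof bad_hdr));
    return 0;
}
```

With the hardened sink the filename "%s.nc" is printed verbatim rather than being interpreted, and an .nc header whose salt does not fit the scratch buffer is rejected before any copy happens.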