Date: Thu, 6 Sep 2012 14:44:54 -0600 From: Vincent Danen <vdanen@...hat.com> To: oss-security@...ts.openwall.com Subject: Re: CVE request - mcrypt buffer overflow flaw * [2012-09-06 15:11:27 -0500] Raphael Geissert wrote: >On Thursday 06 September 2012 09:37:14 Vincent Danen wrote: >> A buffer overflow was reported , in mcrypt version 2.6.8 and >> earlier due to a boundary error in the processing of an encrypted file >> (via the check_file_head() function in src/extra.c). If a user were >> tricked into attempting to decrypt a specially-crafted .nc encrypted >> flie, this flaw would cause a stack-based buffer overflow that could >> potentially lead to arbitrary code execution. > >I'm attaching a patch that makes mcrypt abort when the salt is longer than >the temp buffer it uses. > >While working on it, I noticed the err_ functions do not have a constant >printf format, yet there are calls such as: > sprintf(tmperr, _("Input File: %s\n"), infile); > err_info(tmperr); >[print_enc_info in src/extra.c] > >And a few others in src/mcrypt.c; for instance: >$ mcrypt --no-openpgp "%s.nc" >mcrypt: h?????????Fn???`.nc is not a regular file. Skipping... > >I'm attaching another patch that prevents the format string attacks. Fantastic, thanks for this. I suppose the format string issues may require another CVE name? I'm not sure if they're exploitable or not (no chance right now to look at it further). -- Vincent Danen / Red Hat Security Response Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ