Date: Mon, 10 Sep 2012 13:59:25 -0500
From: Raphael Geissert <geissert@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request - mcrypt buffer overflow flaw

On Thursday 06 September 2012 15:44:54 Vincent Danen wrote:
> * [2012-09-06 15:11:27 -0500] Raphael Geissert wrote:
> >I'm attaching a patch that makes mcrypt abort when the salt is longer
> >than the temp buffer it uses.

I should have probably mentioned this before for those reviewing the patch 
(or better, added a comment to the patch):
Even though the patch checks for salt_size > sizeof(tmp_buf) which is 101, 
and later the memmove copies to decrypt_general() (src/classic.c)'s 
local_salt, which is 100-long, the salt_size can't be an odd number (it is 
decreased by one to make it even-numbered). So, there can't be a one-byte 
overflow.

> >I'm attaching another patch that prevents the format string attacks.
> 
> Fantastic, thanks for this.  I suppose the format string issues may
> require another CVE name?  I'm not sure if they're exploitable or not
> (no chance right now to look at it further).

I didn't spend much time on them, but none seemed to be exploitable.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
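The parity argument above can be checked mechanically. The following is an added model, not mcrypt's source or the patch itself: it assumes a 101-byte tmp_buf, a 100-byte local_salt, the odd-to-even rounding of salt_size and the new size check, and then tries every salt length to confirm the copy into local_salt can never exceed 100 bytes.

```c
#include <stddef.h>
#include <string.h>

/* Sizes quoted in the message: temp buffer is 101 bytes, local_salt is 100. */
#define TMP_BUF_SIZE 101
#define LOCAL_SALT_SIZE 100

/* Model of the salt handling as the message describes it (assumed order:
 * round down, check, copy). Returns the number of bytes placed in
 * local_salt, or -1 when the salt is rejected (the patch's abort). */
int handle_salt(const unsigned char *salt, size_t salt_size, unsigned char *local_salt)
{
    unsigned char tmp_buf[TMP_BUF_SIZE];

    /* An odd salt_size is decreased by one to make it even. */
    if (salt_size & 1)
        salt_size--;

    /* The check added by the patch: refuse instead of overflowing tmp_buf. */
    if (salt_size > sizeof(tmp_buf))
        return -1;

    memcpy(tmp_buf, salt, salt_size);
    /* salt_size is even and <= 101, so it is at most 100 here: it fits
     * local_salt exactly and no one-byte overflow is possible. */
    memmove(local_salt, tmp_buf, salt_size);
    return (int)salt_size;
}

/* Runs handle_salt on a constructed salt of length n (filled with 'S'). */
int salt_result(size_t n)
{
    unsigned char salt[512];
    unsigned char local_salt[LOCAL_SALT_SIZE];
    if (n > sizeof(salt))
        return -1;
    memset(salt, 'S', sizeof(salt));
    return handle_salt(salt, n, local_salt);
}

/* Exhaustive check over salt lengths 0..max: returns 1 if the number of
 * bytes copied into local_salt never exceeds LOCAL_SALT_SIZE, else 0. */
int copy_never_overflows(size_t max)
{
    for (size_t n = 0; n <= max; n++)
        if (salt_result(n) > LOCAL_SALT_SIZE)
            return 0;
    return 1;
}
```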
