Date: Mon, 10 Sep 2012 13:59:25 -0500
From: Raphael Geissert <geissert@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request - mcrypt buffer overflow flaw

On Thursday 06 September 2012 15:44:54 Vincent Danen wrote:
> * [2012-09-06 15:11:27 -0500] Raphael Geissert wrote:
> >I'm attaching a patch that makes mcrypt abort when the salt is longer
> >than the temp buffer it uses.

I should have probably mentioned this before for those reviewing the patch (or better, added a comment to the patch):

Even though the patch checks for salt_size > sizeof(tmp_buf), which is 101, and later the memmove copies to decrypt_general() (src/classic.c)'s local_salt, which is 100-long, the salt_size can't be an odd number (it is decreased by one to make it even-numbered). So, there can't be a one-byte overflow.

> >I'm attaching another patch that prevents the format string attacks.
>
> Fantastic, thanks for this. I suppose the format string issues may
> require another CVE name? I'm not sure if they're exploitable or not
> (no chance right now to look at it further).

I didn't spend much time on them, but none seemed to be exploitable.

Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
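The bounds argument in the message above, as an added illustration that is not mcrypt's source or the patch itself: a model of the salt path with a 101-byte temp buffer, a 100-byte local_salt in the caller, the patch's size check, and the round-down to an even length. The function name copy_salt, the ordering of check before round-down, and the buffer sizes as constants are assumptions made for the model.

```c
#include <assert.h>
#include <stddef.h>
#include <string.h>

/* Model of the salt handling discussed in the thread (not mcrypt's code).
 * Sizes follow the message: temp buffer is 101 bytes, local_salt is 100. */
#define TMP_BUF_SIZE    101
#define LOCAL_SALT_SIZE 100

/* Copies a salt through the temp buffer into local_salt.
 * Returns the number of bytes that reach local_salt, or -1 when the
 * patched check rejects the salt (where mcrypt would abort). */
int copy_salt(const unsigned char *salt, size_t salt_size,
              unsigned char *local_salt)
{
    unsigned char tmp_buf[TMP_BUF_SIZE];

    /* The check added by the patch: salt must fit the temp buffer. */
    if (salt_size > sizeof(tmp_buf))
        return -1;

    memcpy(tmp_buf, salt, salt_size);

    /* salt_size is forced even by dropping one byte from an odd length,
     * so the largest value passing the check (101) becomes 100 here. */
    if (salt_size % 2 == 1)
        salt_size--;

    /* The invariant the message relies on: no one-byte overflow possible. */
    assert(salt_size <= LOCAL_SALT_SIZE);
    memmove(local_salt, tmp_buf, salt_size);
    return (int)salt_size;
}

int main(void)
{
    /* Constructed input: a 102-byte salt filled with a fixed pattern. */
    unsigned char salt[102];
    unsigned char out[LOCAL_SALT_SIZE];
    memset(salt, 0x41, sizeof(salt));

    assert(copy_salt(salt, 101, out) == 100); /* odd max -> rounded to 100 */
    assert(copy_salt(salt, 102, out) == -1);  /* rejected by the new check */
    return 0;
}
```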