Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 13 Sep 2012 14:48:00 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Raphael Geissert <geissert@...ian.org>
Subject: Re: CVE request - mcrypt buffer overflow flaw

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/06/2012 02:11 PM, Raphael Geissert wrote:
> Hi,
> 
> On Thursday 06 September 2012 09:37:14 Vincent Danen wrote:
>> A buffer overflow was reported [1],[2] in mcrypt version 2.6.8
>> and earlier due to a boundary error in the processing of an
>> encrypted file (via the check_file_head() function in
>> src/extra.c).  If a user were tricked into attempting to decrypt
>> a specially-crafted .nc encrypted flie, this flaw would cause a
>> stack-based buffer overflow that could potentially lead to
>> arbitrary code execution.
> 
> I'm attaching a patch that makes mcrypt abort when the salt is
> longer than the temp buffer it uses.
> 
> While working on it, I noticed the err_ functions do not have a
> constant printf format, yet there are calls such as: 
> sprintf(tmperr, _("Input File: %s\n"), infile); err_info(tmperr); 
> [print_enc_info in src/extra.c]
> 
> And a few others in src/mcrypt.c; for instance: $ mcrypt
> --no-openpgp "%s.nc" mcrypt: h���Fn�`.nc is not a regular file.
> Skipping...
> 
> I'm attaching another patch that prevents the format string
> attacks.
> 
> Cheers,

Please use CVE-2012-4426 for these format string issues.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iQIcBAEBAgAGBQJQUkZ/AAoJEBYNRVNeJnmTP9YP/11qqwwMjEnej8e4hRYFcqtB
8w/nqDoOGDwyxMLRYW7K3OjS5oBxNUOSsLcuNjpeNOJ+9EKNXpSfCR66Q8pJ0DHT
mCbkPWQFaRMXkFLJCtXA1c5vEGdC2bG6EACflxmKmnwUlT/zJzXDa1q1DD3re4hI
HYy+dkFwVOvpyNoQhRLAi6KpRDzkTK6ohf7dMQmZ+1v2DKEtVja+fycWqJm09zRm
Zoen4lZTeiZZT1nV8CQJrHjIuEeVnULyYZpVDUvzrWA4yttFalz+hsGUPSxwvGFp
5iwm42i+Q20bLmij44c5i09kRuo6Cx1BhlfTwRLk3dMN7cDZGUd7jHuzaL/VlndI
/ybY+3pNQZlvATn0y/fI53yaJhYypgnM+CUF+l4LaLGgneGj/hYamBGfEvcG9rJw
vyI9c2Wxr07byFQXV9Z3Y73u+q4gePfXsjw2cMt59xlkugEvQMcviEdQMPp/RUMt
KGHrbV2p4okxP35qo7zF7ztXG5/vW8bvIemwiYfaBnXBFArPCYgtYzpc4tlb/0Nj
4ZtCQ8n63k62+PJpdTvXbMMtMXBTK04lJd8o1U7wtZpphJQbKl4A0bPYc6vWVarj
fr6A8mp1bDI+hT1LH/nUjFmpudHafy5g3/9tiE+BG8Ozs1RUz3B4b6GzbuVjuTQq
c5iHRTdGSQL2i6EBVuPW
=G+yt
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ