Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 18 Oct 2012 20:14:25 -0500
From: Raphael Geissert <geissert@...ian.org>
To: Jan Lieskovsky <jlieskov@...hat.com>
Cc: "Steven M. Christey" <coley@...us.mitre.org>,
 oss-security@...ts.openwall.com,
 Attila Bogar <attila.bogar@...guamatics.com>
Subject: Re: CVE Request -- mcrypt: stack-based buffer overflow by encryption / decryption of overly long file names

Hi Jan, everyone,

[BCC'ing Malcolm Parsons, who sent me an email about the tmperr buffer 
overflow this morning. Not sure if he discovered it independently.]

On Thursday 18 October 2012 08:50:37 Jan Lieskovsky wrote:
> Hello Kurt, Steve, vendors,
> 
>   Attila Bogar reported a stack-based buffer overflow
> in the way MCrypt, a crypt() package and crypt(1) command
> replacement, used to encrypt / decrypt files with overly
> long names (longer than 128 bytes). A remote attacker
> could provide a specially-crafted file that, when processed
> by the mcrypt too, would lead to mcrypt executable crash [*].
> 
> A different vulnerability than CVE-2012-4409:
[...]
> References:
> [2] https://bugzilla.redhat.com/show_bug.cgi?id=867790
> 
> Patch proposed by Attila:
> [3] https://bugzilla.redhat.com/show_bug.cgi?id=867790#c0

Why 132? tmperr is declared as:
char tmperr[128];

That would still allow some bytes to be overwritten.

[...]
> P.S.: I am not sure about relation of this issue to the issue
>       Raphael Geissert reported previously:
>       [4] http://www.openwall.com/lists/oss-security/2012/10/02/1
> 
>       so CC-in him too, he to clarify if [2] == [4], or if
>       they are yet different issues. Raphael, please clarify.

They are different issues. The closest is CVE-2012-4426[5].

I didn't look much into those other buffers as they would require an attacker 
to control the arguments passed to mcrypt(1) to exploit them.

Kurt, regarding the issues in [4], I don't know what other reference you 
want me to add. There's nothing more than what's on the thread.

[5]http://www.openwall.com/lists/oss-security/2012/09/13/22

Regards,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.