Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 18 Apr 2015 00:07:22 -0400 (EDT)
From: cve-assign@...re.org
To: ben@...adent.org.uk
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, 782561@...s.debian.org
Subject: Re: Buffer overruns in Linux kernel RFC4106 implementation using AESNI

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> Linux kernel commit ccfe8c3f7e52 ("crypto: aesni - fix memory usage in
> GCM decryption") fixes two bugs in pointer arithmetic that lead to
> buffer overruns (even with valid parameters!):
> 
> https://git.kernel.org/linus/ccfe8c3f7e52ae83155cb038753f4c75b774ca8a
> https://bugs.debian.org/782561
> 
> These are described as resulting in DoS (local or remote), but are
> presumably also exploitable for privilege escalation.

> As the destination buffer for decryption only needs to hold the
> plaintext memory but cryptlen references the input buffer holding
> (ciphertext || authentication tag), the assumption of the destination
> buffer length in RFC4106 GCM operation leads to a too large size. ...
> In addition, ... cryptlen already includes the size of the tag. Thus,
> the tag does not need to be added.

Use CVE-2015-3331.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJVMdeRAAoJEKllVAevmvmsidIH/i/kj781LmDCrwkAoGRREwKE
Bw8eKCM7Rb5u5om8T+wfX93UBvXQEm9sms3B4LAhpvhQ+hE64M8ETsQq8/Y2J5b3
gz5UQDd57TxIiBUkKuSA6CTQxUw5m+SRd2tlZckgpBjRRWYfKZvaPj/KqI/Uztq+
/WwFU0hXDzAq650mMFGluduwpKpeDIXxtYaNajbFHJdDDhVL0eUiJv2SxUsc3cse
Okx2fFoAKXmyf7YfXN6bgZKE4A4w2LWq175/TvcDTsVzUdct3ramDPVRNBE2LCYx
JXkLV4vuoFxkCScPH6zUPOgaqC+obqCWN0XBjkXx064on9BAM/34aZgZfX5TCf0=
=KYnV
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ