Date: Mon, 5 Jun 2017 21:32:11 -0400
From: Jeffrey Walton <noloader@...il.com>
To: oss-security@...ts.openwall.com
Subject: Crypto++ and invalid read in decompressor class

Hi Everyone,

Crypto++ (https://www.cryptopp.com/) is a free and open source
library of cryptographic schemes originally written by Wei Dai. Smart
fuzzing revealed Crypto++'s Zinflate class, used by classes like
Gunzip and Inflator, could perform an out-of-bounds read when
decompressing data.

The out-of-bounds read occurs on a table with 30 elements. The table
is static and its storage is allocated in initialized memory. The
attacker can craft a ZIP file that allows a read of the last two
non-existent elements. We believe an attacker can only read 0-bytes
due to the storage allocation. We were not able to escalate it to a
write. We believe it's a low-risk finding.

We were not able to induce failures in other classes using the
techniques. Other classes include those that are related, like
compressors; and those which are unrelated, like public and private
keys.

The issue is being tracked by the library at
https://github.com/weidai11/cryptopp/issues/414. The Gentoo folks
assigned CVE-2017-9434 to track the issue.

The fix is available in Master. It is also available for several
versions of the library at
https://github.com/weidai11/cryptopp/issues/414#issuecomment-300671740.

Jeff
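
As an added illustration that is not part of the original post and is not Crypto++'s code: the message does not name the table, so this sketch assumes it is a DEFLATE distance-code table, which RFC 1951 defines with 30 entries (codes 0-29) while a 5-bit code can also name 30 and 31. The names `kDistTable`, `kDistCount` and `ResolveDistance` are hypothetical.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// RFC 1951, section 3.2.5: base distance and extra-bit count for the
// 30 valid distance codes (0..29). Codes 30 and 31 have no entry.
struct DistEntry { std::uint16_t base; std::uint8_t extraBits; };

static const DistEntry kDistTable[] = {
    {1, 0},     {2, 0},     {3, 0},      {4, 0},      {5, 1},     {7, 1},
    {9, 2},     {13, 2},    {17, 3},     {25, 3},     {33, 4},    {49, 4},
    {65, 5},    {97, 5},    {129, 6},    {193, 6},    {257, 7},   {385, 7},
    {513, 8},   {769, 8},   {1025, 9},   {1537, 9},   {2049, 10}, {3073, 10},
    {4097, 11}, {6145, 11}, {8193, 12},  {12289, 12}, {16385, 13}, {24577, 13}
};
static const std::size_t kDistCount = sizeof(kDistTable) / sizeof(kDistTable[0]);

// Turns a decoded distance code plus its extra bits into a back-reference
// distance. Returns false for anything a well-formed stream cannot contain.
bool ResolveDistance(unsigned code, std::uint32_t extra,
                     std::size_t produced, std::uint32_t *out) {
    // The code comes from untrusted input and a 5-bit field can hold 0..31,
    // so check it against the table size before indexing.
    if (code >= kDistCount) return false;
    const DistEntry &e = kDistTable[code];
    // The extra value must fit in the number of extra bits for this code.
    if ((extra >> e.extraBits) != 0) return false;
    const std::uint32_t distance = e.base + extra;
    // A back-reference cannot reach before the start of the output.
    if (distance > produced) return false;
    *out = distance;
    return true;
}

int main() {
    const unsigned samples[] = {0, 29, 30, 31};  // constructed inputs
    for (unsigned code : samples) {
        std::uint32_t d = 0;
        bool ok = ResolveDistance(code, 0, 32768, &d);
        std::printf("code %2u -> %s (distance %u)\n", code,
                    ok ? "accepted" : "rejected", (unsigned)d);
    }
    return 0;
}
```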
