Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 31 Mar 2008 17:08:03 -0400 (EDT)
From: "Steven M. Christey" <>
To: Ludwig Nussel <>
cc: "Steven M. Christey" <>,
        oss-security <>
Subject: Re: CVE request: silc

Name: CVE-2008-1552
Status: Candidate
Reference: BUGTRAQ:20080325 CORE-2007-1212: SILC pkcs_decode buffer overflow
Reference: URL:
Reference: MISC:
Reference: CONFIRM:
Reference: CONFIRM:
Reference: CONFIRM:
Reference: BID:28373
Reference: URL:
Reference: FRSIRT:ADV-2008-0974
Reference: URL:
Reference: SECTRACK:1019690
Reference: URL:
Reference: SECUNIA:29463
Reference: URL:

The silc_pkcs1_decode function in the silccrypt library (silcpkcs1.c)
in Secure Internet Live Conferencing (SILC) Toolkit before 1.1.7, SILC
Client before 1.1.4, and SILC Server before 1.1.2 allows remote
attackers to execute arbitrary code via a crafted PKCS#1 message,
which triggers an integer underflow, signedness error, and a buffer
overflow.  NOTE: the researcher describes this as an integer overflow,
but CVE uses the "underflow" term in cases of wraparound from unsigned

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.