Date: Mon, 10 Sep 2012 13:59:25 -0500 From: Raphael Geissert <geissert@...ian.org> To: oss-security@...ts.openwall.com Subject: Re: CVE request - mcrypt buffer overflow flaw On Thursday 06 September 2012 15:44:54 Vincent Danen wrote: > * [2012-09-06 15:11:27 -0500] Raphael Geissert wrote: > >I'm attaching a patch that makes mcrypt abort when the salt is longer > >than the temp buffer it uses. I should have probably mentioned this before for those reviewing the patch (or better, added a comment to the patch): Even though the patch checks for salt_size > sizeof(tmp_buf) which is 101, and later the memmove copies to decrypt_general() (src/classic.c)'s local_salt, which is 100-long, the salt_size can't be an odd number (it is decreased by one to make it even-numbered). So, there can't be a one-byte overflow. > >I'm attaching another patch that prevents the format string attacks. > > Fantastic, thanks for this. I suppose the format string issues may > require another CVE name? I'm not sure if they're exploitable or not > (no chance right now to look at it further). I didn't spend much time on them, but none seemed to be exploitable. Cheers, -- Raphael Geissert - Debian Developer www.debian.org - get.debian.net
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.