Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 18 Oct 2012 20:14:25 -0500
From: Raphael Geissert <>
To: Jan Lieskovsky <>
Cc: "Steven M. Christey" <>,,
 Attila Bogar <>
Subject: Re: CVE Request -- mcrypt: stack-based buffer overflow by encryption / decryption of overly long file names

Hi Jan, everyone,

[BCC'ing Malcolm Parsons, who sent me an email about the tmperr buffer 
overflow this morning. Not sure if he discovered it independently.]

On Thursday 18 October 2012 08:50:37 Jan Lieskovsky wrote:
> Hello Kurt, Steve, vendors,
>   Attila Bogar reported a stack-based buffer overflow
> in the way MCrypt, a crypt() package and crypt(1) command
> replacement, used to encrypt / decrypt files with overly
> long names (longer than 128 bytes). A remote attacker
> could provide a specially-crafted file that, when processed
> by the mcrypt too, would lead to mcrypt executable crash [*].
> A different vulnerability than CVE-2012-4409:
> References:
> [2]
> Patch proposed by Attila:
> [3]

Why 132? tmperr is declared as:
char tmperr[128];

That would still allow some bytes to be overwritten.

> P.S.: I am not sure about relation of this issue to the issue
>       Raphael Geissert reported previously:
>       [4]
>       so CC-in him too, he to clarify if [2] == [4], or if
>       they are yet different issues. Raphael, please clarify.

They are different issues. The closest is CVE-2012-4426[5].

I didn't look much into those other buffers as they would require an attacker 
to control the arguments passed to mcrypt(1) to exploit them.

Kurt, regarding the issues in [4], I don't know what other reference you 
want me to add. There's nothing more than what's on the thread.


Raphael Geissert - Debian Developer -

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.