Date: Mon, 5 Jun 2017 21:32:11 -0400
From: Jeffrey Walton <noloader@...il.com>
To: oss-security@...ts.openwall.com
Subject: Crypto++ and invalid read in decompressor class

Hi Everyone,

Crypto++ (https://www.cryptopp.com/) is a free and open source library of cryptographic schemes originally written by Wei Dai. Smart fuzzing revealed Crypto++'s Zinflate class, used by classes like Gunzip and Inflator, could perform an out-of-bounds read when decompressing data.

The out-of-bounds read occurs on a table with 30 elements. The table is static and its storage is allocated in initialized memory. The attacker can craft a ZIP file that allows a read of the last two non-existent elements.

We believe an attacker can only read 0-bytes due to the storage allocation. We were not able to escalate it to a write. We believe it's a low-risk finding.

We were not able to induce failures in other classes using the techniques. Other classes include those that are related, like compressors; and those which are unrelated, like public and private keys.

The issue is being tracked by the library at https://github.com/weidai11/cryptopp/issues/414. The Gentoo folks assigned CVE-2017-9434 to track the issue.

The fix is available in Master. It is also available for several versions of the library at https://github.com/weidai11/cryptopp/issues/414#issuecomment-300671740 .

Jeff
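
The class of check the message describes, as an added example that is not part of the original post and is not Crypto++'s code. It assumes the 30-element table is the DEFLATE distance table of RFC 1951 (the message does not name the table); BitReader, decodeFixedDistance and the k* names are hypothetical.

```cpp
#include <cstddef>
#include <cstdint>

// RFC 1951 sec. 3.2.5: base distance and extra-bit count for codes 0..29.
static const std::uint16_t kDistBase[30] = {
    1, 2, 3, 4, 5, 7, 9, 13, 17, 25, 33, 49, 65, 97, 129, 193, 257, 385,
    513, 769, 1025, 1537, 2049, 3073, 4097, 6145, 8193, 12289, 16385, 24577};
static const std::uint8_t kDistExtra[30] = {
    0, 0, 0, 0, 1, 1, 2, 2, 3, 3, 4, 4, 5, 5, 6, 6, 7, 7,
    8, 8, 9, 9, 10, 10, 11, 11, 12, 12, 13, 13};
static const std::size_t kDistCodes = sizeof(kDistBase) / sizeof(kDistBase[0]);

// Hypothetical minimal bit reader: DEFLATE packs bits LSB-first in each byte.
struct BitReader {
    const std::uint8_t* data;
    std::size_t len;
    std::size_t pos;  // bit offset into data
    bool bit(unsigned& out) {
        if (pos / 8 >= len) return false;  // truncated input
        out = (data[pos / 8] >> (pos % 8)) & 1u;
        ++pos;
        return true;
    }
};

// Decode one fixed-Huffman distance. Returns false on truncated or invalid
// input instead of indexing past the end of either table.
bool decodeFixedDistance(BitReader& in, unsigned& distance) {
    unsigned code = 0, b = 0;
    for (int i = 0; i < 5; ++i) {  // Huffman code bits arrive MSB-first
        if (!in.bit(b)) return false;
        code = (code << 1) | b;
    }
    // A 5-bit code spans 0..31 but only 30 entries exist: reject 30 and 31
    // before touching either table.
    if (code >= kDistCodes) return false;
    unsigned extra = 0;
    for (unsigned i = 0; i < kDistExtra[code]; ++i) {  // extra bits LSB-first
        if (!in.bit(b)) return false;
        extra |= b << i;
    }
    distance = kDistBase[code] + extra;
    return true;
}
```

A caller should treat a false return as corrupt input and stop decompressing the stream.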