oss-sec mailing list archives
Re: CVE request - mcrypt buffer overflow flaw
From: Vincent Danen <vdanen () redhat com>
Date: Thu, 6 Sep 2012 14:44:54 -0600
* [2012-09-06 15:11:27 -0500] Raphael Geissert wrote:
On Thursday 06 September 2012 09:37:14 Vincent Danen wrote:A buffer overflow was reported [1],[2] in mcrypt version 2.6.8 and earlier due to a boundary error in the processing of an encrypted file (via the check_file_head() function in src/extra.c). If a user were tricked into attempting to decrypt a specially-crafted .nc encrypted flie, this flaw would cause a stack-based buffer overflow that could potentially lead to arbitrary code execution.I'm attaching a patch that makes mcrypt abort when the salt is longer than the temp buffer it uses. While working on it, I noticed the err_ functions do not have a constant printf format, yet there are calls such as: sprintf(tmperr, _("Input File: %s\n"), infile); err_info(tmperr); [print_enc_info in src/extra.c] And a few others in src/mcrypt.c; for instance: $ mcrypt --no-openpgp "%s.nc" mcrypt: h?????????Fn???`.nc is not a regular file. Skipping... I'm attaching another patch that prevents the format string attacks.
Fantastic, thanks for this. I suppose the format string issues may require another CVE name? I'm not sure if they're exploitable or not (no chance right now to look at it further). --Vincent Danen / Red Hat Security Response Team
Current thread:
- CVE request - mcrypt buffer overflow flaw Vincent Danen (Sep 06)
- Re: CVE request - mcrypt buffer overflow flaw Kurt Seifried (Sep 06)
- Re: CVE request - mcrypt buffer overflow flaw Raphael Geissert (Sep 06)
- Re: CVE request - mcrypt buffer overflow flaw Vincent Danen (Sep 06)
- Re: CVE request - mcrypt buffer overflow flaw Raphael Geissert (Sep 10)
- Re: CVE request - mcrypt buffer overflow flaw Kurt Seifried (Sep 13)
- Re: CVE request - mcrypt buffer overflow flaw Vincent Danen (Sep 06)
- Re: CVE request - mcrypt buffer overflow flaw Eygene Ryabinkin (Sep 11)
- Re: CVE request - mcrypt buffer overflow flaw Raphael Geissert (Sep 12)
- Re: CVE request - mcrypt buffer overflow flaw Kurt Seifried (Sep 13)
- Re: CVE request - mcrypt buffer overflow flaw Raphael Geissert (Sep 13)
- Re: CVE request - mcrypt buffer overflow flaw Raphael Geissert (Sep 12)
- Re: CVE request - mcrypt buffer overflow flaw Raphael Geissert (Sep 15)