Home page logo
/

bugtraq logo Bugtraq mailing list archives

RSAREF2 buffer overflow patch
From: core.lists.bugtraq () CORE-SDI COM (Gerardo Richarte)
Date: Fri, 10 Dec 1999 22:24:01 -0300


    While exchanging emails with CERT about the problem in RSAREF2 they
told me that somebody anonymous observed that there may be problem on
the
patch we released for RSAREF2. Together we produced a new version of
this
patch, which you can find in
ftp://www.core-sdi.com/pub/patches/rsaref2.patch
or at the end of this email.
    While we [Core SDI S.A.] and the CERT are not aware of any exploit
that bypasses
the checks performed by the previous version, this new version is more
strict than the
other, so we recommend you to use it.
    We still think that RSAREF's problem need to be solved a little
better that with a
patch, but still this is more than what we can legally do... while it's
obligatory to use
RSAREF [only] in the USA, nobody can legally alter its sources, so be
careful when
changing them.

    richie

PS: You must apply this new patch to the original version of rsa.c.

--------------------------------------- rsaref2.patch
*** rsa.original.c Fri Mar 26 14:01:48 1994
--- rsa.c Fri Dec 10 12:56:34 1999
***************
*** 33,38 ****
--- 33,41 ----
    unsigned char byte, pkcsBlock[MAX_RSA_MODULUS_LEN];
    unsigned int i, modulusLen;

+   if (publicKey->bits > MAX_RSA_MODULUS_BITS)
+     return (RE_LEN);
+
    modulusLen = (publicKey->bits + 7) / 8;
    if (inputLen + 11 > modulusLen)
      return (RE_LEN);
***************
*** 78,83 ****
--- 81,89 ----
    unsigned char pkcsBlock[MAX_RSA_MODULUS_LEN];
    unsigned int i, modulusLen, pkcsBlockLen;

+   if (publicKey->bits > MAX_RSA_MODULUS_BITS)
+     return (RE_LEN);
+
    modulusLen = (publicKey->bits + 7) / 8;
    if (inputLen > modulusLen)
      return (RE_LEN);
***************
*** 128,133 ****
--- 134,142 ----
    int status;
    unsigned char pkcsBlock[MAX_RSA_MODULUS_LEN];
    unsigned int i, modulusLen;
+
+   if (privateKey->bits > MAX_RSA_MODULUS_BITS)
+     return (RE_LEN);

    modulusLen = (privateKey->bits + 7) / 8;
    if (inputLen + 11 > modulusLen)
***************
*** 168,173 ****
--- 177,185 ----
    unsigned char pkcsBlock[MAX_RSA_MODULUS_LEN];
    unsigned int i, modulusLen, pkcsBlockLen;

+   if (privateKey->bits > MAX_RSA_MODULUS_BITS)
+     return (RE_LEN);
+
    modulusLen = (privateKey->bits + 7) / 8;
    if (inputLen > modulusLen)
      return (RE_LEN);


--
A390 1BBA 2C58 D679 5A71 - 86F9 404F 4B53 3944 C2D0
Investigacion y Desarrollo - CoreLabs - Core SDI
http://www.core-sdi.com

--- For a personal reply use gera () core-sdi com



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]