Re: CVE request - mcrypt buffer overflow flaw
From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 02 Oct 2012 13:20:20 -0600
On 10/02/2012 12:42 PM, Raphael Geissert wrote:
I think at least one more CVE id needs to be assigned:
On Saturday 15 September 2012 19:22:06 Raphael Geissert wrote:
On Tuesday 11 September 2012 10:19:38 Eygene Ryabinkin wrote:
Another week, another couple of patches. One makes it use strncpy
and forces a NUL on the last byte of local_algorithm, local_mode,
and local_keymode. Their values are checked later on, so it seems
safe to pass unvalidated data. The size of the buffers is
hard-coded to avoid making many changes to the code.
I think this needs a separate id, since fixes were released by
Fedora and Debian referencing CVE-2012-4409 but only for the
Eygene's follow-up issues have been fixed in Debian without
referencing a CVE id.
Can you post a link to source fixes/commits? Thanks.
Once those issues were fixed I noticed that salt_size is not
initialized if the salt flag is not set. The result is an
unconditional call to malloc, with an uninitialized int as
argument. This can lead to a non-attacker-controlled memory
consumption DoS in most cases. It makes me think nobody actually
ever used it without a salt.
I've no strong opinion on whether this deserves an id.
Hrmm there's a thought, has this DoS been confirmed? As we've probably
seen over the last year more than a few sites fail to salt their
stored passwords =(.
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
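As an added illustration of the two fixes the thread discusses (this is example code, not mcrypt's own): a bounded strncpy with a forced NUL on the last byte for the local_algorithm, local_mode and local_keymode fields, and a salt_size that is always initialised and only passed to malloc when the salt flag is set. NAME_MAX, SALT_MAX, the struct layout and the function names are assumptions.

```c
/* Added example, not mcrypt's own code: the two fixes discussed in the
 * thread. NAME_MAX, SALT_MAX, the struct layout and names are assumptions. */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define NAME_MAX 32     /* assumed fixed size of the name buffers */
#define SALT_MAX 1024   /* assumed sanity bound on a salt length */

struct header {
    char local_algorithm[NAME_MAX];
    char local_mode[NAME_MAX];
    char local_keymode[NAME_MAX];
    int  salt_flag;
    int  salt_size;     /* only meaningful when salt_flag != 0 */
};

/* Bounded copy with a forced NUL on the last byte: an over-long field is
 * truncated rather than overflowing, and the later validity checks always
 * see a terminated string. Returns 1 if the input had to be truncated. */
static int copy_name(char dst[NAME_MAX], const char *src)
{
    strncpy(dst, src, NAME_MAX - 1);
    dst[NAME_MAX - 1] = '\0';
    return strlen(src) >= NAME_MAX;
}

/* Every field starts defined, so salt_size is 0 rather than stack garbage
 * when no salt is present. Returns the number of truncated name fields. */
static int init_header(struct header *h, const char *alg, const char *mode,
                       const char *keymode, int salt_flag, int salt_size)
{
    int truncated = 0;
    memset(h, 0, sizeof *h);
    truncated += copy_name(h->local_algorithm, alg);
    truncated += copy_name(h->local_mode, mode);
    truncated += copy_name(h->local_keymode, keymode);
    h->salt_flag = salt_flag;
    h->salt_size = salt_flag ? salt_size : 0;
    return truncated;
}

/* malloc() is reached only with the flag set and a plausible size, so an
 * unset or absurd salt_size can no longer drive memory consumption. */
static unsigned char *alloc_salt(const struct header *h)
{
    if (!h->salt_flag || h->salt_size <= 0 || h->salt_size > SALT_MAX)
        return NULL;
    return malloc((size_t)h->salt_size);
}
```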