Re: CVE Request -- mcrypt: stack-based buffer overflow by encryption / decryption of overly long file names
From: Raphael Geissert <geissert () debian org>
Date: Thu, 18 Oct 2012 20:14:25 -0500
Hi Jan, everyone,

[BCC'ing Malcolm Parsons, who sent me an email about the tmperr buffer
overflow this morning. Not sure if he discovered it independently.]

On Thursday 18 October 2012 08:50:37 Jan Lieskovsky wrote:
> Hello Kurt, Steve, vendors,
>
> Attila Bogar reported a stack-based buffer overflow
> in the way MCrypt, a crypt() package and crypt(1) command
> replacement, used to encrypt / decrypt files with overly
> long names (longer than 128 bytes). A remote attacker
> could provide a specially-crafted file that, when processed
> by the mcrypt tool, would lead to mcrypt executable crash [*].
>
> A different vulnerability than CVE-2012-4409:
>
> Patch proposed by Attila:

Why 132? tmperr is declared as:

That would still allow some bytes to be overwritten.

> P.S.: I am not sure about relation of this issue to the issue
> Raphael Geissert reported previously:
> so CC-in him too, he to clarify if  == , or if
> they are yet different issues. Raphael, please clarify.

They are different issues. The closest is CVE-2012-4426.
I didn't look much into those other buffers as they would require an attacker
to control the arguments passed to mcrypt(1) to exploit them.

Kurt, regarding the issues in , I don't know what other reference you
want me to add. There's nothing more than what's on the thread.

Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
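
The bound questioned in the message above ("Why 132?") can be checked numerically; the C sketch below is an added example, not mcrypt code and not the proposed patch. The 128-byte buffer size, the message template and all helper names are assumptions for illustration, since the tmperr declaration and the patch are not shown in this archive copy.

```c
#include <stdio.h>
#include <string.h>

/* Assumed for illustration: the report says names longer than 128 bytes
   trigger the overflow; the real tmperr declaration is not shown here. */
#define ERRBUF_SIZE 128

/* Hypothetical message template, not taken from mcrypt. */
#define ERR_FMT "File %s could not be opened.\n"

/* Bytes (including the NUL) that sprintf would write for a name of
   name_len bytes when the %s conversion is capped at `cap` characters.
   cap < 0 means no cap (plain %s). */
size_t bytes_needed(size_t name_len, int cap)
{
    size_t fixed = strlen(ERR_FMT) - 2;          /* template minus "%s" */
    size_t shown = (cap >= 0 && name_len > (size_t)cap) ? (size_t)cap
                                                        : name_len;
    return fixed + shown + 1;
}

/* Largest cap that can never overflow a buffer of buf_size bytes. */
int max_safe_cap(size_t buf_size)
{
    size_t fixed = strlen(ERR_FMT) - 2;
    return buf_size > fixed + 1 ? (int)(buf_size - fixed - 1) : 0;
}

/* Bounded variant: snprintf never writes past buf_size, and its return
   value reveals truncation. Returns 1 if the message was truncated. */
int format_error(char *buf, size_t buf_size, const char *name)
{
    int n = snprintf(buf, buf_size, ERR_FMT, name);
    return n < 0 || (size_t)n >= buf_size;
}

int main(void)
{
    char tmperr[ERRBUF_SIZE];
    char name[301];                    /* constructed 300-byte file name */
    memset(name, 'A', 300);
    name[300] = '\0';

    printf("cap 132 needs %zu bytes, buffer has %d\n",
           bytes_needed(300, 132), ERRBUF_SIZE);
    printf("largest safe cap: %d\n", max_safe_cap(ERRBUF_SIZE));
    printf("truncated: %d, stored length: %zu\n",
           format_error(tmperr, sizeof tmperr, name), strlen(tmperr));
    return 0;
}
```

Under these assumptions, a cap larger than the buffer minus the fixed text still writes past the end, whereas passing the buffer size to snprintf bounds the write regardless of the template.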