Summary: | <app-crypt/mcrypt-2.6.8-r2: Decryption Header Processing Buffer Overflow Vulnerability (CVE-2012-4409) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | robbat2 |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://secunia.com/advisories/50507/ | ||
Whiteboard: | B2 [glsa] | ||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | 440778 | ||
Bug Blocks: |
Description
Agostino Sarubbo
2012-09-06 11:58:19 UTC
Just in case, there is a preliminary patch: http://www.openwall.com/lists/oss-security/2012/09/06/8 CVE-2012-4409 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4409): Stack-based buffer overflow in the check_file_head function in extra.c in mcrypt 2.6.8 and earlier allows user-assisted remote attackers to execute arbitrary code via an encrypted file with a crafted header containing long salt data that is not properly handled during decryption. Fixed in mcrypt-2.6.8-r2 Thanks, everyone. New GLSA request filed. This issue was resolved and addressed in GLSA 201405-19 at http://security.gentoo.org/glsa/glsa-201405-19.xml by GLSA coordinator Sean Amoss (ackle). |