[PLDSA 14-1] New libmcrypt packages fix buffer overflows and memory leak

Krzysiek Taraszka dzimi at pld.org.pl
Thu Jan 30 14:10:48 CET 2003


- --------------------------------------------------------------------------
PLD Security Advisory PLDSA 14-1                        security at pld.org.pl
http://www.pld.org.pl/security/                          PLD Security Team
13 January 2003 			http://www.pld.org.pl/security/faq
- --------------------------------------------------------------------------

Package        : prior to libmcrypt-2.4.22-1
Vulnerability  : buffer overflows and memory leak
Problem-Type   : remote
PLD-specific   : no
CVE references : CAN-2003-0031, CAN-2003-0032

libmcrypt versions prior to 2.5.5 contain a number of buffer overflow
vulnerabilities that stem from improper or missing input validation. By
passing longer than expected input to a number of functions (multiple
functions are affected) the user can successfully make libmcrypt crash.

Another vulnerability is due to the way libmcrypt loads algorithms via
libtool. When the algorithms are loaded dynamically, each time an
algorithm is loaded a small amount of memory (a few kilobytes) is leaked. In a
persistent environment (web server) this could lead to a memory exhaustion
attack that will exhaust all available memory by launching repeated requests
at an application utilizing the mcrypt library.

The above problems have been fixed in version 2.5.5-1 for the
current stable distribution (ra).

We recommend that you upgrade your libmcrypt packages.

wget -c url
        will fetch the file for you
rpm -Uhv file(s)*.rpm
        will upgrade the referenced file.
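The advisory publishes an MD5 checksum next to every package but the upgrade steps above never check it. The script below is an added example, not part of the PLD advisory: it fetches each package with wget -c as described, compares the digest with the published value, and runs rpm -Uhv only when every checksum matched. The checksum table passed to it is copied from the i386 entries of this advisory.

```shell
#!/bin/sh
# Added example, not part of the PLD advisory: check each fetched package
# against the MD5 checksum published in the advisory before passing it to
# rpm -Uhv, so a corrupt or tampered download is never installed.

# md5_of FILE: print the hex MD5 digest, using md5sum or openssl, whichever exists.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        openssl dgst -md5 "$1" | sed 's/^.*= //'
    fi
}

# verify_md5 FILE EXPECTED: return 0 if the digest matches, 1 otherwise.
verify_md5() {
    actual=$(md5_of "$1")
    if [ "$actual" = "$2" ]; then
        echo "OK       $1"
        return 0
    fi
    echo "MISMATCH $1: got $actual, expected $2" >&2
    return 1
}

# fetch_verify_upgrade TABLE: TABLE holds "URL MD5" lines copied from the
# advisory. Packages are fetched with wget -c as the advisory describes;
# rpm -Uhv runs only if every download succeeded and every checksum matched.
fetch_verify_upgrade() {
    ok=1
    files=""
    while read -r url sum; do
        [ -n "$url" ] || continue
        file=${url##*/}
        wget -c "$url" || ok=0
        verify_md5 "$file" "$sum" || ok=0
        files="$files $file"
    done <<EOF
$1
EOF
    if [ "$ok" = 1 ]; then
        rpm -Uhv $files
    else
        echo "download or checksum failure; nothing installed" >&2
        return 1
    fi
}

# Uncomment to run for i386 (URLs and checksums from the advisory):
# fetch_verify_upgrade "ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/libmcrypt-2.5.5-1.i386.rpm f6df9265e85478648c80e345388a9271
# ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/libmcrypt-devel-2.5.5-1.i386.rpm 29bf30db6d41e02d5b7d62590eec5446"
```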

If you are using the "poldek" package manager, use the lines given below
to upgrade the packages

poldek --update
        will update the internal database
poldek --upgrade 'libmcrypt*'
        will install corrected packages

If you are using the "apt" package manager, use the lines given below
to upgrade the packages

apt-get update
        will update the internal database
apt-get upgrade 'libmcrypt*'
        will install corrected packages

PLD Linux 1.0 alias ra
- --------------------

  Source archives:

ftp://ftp.pld.org.pl/dists/ra/updates/security/SRPMS/libmcrypt-2.5.5-1.src.rpm
       MD5 checksum: 3d12feb2f6f344da98527a46f985c0b6

  I386 Architecture components:

ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/libmcrypt-2.5.5-1.i386.rpm
       MD5 checksum: f6df9265e85478648c80e345388a9271

ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/libmcrypt-devel-2.5.5-1.i386.rpm
       MD5 checksum: 29bf30db6d41e02d5b7d62590eec5446

ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/libmcrypt-static-2.5.5-1.i386.rpm
       MD5 checksum: f570b98f5a3b36cab6ac0a5fb2ea8ca4


  I586 Architecture components:

ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/libmcrypt-2.5.5-1.i586.rpm
       MD5 checksum: 2a021edfd264150c670b224d75186c75

ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/libmcrypt-devel-2.5.5-1.i586.rpm
       MD5 checksum: 6c31f7e9fb025eab8242b510a2707afe

ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/libmcrypt-static-2.5.5-1.i586.rpm
       MD5 checksum: d2c814ab0a9574049c12945cea1a27c4


  I686 Architecture components:

ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/libmcrypt-2.5.5-1.i686.rpm
       MD5 checksum: 9e811c37acc56379fae9ed44f5bb5a73

ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/libmcrypt-devel-2.5.5-1.i686.rpm
       MD5 checksum: d5e9899a13094362de1bf1a2cb78e726

ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/libmcrypt-static-2.5.5-1.i686.rpm
       MD5 checksum: 2990643f43973dec9e9c1b88f3c3d1ad


  PowerPC Architecture components:

ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/libmcrypt-2.5.5-1.ppc.rpm
       MD5 checksum: 3969e586391dbf08484fd214c9c9ac52

ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/libmcrypt-devel-2.5.5-1.ppc.rpm
       MD5 checksum: a7263e9857c8fa891ae60d4369ed61e4

ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/libmcrypt-static-2.5.5-1.ppc.rpm
       MD5 checksum: 5b4cf6081a702988eef631ba0bcaccea


- --------------------------------------------------------------------------
If you are using poldek add this line to poldek.conf.
If you are using apt-get add this line to sources.list.

For i386 architecture
poldek:         source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/
apt-get:        rpm ftp://ftp.pld.org.pl/dists ra/apt/i386 base updates-security
For i586 architecture
poldek:         source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/
apt-get:        rpm ftp://ftp.pld.org.pl/dists ra/apt/i586 base updates-security
For i686 architecture
poldek:         source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/
apt-get:        rpm ftp://ftp.pld.org.pl/dists ra/apt/i686 base updates-security
For ppc architecture
poldek:         source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/
apt-get:        rpm ftp://ftp.pld.org.pl/dists ra/apt/ppc base updates-security


