[PLDSA 14-1] New libmcrypt packages fix buffer overflows and memory
leak
Krzysiek Taraszka
dzimi at pld.org.pl
Thu Jan 30 14:10:48 CET 2003
- --------------------------------------------------------------------------
PLD Security Advisory PLDSA 14-1 security at pld.org.pl
http://www.pld.org.pl/security/ PLD Security Team
13 January 2003 http://www.pld.org.pl/security/faq
- --------------------------------------------------------------------------
Package : prior to libmcrypt-2.4.22-1
Vulnerability : buffer overflows and memory leak
Problem-Type : remote
PLD-specific : no
CVE references : CAN-2003-0031, CAN-2003-0032
limbcrypt versions prior to 2.5.5 contain a number of buffer overflow
vulnerabilities that stem from imporper or lacking input validation. By
passing a longer then expected input to a number of functions (multiple
functions are affected) the user can successful make libmcrypt crash.
Another vulnerability is due to the way libmcrypt loads algorithms via
libtool. When the algorithms are loaded dynamically the each time the
algorithm is loaded a small (few kilobytes) of memory are leaked. In a
persistant enviroment (web server) this could lead to a memory exhaustion
attack that will exhaust all avaliable memory by launching repeated requests
at an application utilizing the mcrypt library.
The above problems have been fixed in version 2.5.5-1 for the
current stable distribution (ra).
We recommend that you upgrade your libmcrypt packages.
wget -c url
will fetch the file for you
rpm -Uhv file(s)*.rpm
will upgrade the referenced file.
If you are using "poldek" - the package manager, use the line as given below
for upgrade packages
poldek --update
will update the internal database
poldek --upgrade 'libmcrypt*'
will install corrected packages
If you are using "apt" - the package manager, use the line as given below
for upgrade packages
apt-get update
will update the internal database
apt-get upgrade 'libmcrypt*'
will install corrected packages
PLD Linux 1.0 alias ra
- --------------------
Source archives:
ftp://ftp.pld.org.pl/dists/ra/updates/security/SRPMS/libmcrypt-2.5.5-1.src.rpm
MD5 checksum: 3d12feb2f6f344da98527a46f985c0b6
I386 Architecture components:
ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/libmcrypt-2.5.5-1.i386.rpm
MD5 checksum: f6df9265e85478648c80e345388a9271
ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/libmcrypt-devel-2.5.5-1.i386.rpm
MD5 checksum: 29bf30db6d41e02d5b7d62590eec5446
ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/libmcrypt-static-2.5.5-1.i386.rpm
MD5 checksum: f570b98f5a3b36cab6ac0a5fb2ea8ca4
I586 Architecture components:
ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/libmcrypt-2.5.5-1.i586.rpm
MD5 checksum: 2a021edfd264150c670b224d75186c75
ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/libmcrypt-devel-2.5.5-1.i586.rpm
MD5 checksum: 6c31f7e9fb025eab8242b510a2707afe
ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/libmcrypt-static-2.5.5-1.i586.rpm
MD5 checksum: d2c814ab0a9574049c12945cea1a27c4
I686 Architecture components:
ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/libmcrypt-2.5.5-1.i686.rpm
MD5 checksum: 9e811c37acc56379fae9ed44f5bb5a73
ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/libmcrypt-devel-2.5.5-1.i686.rpm
MD5 checksum: d5e9899a13094362de1bf1a2cb78e726
ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/libmcrypt-static-2.5.5-1.i686.rpm
MD5 checksum: 2990643f43973dec9e9c1b88f3c3d1ad
PowerPC Architecture components:
ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/libmcrypt-2.5.5-1.ppc.rpm
MD5 checksum: 3969e586391dbf08484fd214c9c9ac52
ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/libmcrypt-devel-2.5.5-1.ppc.rpm
MD5 checksum: a7263e9857c8fa891ae60d4369ed61e4
ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/libmcrypt-static-2.5.5-1.ppc.rpm
MD5 checksum: 5b4cf6081a702988eef631ba0bcaccea
-
--------------------------------------------------------------------------------
-
If you are using poldek add this line to poldek.conf.
If you are using apt-get add this line to sources.list.
For i386 architecture
poldek: source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/
apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i386 base updates-security
For i586 architecture
poldek: source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/
apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i586 base updates-security
For i686 architecture
poldek: source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/
apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i686 base updates-security
For ppc architecture
poldek: source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/
apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/ppc base updates-security
More information about the pld-security-announce
mailing list