lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
From: aliz at gentoo.org (Daniel Ahlberg)
Subject: GLSA:  libmcrypt

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - --------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200301-4
- - --------------------------------------------------------------------

PACKAGE : libmcrypt
SUMMARY : buffer overflows and memory exhaustion
DATE    : 2003-01-05 12:01 UTC
EXPLOIT : remote

- - --------------------------------------------------------------------

Post by Ilia Alshanetsky <ilia@...host.org>:

"limbcrypt versions prior to 2.5.5 contain a number of buffer 
overflow vulnerabilities that stem from imporper or lacking input 
validation. By  passing a longer then expected input to a number of 
functions (multiple functions are affected) the user can successful 
make libmcrypt crash. 
 
Another vulnerability is due to the way libmcrypt loads algorithms via  
libtool. When the algorithms are loaded dynamically the each time the  
algorithm is loaded a small (few kilobytes) of memory are leaked. In a  
persistant enviroment (web server) this could lead to a memory 
exhaustion attack that will exhaust all avaliable memory by launching 
repeated requests at an application utilizing the mcrypt library. 
 
The solution to both of these problem is to upgrade to the latest 
release of libmcrypt, 2.5.5."

SOLUTION

It is recommended that all Gentoo Linux users who are running
dev-libs/libmcrypt-2.5.1-r4 or earlier update their systems as 
follows:

emerge rsync
emerge libmcrypt
emerge clean

- - --------------------------------------------------------------------
aliz@...too.org - GnuPG key is available at www.gentoo.org/~aliz
- - --------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+GCDqfT7nyhUpoZMRAgLTAJ9wkfPJg1Z4f0d5krJpObWVGtPwJgCfYQ7o
a7jfaOOalcN+xeBczQjxAds=
=vxQ0
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ