Gentoo: libmcrypt buffer overflow vulnerabilities
Posted by LinuxSecurity.com Team   
Gentoo limbcrypt versions prior to 2.5.5 contain a number of buffer overflow vulnerabilities that stem from imporper or lacking input validation.

- --------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200301-4
- --------------------------------------------------------------------

PACKAGE : libmcrypt
SUMMARY : buffer overflows and memory exhaustion
DATE    : 2003-01-05 12:01 UTC
EXPLOIT : remote

- --------------------------------------------------------------------

Post by Ilia Alshanetsky <ilia@prohost.org>:

"limbcrypt versions prior to 2.5.5 contain a number of buffer
overflow vulnerabilities that stem from imporper or lacking input
validation. By  passing a longer then expected input to a number of
functions (multiple functions are affected) the user can successful
make libmcrypt crash.

Another vulnerability is due to the way libmcrypt loads algorithms via
libtool. When the algorithms are loaded dynamically the each time the
algorithm is loaded a small (few kilobytes) of memory are leaked. In a
persistant enviroment (web server) this could lead to a memory
exhaustion attack that will exhaust all avaliable memory by launching
repeated requests at an application utilizing the mcrypt library.

The solution to both of these problem is to upgrade to the latest
release of libmcrypt, 2.5.5."

SOLUTION

It is recommended that all Gentoo Linux users who are running
dev-libs/libmcrypt-2.5.1-r4 or earlier update their systems as
follows:

emerge rsync
emerge libmcrypt
emerge clean

- --------------------------------------------------------------------
aliz@gentoo.org - GnuPG key is available at www.gentoo.org/~aliz
- --------------------------------------------------------------------