Executive Summary
| Summary | |
|---|---|
| Title | New libmcrypt packages fix buffer overflows and memory leak |
| Informations | |||
|---|---|---|---|
| Name | DSA-228 | First vendor Publication | 2003-01-14 |
| Vendor | Debian | Last vendor Modification | 2003-01-14 |
| Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P) | |||
|---|---|---|---|
| Cvss Base Score | 7.5 | Attack Range | Network |
| Cvss Impact Score | 6.4 | Attack Complexity | Low |
| Cvss Expoit Score | 10 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| Ilia Alshanetsky discovered several buffer overflows in libmcrypt, a decryption and encryption library, that originates in from improper or lacking input validation. By passing input which is longer then expected to a number of functions (multiple functions are affected) the user can successful make libmcrypt crash and may be able to insert arbitrary, malicious, code which will be executed under the user libmcrypt runs as, e.g. inside a web server. Another vulnerability exists in the way libmcrypt loads algorithms via libtool. When different algorithms are loaded dynamically, each time an algorithm is loaded a small part of memory is leaked. In a persistant enviroment (web server) this could lead to a memory exhaustion attack that will exhaust all avaliable memory by launching repeated requests at an application utilizing the mcrypt library. For the current stable distribution (woody) this problem has been fixed in version 2.5.0-1woody1. The old stable distribution (potato) does not contain libmcrypt packages. For the unstable distribution (sid) these problems have been fixed in version 2.5.5-1. We recommend that you upgrade your libmcrypt packages. |
Original Source
| Url : http://www.debian.org/security/2003/dsa-228 |
CPE : Common Platform Enumeration
| Type | Description | Count |
|---|---|---|
| Application | 4 |
OpenVAS Exploits
| Date | Description |
|---|---|
| 2008-09-04 | Name : FreeBSD Ports: libmcrypt File : nvt/freebsd_libmcrypt.nasl |
| 2008-01-17 | Name : Debian Security Advisory DSA 228-1 (libmcrypt) File : nvt/deb_228_1.nasl |
Open Source Vulnerability Database (OSVDB)
| Id | Description |
|---|---|
| 9685 | libmcrypt libtool Request Saturation DoS libmcrypt contains a flaw that may allow a remote denial of service. The issue is triggered when libmcrypt loads algorithms via libtool, which will cause a memory leak. By repeating the requests for libmcrypt, a remote attacker can exhaust the memory on the system. This flaw leads to a loss of availablity. |
| 9684 | libmcrypt Multiple Unspecified Overflow DoS |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2009-04-23 | Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_c4b7badf24ca11d882e50020ed76ef5a.nasl - Type : ACT_GATHER_INFO |
| 2004-09-29 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-228.nasl - Type : ACT_GATHER_INFO |
| 2004-07-25 | Name : The remote host is missing a vendor-supplied security patch File : suse_SA_2003_0010.nasl - Type : ACT_GATHER_INFO |
Alert History
| Date | Informations |
|---|---|
| 2014-02-17 11:30:19 |
|
