LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 24, 2012

A uTouch architecture introduction

LWN.net Weekly Edition for May 17, 2012

Tasting the Ice Cream Sandwich

Highlights from the PostgreSQL 9.2 beta

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

libmcrypt: buffer overflows and memory exhaustion

Package(s):libmcrypt CVE #(s):CAN-2003-0031 CAN-2003-0032
Created:January 6, 2003 Updated:February 27, 2003
Description: libmcrypt versions prior to 2.5.5 contain a number of buffer overflow vulnerabilities that stem from improper or lacking input validation. By passing a longer than expected input to a number of functions (multiple functions are affected) the user can successful make libmcrypt crash.

Another vulnerability is due to the way libmcrypt loads algorithms via libtool. When the algorithms are loaded dynamically the each time the algorithm is loaded a small (few kilobytes) of memory are leaked. In a persistant enviroment (web server) this could lead to a memory exhaustion attack that will exhaust all avaliable memory by launching repeated requests at an application utilizing the mcrypt library.

Alerts:
SuSE SuSE-SA:2003:0010 2003-02-26
Conectiva CLA-2003:567 2003-02-05
Debian DSA-228-1 2003-01-14
Gentoo 200301-4 2003-01-05
(Log in to post comments)

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds