Bug 440049 (CVE-2008-1552)

Summary: CVE-2008-1552 libsilc: buffer overflow in PKCS#1 message decoding
Product: [Other] Security Response
Component: vulnerability
Reporter: Tomas Hoger <thoger>
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: stu, toniw, wtogami
Keywords: Security
Hardware: All
OS: Linux
URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1552
Doc Type: Bug Fix
Last Closed: 2008-04-24 07:19:26 UTC
Bug Depends On: 438382
Attachments: Upstream patch (for posterity)

Description Tomas Hoger 2008-04-01 14:56:06 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-1552 to the following vulnerability:

The silc_pkcs1_decode function in the silccrypt library (silcpkcs1.c) in Secure Internet Live Conferencing (SILC) Toolkit before 1.1.7, SILC Client before 1.1.4, and SILC Server before 1.1.2 allows remote attackers to execute arbitrary code via a crafted PKCS#1 message, which triggers an integer underflow, signedness error, and a buffer overflow.  NOTE: the researcher describes this as an integer overflow, but CVE uses the "underflow" term in cases of wraparound from unsigned subtraction.

References:
http://www.securityfocus.com/archive/1/archive/1/490069/100/0/threaded
http://www.coresecurity.com/?action=item&id=2206
http://silcnet.org/general/news/?item=client_20080320_1
http://silcnet.org/general/news/?item=server_20080320_1
http://silcnet.org/general/news/?item=toolkit_20080320_1
http://www.securityfocus.com/bid/28373
http://www.frsirt.com/english/advisories/2008/0974/references
http://www.securitytracker.com/id?1019690
http://secunia.com/advisories/29463

Comment 3 Josh Bressers 2008-04-23 19:09:23 UTC
Created attachment 303537
Upstream patch (for posterity)

Comment 4 Josh Bressers 2008-04-23 19:24:25 UTC
We won't be fixing this issue for Red Hat Enterprise Linux 4 and 5.

This flaw can only result in the crash of the client (pidgin in this instance,
nothing else uses libsilc).  The flaw in question results in the following code:
    memcpy(dest_data, data + i, data_len - i);
Where (data_len - i) = -1, that results in memcpy trying to copy a huge amount
of memory, which will crash long before any arbitrary code execution is possible.

The crash is only possible if a client connects to a malicious server.  As this
crash requires user action to crash the application, we do not consider it
to be a security flaw.

Comment 5 Tomas Hoger 2008-04-24 07:19:26 UTC
Closing, based on comment #2 and comment #4.

Comment 6 Josh Bressers 2008-05-12 17:16:00 UTC
To clarify comment #4 a bit:

When this flaw is exercised, (data_len - i) will always be -1, which means the
memcpy call ends up being:

memcpy(dest_data, data+i, -1)

The size variable in this instance is of size_t type, which means this will
translate into all addressable memory on the system.  This makes the memcpy call
impossible to return from.
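Added example, not libsilc's code and not part of the report: a hypothetical, simplified model of the length computation discussed in comments #4 and #6. It shows how the separator scan can leave i == data_len + 1, how data_len - i then wraps to SIZE_MAX in size_t arithmetic (the "-1" passed to memcpy), and a decode routine that rejects a block with no separator before any subtraction happens. The function names, the block layout modelled and the two sample blocks are assumptions constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified model of a PKCS#1 v1.5 block-type-2 decode.
 * This is NOT libsilc's silc_pkcs1_decode; it only reproduces the length
 * arithmetic the report describes.
 * Layout modelled: 0x00 | 0x02 | PS (non-zero padding) | 0x00 | D (payload). */

/* Unchecked scan: returns the index one past the 0x00 separator. When no
 * separator exists, the loop stops at i == data_len and the unconditional
 * skip leaves i == data_len + 1, the state the bug report describes. */
static size_t find_payload_unchecked(const unsigned char *data, size_t data_len)
{
    size_t i = 2;
    while (i < data_len && data[i] != 0x00)
        i++;
    return i + 1; /* skip the separator whether or not one was found */
}

/* The expression from the report, data_len - i, in size_t arithmetic.
 * With i == data_len + 1 the result is (size_t)-1 == SIZE_MAX, the
 * "all addressable memory" length that memcpy can never finish copying. */
static size_t copy_len_unchecked(size_t data_len, size_t i)
{
    return data_len - i;
}

/* Hardened decode: a block with no separator is rejected before the
 * subtraction, so data_len - i cannot wrap. Returns the payload length,
 * or -1 on malformed input. */
static int pkcs1_decode_checked(const unsigned char *data, size_t data_len,
                                unsigned char *dest, size_t dest_len)
{
    if (data_len < 11 || data[0] != 0x00 || data[1] != 0x02)
        return -1;
    size_t i = 2;
    while (i < data_len && data[i] != 0x00)
        i++;
    if (i >= data_len)      /* no separator: malformed, stop here */
        return -1;
    if (i - 2 < 8)          /* padding string must be at least 8 bytes */
        return -1;
    i++;                    /* now 11 <= i <= data_len, no wraparound possible */
    size_t n = data_len - i;
    if (n > dest_len)       /* destination bound check */
        return -1;
    memcpy(dest, data + i, n);
    return (int)n;
}

/* Constructed sample blocks (not taken from the report). */
static const unsigned char good_block[] = {
    0x00, 0x02, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, /* 8-byte PS */
    0x00, 'a', 'b', 'c' };
static const unsigned char no_separator_block[] = {
    0x00, 0x02, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88,
    0x99, 0xaa, 0xbb, 0xcc };

/* Length the unchecked path would hand to memcpy for the malformed block. */
size_t demo_unchecked_malformed_len(void)
{
    size_t i = find_payload_unchecked(no_separator_block, sizeof no_separator_block);
    return copy_len_unchecked(sizeof no_separator_block, i);
}

/* Hardened path on the well-formed block: 3 payload bytes, "abc". */
int demo_checked_good(void)
{
    unsigned char out[4] = {0};
    int n = pkcs1_decode_checked(good_block, sizeof good_block, out, 3);
    if (n != 3 || memcmp(out, "abc", 3) != 0)
        return -2; /* payload mismatch */
    return n;
}

/* Hardened path on the malformed block: rejected, nothing copied. */
int demo_checked_malformed(void)
{
    unsigned char out[16];
    return pkcs1_decode_checked(no_separator_block, sizeof no_separator_block,
                                out, sizeof out);
}

int main(void)
{
    printf("unchecked length for malformed block: %zu (SIZE_MAX is %zu)\n",
           demo_unchecked_malformed_len(), (size_t)SIZE_MAX);
    printf("checked good block: %d\n", demo_checked_good());
    printf("checked malformed block: %d\n", demo_checked_malformed());
    return 0;
}
```

The point of the two paths is the ordering of operations: the unchecked scan subtracts first and only then would a caller notice the size, whereas the checked decode validates the separator index while it is still a plain index, so the subtraction is performed only on values it has already proven to be in range.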