Bug 418481 - mcrypt 2.6.6-2 / libmcrypt 2.5.8-4 crash with buffer overflow when encrypting
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: mcrypt
Version: 8
Hardware: i386 Linux
Priority: low
Severity: urgent
Assigned To: Tom "spot" Callaway
QA Contact: Fedora Extras Quality Assurance
Reported: 2007-12-10 12:32 EST by Olin Shivers
Modified: 2008-02-19 15:26 EST
Fixed In Version: 2.6.7-1.fc8
Doc Type: Bug Fix
Last Closed: 2008-01-02 20:41:42 EST
Description Olin Shivers 2007-12-10 12:32:41 EST
Description of problem:
-----------------------
I am running a fresh Fedora 8 install on an IBM ThinkPad X31. I have
the latest yum-installed updates. Uname says of my system:
    2.6.23.8-63.fc8 #1 SMP Wed Nov 21 18:51:08 EST 2007 i686 i686 i386 GNU/Linux

The bug: I cannot get mcrypt to encrypt. It will *decrypt*, but
it crashes on encryption, reporting a buffer overflow. I have
selinux running in permissive/warning mode, so it should not be
messing with things, by the way.

Encryption is pretty basic to administering a machine, e.g. for backups
and so forth. So this seems like a pretty critical thing to go wrong.
It worked fine under my previous Fedora 7 install on the same machine.
(By the way, when I say "fresh Fedora 8 install" above, I mean
that I started with a new, blank disk drive and installed F8 onto
it, then tweaked the /etc files & copied a /home partition over
from an older drive.)

Given how basic encryption is, it is a little suspicious that this bug
doesn't already appear in the bugzilla base -- makes me wonder if there
is something particular about my system. I will be interested to see if
y'all can reproduce the bug on your own 386 systems.

Note that mcrypt works fine on my x86_64 ubuntu systems -- which
are providing the older mcrypt 2.6.4 and libmcrypt 2.5.7.


Version-Release number of selected component (if applicable):
-------------------------------------------------------------
mcrypt.i386 0:2.6.6-2.fc8
libmcrypt.i386 0:2.5.8-4.fc8


How reproducible:
-----------------
Easily reproducible with 100% reliability on my system. I do not have access
to other Fedora 8 systems on which to try it.  


Steps to Reproduce:
-------------------
1. Encrypt the string "foo" with key "bar" & throw away the result, with:
       echo foo | /usr/bin/mcrypt -k bar > /dev/null
2. Hopefully, observe crash shown below.

  
Actual results:
---------------
% echo foo | /usr/bin/mcrypt -k bar > /dev/null
Warning: It is insecure to specify keywords in the command line
*** buffer overflow detected ***: mcrypt terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x48)[0xd12b58]
/lib/libc.so.6[0xd11200]
mcrypt[0x8052130]
mcrypt[0x8053f33]
mcrypt[0x804dcab]
mcrypt[0x804c4f5]
/lib/libc.so.6(__libc_start_main+0xe0)[0xc3f390]
mcrypt[0x8049f71]
Aborted
%


Expected results:
-----------------
According to my ubuntu system:

    % echo foo | /usr/bin/mcrypt -k bar > /dev/null
    Warning: It is insecure to specify keywords in the command line
    Stdin was encrypted.
    %
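
An added example (not part of the original report and not mcrypt code): a small Python parser for the glibc abort report shown under "Actual results". It extracts the abort reason and locates the first backtrace frame inside the program itself, which is the caller of the libc check that failed. The function names are illustrative; the sample input is the banner and backtrace copied from the report above.

```python
import re

# Banner and backtrace copied from the "Actual results" section of this report.
REPORT = """\
*** buffer overflow detected ***: mcrypt terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x48)[0xd12b58]
/lib/libc.so.6[0xd11200]
mcrypt[0x8052130]
mcrypt[0x8053f33]
mcrypt[0x804dcab]
mcrypt[0x804c4f5]
/lib/libc.so.6(__libc_start_main+0xe0)[0xc3f390]
mcrypt[0x8049f71]
"""

BANNER = re.compile(r"^\*\*\* (?P<reason>.+?) \*\*\*: (?P<prog>\S+) terminated$")
# module, optional "(symbol+0xoff)", then "[0xaddress]"
FRAME = re.compile(r"^(?P<module>[^\s(\[]+)"
                   r"(?:\((?P<symbol>[^+)]*)(?:\+0x[0-9a-f]+)?\))?"
                   r"\[(?P<addr>0x[0-9a-f]+)\]$")

def parse_abort_report(text):
    """Parse a glibc abort report into reason, program name and frames."""
    report = {"reason": None, "program": None, "frames": [], "fortify": False}
    for line in map(str.strip, text.splitlines()):
        banner, frame = BANNER.match(line), FRAME.match(line)
        if banner:
            report["reason"], report["program"] = banner["reason"], banner["prog"]
        elif frame:
            report["frames"].append({"module": frame["module"],
                                     "symbol": frame["symbol"] or None,
                                     "addr": int(frame["addr"], 16)})
    # glibc reports a failed _FORTIFY_SOURCE run-time check with this message.
    report["fortify"] = report["reason"] == "buffer overflow detected"
    return report

def first_program_frame(report):
    """Return the innermost frame that lies in the program, not in a library."""
    for frame in report["frames"]:
        if frame["module"].rsplit("/", 1)[-1] == report["program"]:
            return frame
    return None

if __name__ == "__main__":
    parsed = parse_abort_report(REPORT)
    hit = first_program_frame(parsed)
    print(parsed["reason"], "| fortify check:", parsed["fortify"])
    print("first frame in", parsed["program"], "at", hex(hit["addr"]))
```

The address it returns is the place to start when symbolizing the crash against the package's debug information.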
Comment 1 Olin Shivers 2007-12-15 10:34:45 EST
Rolling back to
    mcrypt-2.6.4-3.fc6
    libmcrypt-2.5.7-5.fc6
fixes the problem. (These are the versions currently used by Ubuntu.)
    -Olin
Comment 2 Tom "spot" Callaway 2007-12-17 06:58:28 EST
Perhaps, but rolling back to older versions is a bit of a copout. I've fixed the
overflow issue, and will be pushing packages to testing shortly.
Comment 3 Fedora Update System 2007-12-20 14:52:06 EST
mcrypt-2.6.7-1.fc7 has been pushed to the Fedora 7 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update mcrypt'
Comment 4 Fedora Update System 2007-12-20 15:15:33 EST
mcrypt-2.6.7-1.fc8 has been pushed to the Fedora 8 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update mcrypt'
Comment 5 Fedora Update System 2008-01-02 20:41:09 EST
mcrypt-2.6.7-1.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2008-01-02 20:41:41 EST
mcrypt-2.6.7-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Jeff Schultz 2008-02-01 01:11:40 EST
Well, problems persist for me.  It seems to be a performance problem more than
anything else.  Encrypting very small files works, though it seems to be slow,
but anything more than a few MB just sits there chewing CPU.

I have

mcrypt-2.6.7-1.fc8
libmcrypt-2.5.8-4.fc8
Comment 8 Jeff Schultz 2008-02-01 01:37:29 EST
Rebuilding mcrypt-2.6.4-3 from FC6 on my F8 box works.  Looks like something's
been broken since.
Comment 9 Tom "spot" Callaway 2008-02-19 15:26:33 EST
Jeff, if you can give me some sort of test case, please open a new bug for the
performance problems.