Red Hat Bugzilla – Bug 440049
CVE-2008-1552 libsilc: buffer overflow in PKCS#1 message decoding
Last modified: 2008-05-12 13:16:00 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-1552 to the following vulnerability:
The silc_pkcs1_decode function in the silccrypt library (silcpkcs1.c) in Secure Internet Live Conferencing (SILC) Toolkit before 1.1.7, SILC Client before 1.1.4, and SILC Server before 1.1.2 allows remote attackers to execute arbitrary code via a crafted PKCS#1 message, which triggers an integer underflow, signedness error, and a buffer overflow. NOTE: the researcher describes this as an integer overflow, but CVE uses the "underflow" term in cases of wraparound from unsigned subtraction.
Commit in upstream GIT:
Fedora packages already fixed:
Created attachment 303537 [details]
Upstream patch (for posterity)
We won't be fixing this issue for Red Hat Enterprise Linux 4 and 5.
This flaw can only result in the crash of the client (pidgin in this instance,
nothing else uses libsilc). The flaw in question results in the following code:
memcpy(dest_data, data + i, data_len - i);
Where (data_len - i) = -1, that results in memcpy trying to copy a huge amount
of memory, which will crash long before any arbitrary code execution is possible.
The crash is only possible if a client connects to a malicious server. As this
crash requires the user action to crash the application, we do not consider it
to be a security flaw.
Closing, based on comment #2 and comment #4.
To clarify comment #4 a bit:
When this flaw is exercised, (data_len - i) will always be -1, which means the
memcpy call ends up being:
memcpy(dest_data, data+i, -1)
The size variable in this instance is of size_t type, which means this will
translate into all addressable memory on the system. This makes the memcpy call
impossible to return from.