89779 2003-02-05 20:33 /99 rader/ <secure@conectiva.com.br> Importerad: 2003-02-05 20:33 av Brevbäraren Extern mottagare: conectiva-updates@papaleguas.conectiva.com.br Extern mottagare: lwn@lwn.net Extern mottagare: bugtraq@securityfocus.com Extern mottagare: security-alerts@linuxsecurity.com Extern mottagare: linsec@lists.seifried.org Mottagare: Bugtraq (import) <3400> Ärende: [CLA-2003:567] Conectiva Linux Security Announcement - mcrypt ------------------------------------------------------------ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - -------------------------------------------------------------------------- CONECTIVA LINUX SECURITY ANNOUNCEMENT - -------------------------------------------------------------------------- PACKAGE : mcrypt SUMMARY : Buffer overflow and memory leak vulnerabilities DATE : 2003-02-05 15:36:00 ID : CLA-2003:567 RELEVANT RELEASES : 7.0, 8 - ------------------------------------------------------------------------- DESCRIPTION The mcrypt package contains libmcrypt, a decryption and encryption library with support for various algorithms. Ilia Alshanetsky found[1] several buffer overflows vulnerabilities[2] in libmcrypt. These vulnerabilities basically consist of improper or lack of validation for some input (which in some scenarios can came from a local user or from a network connection). Another vulnerability[3] exists in the way libmcrypt loads algorithms via libtool. When different algorithms are loaded dynamically a small part of memory is leaked. In a persistant environment, an attacker can exhaust all available memory by launching repeated requests to an application that utilizes the mcrypt library. These vulnerabilites are fixed in libmcrypt version 2.5.5, and the changes were backported to mcrypt-2.4.9 in Conectiva Linux 7.0 and mcrypt-2.4.18 in Conectiva Linux 8. Conectiva Linux 6.0 does not ship the mcrypt package. SOLUTION All users of the package mcrypt should upgrade. Please note that in order to complete the upgrade process, you must restart all running aplications that are linked against libmcrypt after the new packages installation. You can see a list of such applications using the lsof utility, as seen below: # lsof | grep libmcrypt REFERENCES: 1.http://marc.theaimsgroup.com/?l=bugtraq&m=104162752401212&w=2 2.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0031 3.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0032 UPDATED PACKAGES ftp://atualizacoes.conectiva.com.br/7.0/RPMS/mcrypt-2.4.9-3U70_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/7.0/RPMS/mcrypt-devel-2.4.9-3U70_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/7.0/RPMS/mcrypt-devel-static-2.4.9-3U70_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/mcrypt-2.4.9-3U70_1cl.src.rpm ftp://atualizacoes.conectiva.com.br/8/RPMS/mcrypt-2.4.18-3U80_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/8/RPMS/mcrypt-devel-2.4.18-3U80_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/8/RPMS/mcrypt-devel-static-2.4.18-3U80_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/8/SRPMS/mcrypt-2.4.18-3U80_1cl.src.rpm ADDITIONAL INSTRUCTIONS Users of Conectiva Linux version 6.0 or higher may use apt to perform upgrades of RPM packages: - run: apt-get update - after that, execute: apt-get upgrade Detailed instructions reagarding the use of apt and upgrade examples can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en - ------------------------------------------------------------------------- All packages are signed with Conectiva's GPG key. The key and instructions on how to import it can be found at http://distro.conectiva.com.br/seguranca/chave/?idioma=en Instructions on how to check the signatures of the RPM packages can be found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en - ------------------------------------------------------------------------- All our advisories and generic update instructions can be viewed at http://distro.conectiva.com.br/atualizacoes/?idioma=en - ------------------------------------------------------------------------- subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE+QUx342jd0JmAcZARAv+KAKDcgdGyFpBigvY4Rd/LBNZiZsazpACgk8yF PQP0niGqpPEd58wRcZX4hY8= =XE/j -----END PGP SIGNATURE----- (89779) / <secure@conectiva.com.br>/------(Ombruten)