Check max buffer lengths when parsing metadata packets

Reported by Tyler Hicks on 2009-07-20
262
This bug affects 1 person
Affects Status Importance Assigned to Milestone
eCryptfs
Critical
Tyler Hicks
linux (Ubuntu)
Critical
Unassigned

Bug Description

Each eCryptfs file has metadata associated with it that is normally stored in the header of the file. The metadata is stored in "packet" form according to RFC 2440 "OpenPGP Message Format". Each packet has a header section itself, which has fields such as the packet length. When reading the packet contents, the packet length field is used for the memcpy to the destination buffer but is not checked against the size of the destination buffer. This could result in a buffer overflow if a malicious user hand-modifies the packet length field.

CVE References

Changed in ecryptfs-utils (Ubuntu):
status: New → In Progress
importance: Undecided → Critical
Tyler Hicks (tyhicks) wrote :

Updating this patch due to an small error. "goto out;" was changed to "goto out_free;".

visibility: private → public
Jamie Strandboge (jdstrand) wrote :

This issue was fixed in http://www.ubuntu.com/usn/usn-807-1 and is fixed in 2.6.31-rc5 (and therefore Karmic).

affects: ecryptfs-utils (Ubuntu) → linux (Ubuntu)
Changed in linux (Ubuntu):
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers