Check max buffer lengths when parsing metadata packets
Bug #401810 reported by
Tyler Hicks
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| eCryptfs |
Fix Released
|
Critical
|
Tyler Hicks | ||
| linux (Ubuntu) |
Fix Released
|
Critical
|
Unassigned | ||
Bug Description
Each eCryptfs file has metadata associated with it that is normally stored in the header of the file. The metadata is stored in "packet" form according to RFC 2440 "OpenPGP Message Format". Each packet has a header section itself, which has fields such as the packet length. When reading the packet contents, the packet length field is used for the memcpy to the destination buffer but is not checked against the size of the destination buffer. This could result in a buffer overflow if a malicious user hand-modifies the packet length field.
CVE References
Revision history for this message
| Tyler Hicks (tyhicks) wrote | #1 |
| Changed in ecryptfs-utils (Ubuntu): | |
| status: | New → In Progress |
| importance: | Undecided → Critical |
Revision history for this message
| Tyler Hicks (tyhicks) wrote | #3 |
Revision history for this message
| Tyler Hicks (tyhicks) wrote | #4 |
| Changed in ecryptfs: | |
| status: | In Progress → Fix Released |
| visibility: | private → public |
Revision history for this message
| Jamie Strandboge (jdstrand) wrote | #5 |
| affects: | ecryptfs-utils (Ubuntu) → linux (Ubuntu) |
| Changed in linux (Ubuntu): | |
| status: | In Progress → Fix Released |
To post a comment you must log in.
Updating this patch due to an small error. "goto out;" was changed to "goto out_free;".