FYI...

---------- Forwarded message ----------
From: Jeffrey Walton <noloa...@gmail.com>
Date: Mon, Jun 5, 2017 at 9:32 PM
Subject: Crypto++ and invalid read in decompressor class
To: oss-secur...@lists.openwall.com

Hi Everyone,

Crypto++ (https://www.cryptopp.com/) is a free and open source library of cryptographic schemes originally written by Wei Dai. Smart fuzzing revealed Crypto++'s Zinflate class, used by classes like Gunzip and Inflator, could perform an out-of-bounds read when decompressing data.

The out-of-bounds read occurs on a table with 30 elements. The table is static and its storage is allocated in initialized memory. The attacker can craft a ZIP file that allows a read of the last two non-existent elements. We believe an attacker can only read 0-bytes due to the storage allocation. We were not able to escalate it to a write. We believe it's a low-risk finding.

We were not able to induce failures in other classes using the techniques. Other classes include those that are related, like compressors; and those which are unrelated, like public and private keys.

The issue is being tracked by the library at https://github.com/weidai11/cryptopp/issues/414. The Gentoo folks assigned CVE-2017-9434 to track the issue.

The fix is available in Master. It is also available for several versions of the library at https://github.com/weidai11/cryptopp/issues/414#issuecomment-300671740

Jeff
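
The bug class described in the message above, as an added example that is not part of the original post and is not Crypto++'s code: a DEFLATE fixed distance code is 5 bits wide (values 0 to 31) while the RFC 1951 distance tables hold 30 entries, so the index has to be checked before the lookup. That the 30-element table in Zinflate is this distance table is an assumption, and `BitReader` and `DecodeFixedDistance` are hypothetical names.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <utility>
#include <vector>

// RFC 1951 sec. 3.2.5 distance tables: exactly 30 entries, for codes 0..29.
static const std::array<std::uint16_t, 30> kDistBase = {{
    1, 2, 3, 4, 5, 7, 9, 13, 17, 25, 33, 49, 65, 97, 129, 193, 257, 385, 513,
    769, 1025, 1537, 2049, 3073, 4097, 6145, 8193, 12289, 16385, 24577}};
static const std::array<std::uint8_t, 30> kDistExtra = {{
    0, 0, 0, 0, 1, 1, 2, 2, 3, 3, 4, 4, 5, 5, 6, 6, 7, 7, 8, 8,
    9, 9, 10, 10, 11, 11, 12, 12, 13, 13}};

// Hypothetical helper: LSB-first bit reader, the order DEFLATE packs bits in.
class BitReader {
public:
    explicit BitReader(std::vector<std::uint8_t> buf) : buf_(std::move(buf)) {}
    bool Get(unsigned n, std::uint32_t& v) {
        if (n > buf_.size() * 8 - pos_) return false;  // truncated input
        v = 0;
        for (unsigned i = 0; i < n; ++i, ++pos_)
            v |= static_cast<std::uint32_t>((buf_[pos_ / 8] >> (pos_ % 8)) & 1u) << i;
        return true;
    }
private:
    std::vector<std::uint8_t> buf_;
    std::size_t pos_ = 0;
};

// Decode one fixed-Huffman distance: a 5-bit code sent most significant bit
// first, then that code's extra bits. Returns false on truncated input and on
// codes 30 and 31, which 5 bits can express but the tables do not contain.
bool DecodeFixedDistance(BitReader& br, std::uint32_t& distance) {
    std::uint32_t code = 0, bit = 0, extra = 0;
    for (int i = 0; i < 5; ++i) {
        if (!br.Get(1, bit)) return false;
        code = (code << 1) | bit;
    }
    if (code >= kDistBase.size()) return false;  // bounds check before indexing
    if (!br.Get(kDistExtra[code], extra)) return false;
    distance = kDistBase[code] + extra;
    return true;
}
```

Without the `code >= kDistBase.size()` check, codes 30 and 31 would index one and two elements past the end of both tables, which matches the "last two non-existent elements" in the report.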