RSAREF2 buffer overflow patch

From: Gerardo Richarte (core.lists.bugtraq@CORE-SDI.COM)
Date: Fri Dec 10 1999 - 17:24:01 PST

Next message: Erik Fichtner: "Re: sadmind exploits (remote sparc/x86)"

Previous message: Gregory A Lundberg: "Re: FTP denial of service attack"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    While exchanging emails with CERT about the problem in RSAREF2 they
told me that somebody anonymous observed that there may be problem on
the
patch we released for RSAREF2. Together we produced a new version of
this
patch, which you can find in
ftp://www.core-sdi.com/pub/patches/rsaref2.patch
or at the end of this email.
    While we [Core SDI S.A.] and the CERT are not aware of any exploit
that bypasses
the checks performed by the previous version, this new version is more
strict than the
other, so we recommend you to use it.
    We still think that RSAREF's problem need to be solved a little
better that with a
patch, but still this is more than what we can legally do... while it's
obligatory to use
RSAREF [only] in the USA, nobody can legally alter its sources, so be
careful when
changing them.

    richie

PS: You must apply this new patch to the original version of rsa.c.

--------------------------------------- rsaref2.patch
*** rsa.original.c Fri Mar 26 14:01:48 1994
--- rsa.c Fri Dec 10 12:56:34 1999
***************
*** 33,38 ****
--- 33,41 ----
    unsigned char byte, pkcsBlock[MAX_RSA_MODULUS_LEN];
    unsigned int i, modulusLen;

+   if (publicKey->bits > MAX_RSA_MODULUS_BITS)
+     return (RE_LEN);
+
    modulusLen = (publicKey->bits + 7) / 8;
    if (inputLen + 11 > modulusLen)
      return (RE_LEN);
***************
*** 78,83 ****
--- 81,89 ----
    unsigned char pkcsBlock[MAX_RSA_MODULUS_LEN];
    unsigned int i, modulusLen, pkcsBlockLen;

+   if (publicKey->bits > MAX_RSA_MODULUS_BITS)
+     return (RE_LEN);
+
    modulusLen = (publicKey->bits + 7) / 8;
    if (inputLen > modulusLen)
      return (RE_LEN);
***************
*** 128,133 ****
--- 134,142 ----
    int status;
    unsigned char pkcsBlock[MAX_RSA_MODULUS_LEN];
    unsigned int i, modulusLen;
+
+   if (privateKey->bits > MAX_RSA_MODULUS_BITS)
+     return (RE_LEN);

    modulusLen = (privateKey->bits + 7) / 8;
    if (inputLen + 11 > modulusLen)
***************
*** 168,173 ****
--- 177,185 ----
    unsigned char pkcsBlock[MAX_RSA_MODULUS_LEN];
    unsigned int i, modulusLen, pkcsBlockLen;

+   if (privateKey->bits > MAX_RSA_MODULUS_BITS)
+     return (RE_LEN);
+
    modulusLen = (privateKey->bits + 7) / 8;
    if (inputLen > modulusLen)
      return (RE_LEN);


--
A390 1BBA 2C58 D679 5A71 - 86F9 404F 4B53 3944 C2D0
Investigacion y Desarrollo - CoreLabs - Core SDI
http://www.core-sdi.com



--- For a personal reply use gera@core-sdi.com

Next message: Erik Fichtner: "Re: sadmind exploits (remote sparc/x86)"
Previous message: Gregory A Lundberg: "Re: FTP denial of service attack"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:20:10 PDT