-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - - -------------------------------------------------------------------- GENTOO LINUX SECURITY ANNOUNCEMENT 200301-4 - - -------------------------------------------------------------------- PACKAGE : libmcrypt SUMMARY : buffer overflows and memory exhaustion DATE : 2003-01-05 12:01 UTC EXPLOIT : remote - - -------------------------------------------------------------------- Post by Ilia Alshanetsky <iliaat_private>: "limbcrypt versions prior to 2.5.5 contain a number of buffer overflow vulnerabilities that stem from imporper or lacking input validation. By passing a longer then expected input to a number of functions (multiple functions are affected) the user can successful make libmcrypt crash. Another vulnerability is due to the way libmcrypt loads algorithms via libtool. When the algorithms are loaded dynamically the each time the algorithm is loaded a small (few kilobytes) of memory are leaked. In a persistant enviroment (web server) this could lead to a memory exhaustion attack that will exhaust all avaliable memory by launching repeated requests at an application utilizing the mcrypt library. The solution to both of these problem is to upgrade to the latest release of libmcrypt, 2.5.5." SOLUTION It is recommended that all Gentoo Linux users who are running dev-libs/libmcrypt-2.5.1-r4 or earlier update their systems as follows: emerge rsync emerge libmcrypt emerge clean - - -------------------------------------------------------------------- alizat_private - GnuPG key is available at www.gentoo.org/~aliz - - -------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQE+GCDqfT7nyhUpoZMRAgLTAJ9wkfPJg1Z4f0d5krJpObWVGtPwJgCfYQ7o a7jfaOOalcN+xeBczQjxAds= =vxQ0 -----END PGP SIGNATURE-----
This archive was generated by hypermail 2b30 : Mon Jan 06 2003 - 19:55:24 PST