Fwd: Crypto++ and invalid read in decompressor class

Jeffrey Walton-3
FYI...

---------- Forwarded message ----------
From: Jeffrey Walton <[hidden email]>
Date: Mon, Jun 5, 2017 at 9:32 PM
Subject: Crypto++ and invalid read in decompressor class
To: [hidden email]

Hi Everyone,

Crypto++ (https://www.cryptopp.com/) is a free and open source
library of cryptographic schemes originally written by Wei Dai. Smart
fuzzing revealed Crypto++'s Zinflate class, used by classes like
Gunzip and Inflator, could perform an out-of-bounds read when
decompressing data.

The out-of-bounds read occurs on a table with 30 elements. The table
is static and its storage is allocated in initialized memory. The
attacker can craft a ZIP file that allows a read of the last two
non-existent elements. We believe an attacker can only read 0-bytes
due to the storage allocation. We were not able to escalate it to a
write. We believe it's a low-risk finding.

We were not able to induce failures in other classes using the
techniques. Other classes include those that are related, like
compressors; and those which are unrelated, like public and private
keys.

The issue is being tracked by the library at
https://github.com/weidai11/cryptopp/issues/414. The Gentoo folks
assigned CVE-2017-9434 to track the issue.

The fix is available in Master. It is also available for several
versions of the library at
https://github.com/weidai11/cryptopp/issues/414#issuecomment-300671740

Jeff
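The table-lookup failure mode described in the message, shown as an added illustration rather than Crypto++'s own code. It assumes the 30-element table is the DEFLATE distance table: RFC 1951 defines exactly 30 distance codes (0..29) and reserves codes 30 and 31, which matches both the element count and the "last two non-existent elements" above. The function names, the DistanceSymbol struct and the sample symbol streams are constructed for this example and do not reproduce Zinflate's internals; the unchecked lookup is the vulnerable pattern and the checked form is the fix a decoder needs.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <optional>
#include <vector>

// DEFLATE (RFC 1951, section 3.2.5) defines 30 distance codes, 0..29.
// Codes 30 and 31 are reserved: a decoder must treat them as a corrupt
// stream, never as indices into the 30-entry tables below.
constexpr std::size_t kDistanceCodes = 30;

// Base distance for each code (values from RFC 1951).
constexpr std::array<uint16_t, kDistanceCodes> kDistanceBase = {
    1,    2,    3,    4,    5,    7,    9,    13,    17,    25,
    33,   49,   65,   97,   129,  193,  257,  385,   513,   769,
    1025, 1537, 2049, 3073, 4097, 6145, 8193, 12289, 16385, 24577};

// Number of extra bits that follow each code (values from RFC 1951).
constexpr std::array<uint8_t, kDistanceCodes> kDistanceExtraBits = {
    0, 0, 0, 0, 1, 1, 2, 2, 3, 3, 4, 4, 5, 5, 6, 6,
    7, 7, 8, 8, 9, 9, 10, 10, 11, 11, 12, 12, 13, 13};

// One Huffman-decoded distance code plus the extra bits read after it.
// A real inflater produces these from the bit stream; here they are
// supplied directly so the lookup step can be exercised on its own.
// (Hypothetical type for this example.)
struct DistanceSymbol {
    unsigned code;       // 5-bit code space, so 30 and 31 are representable
    uint32_t extraBits;  // value of the extra bits that followed the code
};

// Unchecked form: trusts that code < 30. A crafted stream that decodes to
// code 30 or 31 makes this read past the end of both tables, the same
// shape of out-of-bounds read as the one reported above.
// Never call this with an unvalidated code.
uint32_t DistanceUnchecked(const DistanceSymbol& sym) {
    return kDistanceBase[sym.code] + sym.extraBits;
}

// Checked form: reject reserved codes before either table is touched, and
// reject extra-bit values wider than the code allows.
std::optional<uint32_t> DistanceChecked(const DistanceSymbol& sym) {
    if (sym.code >= kDistanceCodes) {
        return std::nullopt;  // reserved code 30/31: corrupt stream
    }
    const uint32_t maxExtra = (1u << kDistanceExtraBits[sym.code]) - 1u;
    if (sym.extraBits > maxExtra) {
        return std::nullopt;  // extra bits do not fit this code's width
    }
    return static_cast<uint32_t>(kDistanceBase[sym.code]) + sym.extraBits;
}

// Decode a whole sequence of distance symbols, failing closed on the first
// invalid one instead of continuing with partially decoded output.
std::optional<std::vector<uint32_t>> DecodeDistances(
        const std::vector<DistanceSymbol>& syms) {
    std::vector<uint32_t> out;
    out.reserve(syms.size());
    for (const DistanceSymbol& s : syms) {
        std::optional<uint32_t> d = DistanceChecked(s);
        if (!d) {
            return std::nullopt;
        }
        out.push_back(*d);
    }
    return out;
}

// Constructed sample streams for this example (not taken from any archive).
const std::vector<DistanceSymbol> kValidStream = {
    {0, 0},      // distance 1
    {4, 1},      // base 5 + one extra bit set -> 6
    {29, 8191},  // base 24577 + all 13 extra bits set -> 32768, the DEFLATE maximum
};

const std::vector<DistanceSymbol> kCorruptStream = {
    {0, 0},
    {30, 0},     // reserved code: would index element 30 of a 30-entry table
};
```

Checking the code against kDistanceCodes before the lookup is the whole fix; the extra-bits range check is a second guard that costs nothing and keeps the computed distance inside the 32768-byte window that DEFLATE allows. Compile with at least C++17 for std::optional.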

--
You received this message because you are subscribed to the "Crypto++ Users" Google Group.
To unsubscribe, send an email to [hidden email].
More information about Crypto++ and this group is available at http://www.cryptopp.com.