Critical Libgcrypt Crypto Bug Opens Machines to Arbitrary Code
#1
Information 
Quote: The Libgcrypt project has rushed out a fix for a critical bug in version 1.9.0 of the free-source cryptographic library. An exploit would allow an attacker to write arbitrary data to a target machine and execute code.
 
The security vulnerability is a heap-buffer overflow bug in Libgcrypt 1.9.0 (released on January 19 – previous versions are not affected), which researchers said can be exploited by merely decrypting a block of data. The issue is patched (CVE pending) in Libgcrypt version 1.9.1.
 
Libgcrypt is a general-purpose cryptographic library for developers to use when building applications, originally based on code from GNU Privacy Guard (GnuPG in turn is a free-software replacement for Symantec’s PGP cryptographic software suite). Libgcrypt is POSIX-compatible, meaning it can be used across Linux, Unix and macOS applications, and can be enabled using a cross-compiler system for Microsoft Windows.
 
The bug is “simple to exploit,” according to Google Project Zero researcher Tavis Ormandy, who discovered and reported the issue.
 
“There is a heap-buffer overflow in Libgcrypt due to an incorrect assumption in the block buffer management code. Just decrypting some data can overflow a heap buffer with attacker-controlled data, no verification or signature is validated before the vulnerability occurs,” Ormandy explained in his report, published as part of Libgcrypt’s advisory on Friday.
 
Though the flawed version is no longer available for download, it’s unclear how many developers downloaded it for use in building their applications before it was taken down. Developers should replace the buggy library with the newest version, Libgcrypt authors noted.
 
Cryptographer Filippo Valsorda noted that Homebrew was affected by the flawed library. Homebrew is an open-source software package management system that simplifies the installation of software on Apple’s macOS operating system and Linux. Homebrew’s managers acknowledged the bug and fixed the issue.

Read more: https://threatpost.com/critical-libgcryp...de/163546/
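Added illustration of the bug class the quoted report describes (a block buffer manager that trusts its caller about chunk sizes, so attacker-controlled plaintext written during decryption runs past a heap buffer). This is constructed example code, not Libgcrypt's code and not the actual CVE fix: the block size, the struct, the function names and the 'A'-filled input are all assumptions. A canary region is allocated directly behind the block buffer so the overwrite lands in memory the program owns and can be inspected, rather than corrupting unrelated heap data.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed demo of a block-buffer overflow; none of this is Libgcrypt code. */
#define BLOCKSIZE   16    /* one block of the buffered primitive (assumed) */
#define CANARY_LEN  64    /* bytes placed behind buf so an overflow is observable */
#define CANARY_BYTE 0xA5

typedef struct {
    unsigned char *buf;     /* heap buffer meant to hold at most BLOCKSIZE bytes */
    size_t count;           /* bytes currently pending in buf */
    size_t blocks_flushed;  /* full blocks handed to the (simulated) block function */
} block_ctx;

static block_ctx *ctx_new(void)
{
    block_ctx *c = calloc(1, sizeof *c);
    if (!c) return NULL;
    /* The canary region keeps the demo's out-of-bounds writes inside owned memory. */
    c->buf = malloc(BLOCKSIZE + CANARY_LEN);
    if (!c->buf) { free(c); return NULL; }
    memset(c->buf + BLOCKSIZE, CANARY_BYTE, CANARY_LEN);
    return c;
}

static void ctx_free(block_ctx *c) { if (c) { free(c->buf); free(c); } }

/* 1 if nothing was written past the block buffer, 0 if the canary was clobbered. */
static int canary_intact(const block_ctx *c)
{
    for (size_t i = 0; i < CANARY_LEN; i++)
        if (c->buf[BLOCKSIZE + i] != CANARY_BYTE) return 0;
    return 1;
}

/* Vulnerable writer: assumes every chunk fits in the room left in the block
   buffer and therefore never clamps the copy length (the "incorrect assumption"). */
static void block_write_vulnerable(block_ctx *c, const unsigned char *in, size_t inlen)
{
    if (c->count < BLOCKSIZE) {
        memcpy(c->buf + c->count, in, inlen);  /* overflows when inlen > BLOCKSIZE - count */
        c->count += inlen;
    }
    if (c->count >= BLOCKSIZE) { c->blocks_flushed++; c->count = 0; }
}

/* Fixed writer: copy at most the free room, flush each full block, loop until
   the input is consumed; a partial tail stays pending for the next call. */
static void block_write_fixed(block_ctx *c, const unsigned char *in, size_t inlen)
{
    while (inlen > 0) {
        size_t room = BLOCKSIZE - c->count;
        size_t n = inlen < room ? inlen : room;
        memcpy(c->buf + c->count, in, n);
        c->count += n; in += n; inlen -= n;
        if (c->count == BLOCKSIZE) { c->blocks_flushed++; c->count = 0; }
    }
}

/* Feed one attacker-sized chunk of 'A' bytes (constructed input) to the
   vulnerable writer. Returns 1 if the canary survived, 0 if it was overwritten,
   -1 if the chunk would leave the owned canary region (demo safety limit). */
int feed_vulnerable(size_t chunk)
{
    if (chunk > BLOCKSIZE + CANARY_LEN) return -1;
    block_ctx *c = ctx_new();
    if (!c) return -1;
    unsigned char *in = malloc(chunk);
    if (!in) { ctx_free(c); return -1; }
    memset(in, 'A', chunk);
    block_write_vulnerable(c, in, chunk);
    int ok = canary_intact(c);
    free(in); ctx_free(c);
    return ok;
}

/* Same input through the fixed writer; also reports block accounting. */
int feed_fixed(size_t chunk, size_t *flushed, size_t *pending)
{
    block_ctx *c = ctx_new();
    if (!c) return -1;
    unsigned char *in = malloc(chunk);
    if (!in) { ctx_free(c); return -1; }
    memset(in, 'A', chunk);
    block_write_fixed(c, in, chunk);
    int ok = canary_intact(c);
    if (flushed) *flushed = c->blocks_flushed;
    if (pending) *pending = c->count;
    free(in); ctx_free(c);
    return ok;
}

int main(void)
{
    size_t f = 0, p = 0;
    printf("vulnerable, 40-byte chunk: canary intact = %d\n", feed_vulnerable(40));
    printf("fixed, 40-byte chunk: canary intact = %d, blocks flushed = %zu, pending = %zu\n",
           feed_fixed(40, &f, &p), f, p);
    return 0;
}
```

The point to take from the comparison is that the vulnerable path is reached by plain data flow: no key check, signature or MAC sits between the attacker's bytes and the `memcpy`, which matches the report's remark that nothing is validated before the overflow occurs. In a real deployment there is no canary region, so the same write lands on whatever heap object follows the buffer.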