Geeks for your information News Privacy & Security News v
Critical Libgcrypt Crypto Bug Opens Machines to Arbitrary Code
Critical Libgcrypt Crypto Bug Opens Machines to Arbitrary Code
silversurfer Offline
Staff Member
******
Posts: 3,885
Threads: 3,283
Thanks Received: 5,064 in 3,838 posts
Thanks Given: 6,200
Joined: 12 September 18
#1
Information  02 February 21, 08:16
Quote:The Libgcrypt project has rushed out a fix for a critical bug in version 1.9.0 of the free-source cryptographic library. An exploit would allow an attacker to write arbitrary data to a target machine and execute code.
 
The security vulnerability is a heap-buffer overflow bug in Libgcrypt 1.9.0 (released on January 19 – previous versions are not affected), which researchers said can be exploited by merely decrypting a block of data. The issue is patched (CVE pending) in Libgcrypt version 1.9.1.
 
Libgcrypt is a general-purpose cryptographic library for developers to use when building applications, originally based on code from GNU Privacy Guard (GnuPG in turn is a free-software replacement for Symantec’s PGP cryptographic software suite). Libgcrypt is POSIX-compatible, meaning it can be used across Linus, Unix and macOSX applications, and can be enabled using a cross-compiler system for Microsoft Windows.
 
The bug is “simple to exploit,” according to Google Project Zero researcher Tavis Ormandy, who discovered and reported the issue.
 
“There is a heap-buffer overflow in Libgcrypt due to an incorrect assumption in the block buffer management code. Just decrypting some data can overflow a heap buffer with attacker-controlled data, no verification or signature is validated before the vulnerability occurs,” Ormandy explained in his report, published as part of Libgcrypt’s advisory on Friday.
 
Though the flawed version is no longer available for download, it’s unclear how many developers downloaded it for use in building their applications before it was taken down. Developers should replace the buggy library with the newest version, Libgcrypt authors noted.
 
Cryptographer Filippo Valsorda noted that Homebrew was affected by the flawed library. Homebrew is an open-source software package management system that simplifies the installation of software on Apple’s macOS operating system and Linux. Homebrew’s managers acknowledged the bug and fixed the issue.

Read more: https://threatpost.com/critical-libgcryp...de/163546/
[-] The following 2 users say Thank You to silversurfer for this post:
  • harlan4096, Mohammad.Poorya
Find
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)
[-]
Welcome
You have to register before you can post on our site.

Username/Email:


Password:

[-]
Recent Posts
WhatsApp Web Finally Gets Built-In Voice...
For a long time, W...harlan4096 — 08:46
AnyDesk 9.6.10 for Windows
AnyDesk 9.6.10 for...harlan4096 — 08:27
Google Chrome 145.0.7632.45/46
Google Chrome 145....harlan4096 — 08:26
UltraSearch 4.9
Version 4.9 New...harlan4096 — 08:25
PowerToys v0.97.2
Release v0.97.2 ...harlan4096 — 08:23

[-]
Birthdays
Today's Birthdays
avatar (50)listfquoto
avatar (46)dima6sarPrave
Upcoming Birthdays
avatar (38)showercurtains
avatar (49)PeterWhink
avatar (50)neuthrusBub
avatar (30)script6027529171
avatar (46)myhotseeve
avatar (46)Edwinmub
avatar (46)dimaWeami
avatar (39)TranoTymn
avatar (39)MezirLal
avatar (38)Michaelaburi
avatar (46)dpascoal
avatar (51)Ronaldduh
avatar (39)legalgauch
avatar (44)Baihu
avatar (27)RaseinsLikes

[-]
Online Staff
harlan4096's profile harlan4096
Administrator

>