View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0006195 | Taler | exchange | public | 2020-04-21 15:22 | 2021-09-02 18:14 |
Reporter | fefe | Assigned To | Christian Grothoff | ||
Priority | normal | Severity | major | Reproducibility | N/A |
Status | closed | Resolution | fixed | ||
Product Version | 0.7.0 | ||||
Target Version | 0.7.1 | Fixed in Version | 0.7.1 | ||
Summary | 0006195: integer overflow in deserialize_denomination_key | ||||
Description | In exchange/src/lib/exchange_api_refresh_common.c: `269 memcpy (&be,` `270 buf,` `271 sizeof (uint32_t));` `272 pbuf_size = ntohl (be);` `273 if (size < sizeof (uint32_t) + pbuf_size)` Not sure if you support 32-bit platforms, but on 32-bit the addition in line 273 can cause arithmetic overflow, leading to the range check not triggering and a potential out-of-bounds memory read (maybe even convertible into a Heartbleed situation): `279 dk->rsa_public_key` `280 = GNUNET_CRYPTO_rsa_public_key_decode (&buf[sizeof (uint32_t)],` `281 pbuf_size);` | ||||
Tags | No tags attached. | ||||
Date Modified | Username | Field | Change |
---|---|---|---|
2020-04-21 15:22 | fefe | New Issue | |
2020-04-21 15:22 | fefe | Status | new => assigned |
2020-04-21 15:22 | fefe | Assigned To | => Christian Grothoff |
2020-04-21 15:30 | Christian Grothoff | Status | assigned => resolved |
2020-04-21 15:30 | Christian Grothoff | Resolution | open => fixed |
2020-04-21 15:30 | Christian Grothoff | Fixed in Version | => 0.7.1 |
2020-04-21 15:30 | Christian Grothoff | Note Added: 0015727 | |
2020-04-21 15:30 | Christian Grothoff | Target Version | => 0.7.1 |
2021-08-24 16:23 | Christian Grothoff | Status | resolved => closed |
2021-09-02 18:13 | Christian Grothoff | Changeset attached | => Taler-exchange master 09294481 |
2021-09-02 18:14 | Christian Grothoff | Note Added: 0018259 |
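
The wraparound described in the report, as an added example that is not part of the original issue and is not Taler's code or its fix. Assumptions: `uint32_t` stands in for a 32-bit `size_t` so the behaviour is reproducible on 64-bit hosts, and `read_len`, `check_reported`, `check_hardened` and the sample buffers are hypothetical names and constructed inputs.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption: uint32_t models size_t on a 32-bit platform. */
typedef uint32_t size32_t;
#define HDR ((size32_t) sizeof (uint32_t))

/* Constructed inputs: 4-byte big-endian length prefix, then 4 payload bytes. */
static const unsigned char sample_ok[8]   = { 0x00, 0x00, 0x00, 0x04, 'k', 'e', 'y', '!' };
static const unsigned char sample_wrap[8] = { 0xFF, 0xFF, 0xFF, 0xFF, 'k', 'e', 'y', '!' };

/* Yields the same value as the memcpy + ntohl pair in the quoted snippet. */
static size32_t
read_len (const unsigned char *buf)
{
  return ((size32_t) buf[0] << 24) | ((size32_t) buf[1] << 16)
         | ((size32_t) buf[2] << 8) | (size32_t) buf[3];
}

/* Range check in the reported form. Returns 1 if the prefix is accepted. */
int
check_reported (const unsigned char *buf, size32_t size)
{
  if (size < HDR)                   /* guard added here so the prefix read is in bounds */
    return 0;
  if (size < HDR + read_len (buf))  /* sum wraps modulo 2^32 for large prefixes */
    return 0;
  return 1;
}

/* Overflow-free form: subtract from the trusted size, never add to the untrusted length. */
int
check_hardened (const unsigned char *buf, size32_t size)
{
  if (size < HDR)
    return 0;
  if (read_len (buf) > size - HDR)  /* size - HDR cannot underflow after the guard */
    return 0;
  return 1;
}

int
main (void)
{
  printf ("ok:   reported=%d hardened=%d\n", check_reported (sample_ok, 8), check_hardened (sample_ok, 8));
  printf ("wrap: reported=%d hardened=%d\n", check_reported (sample_wrap, 8), check_hardened (sample_wrap, 8));
  return 0;
}
```

With the prefix `0xFFFFFFFF`, the sum `4 + 0xFFFFFFFF` wraps to 3, so the reported form accepts an 8-byte buffer while claiming a payload of about 4 GiB; the subtraction form rejects it.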