CVE-2008-1552

critical

Description

The silc_pkcs1_decode function in the silccrypt library (silcpkcs1.c) in Secure Internet Live Conferencing (SILC) Toolkit before 1.1.7, SILC Client before 1.1.4, and SILC Server before 1.1.2 allows remote attackers to execute arbitrary code via a crafted PKCS#1 message, which triggers an integer underflow, signedness error, and a buffer overflow. NOTE: the researcher describes this as an integer overflow, but CVE uses the "underflow" term in cases of wraparound from unsigned subtraction.

References

https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00538.html

https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00513.html

https://exchange.xforce.ibmcloud.com/vulnerabilities/41474

http://www.vupen.com/english/advisories/2008/0974/references

http://www.securitytracker.com/id?1019690

http://www.securityfocus.com/bid/28373

http://www.securityfocus.com/archive/1/490069/100/0/threaded

http://www.mandriva.com/security/advisories?name=MDVSA-2008:158

http://www.coresecurity.com/?action=item&id=2206

http://silcnet.org/general/news/?item=toolkit_20080320_1

http://silcnet.org/general/news/?item=server_20080320_1

http://silcnet.org/general/news/?item=client_20080320_1

http://securityreason.com/securityalert/3795

http://security.gentoo.org/glsa/glsa-200804-27.xml

http://secunia.com/advisories/29946

http://secunia.com/advisories/29622

http://secunia.com/advisories/29465

http://secunia.com/advisories/29463

http://lists.opensuse.org/opensuse-security-announce/2008-04/msg00005.html

Details

Source: Mitre, NVD

Published: 2008-03-31

Updated: 2018-10-11

Risk Information

CVSS v2

Base Score: 6.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Severity: Medium

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical