CVE-2008-1552

EUVD-2008-1553
The silc_pkcs1_decode function in the silccrypt library (silcpkcs1.c) in Secure Internet Live Conferencing (SILC) Toolkit before 1.1.7, SILC Client before 1.1.4, and SILC Server before 1.1.2 allows remote attackers to execute arbitrary code via a crafted PKCS#1 message, which triggers an integer underflow, signedness error, and a buffer overflow.  NOTE: the researcher describes this as an integer overflow, but CVE uses the "underflow" term in cases of wraparound from unsigned subtraction.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.8 UNKNOWN
NETWORK
MEDIUM
AV:N/AC:M/Au:N/C:P/I:P/A:P
Base Score
CVSS 3.x
EPSS Score
Percentile: 91%
Affected Products (NVD)
VendorProductVersion
silcsilc_client
𝑥
≤ 1.1.3
silcsilc_server
𝑥
≤ 1.1.2
silcsilc_toolkit
𝑥
≤ 1.1.6
silcsilc
*
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
silc-client
dapper
dne
edgy
dne
feisty
dne
gutsy
ignored
hardy
ignored
intrepid
not-affected
jaunty
not-affected
karmic
not-affected
lucid
not-affected
maverick
not-affected
natty
not-affected
oneiric
not-affected
Common Weakness Enumeration
References
http://lists.opensuse.org/opensuse-security-announce/2008-04/msg00005.html
http://secunia.com/advisories/29463
http://secunia.com/advisories/29465
http://secunia.com/advisories/29622
http://secunia.com/advisories/29946
http://security.gentoo.org/glsa/glsa-200804-27.xml
http://securityreason.com/securityalert/3795
http://silcnet.org/general/news/?item=client_20080320_1
http://silcnet.org/general/news/?item=server_20080320_1
http://silcnet.org/general/news/?item=toolkit_20080320_1
http://www.coresecurity.com/?action=item&id=2206
http://www.mandriva.com/security/advisories?name=MDVSA-2008:158
http://www.securityfocus.com/archive/1/490069/100/0/threaded
http://www.securityfocus.com/bid/28373
http://www.securitytracker.com/id?1019690
http://www.vupen.com/english/advisories/2008/0974/references
https://exchange.xforce.ibmcloud.com/vulnerabilities/41474
https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00513.html
https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00538.html
http://lists.opensuse.org/opensuse-security-announce/2008-04/msg00005.html
http://secunia.com/advisories/29463
http://secunia.com/advisories/29465
http://secunia.com/advisories/29622
http://secunia.com/advisories/29946
http://security.gentoo.org/glsa/glsa-200804-27.xml
http://securityreason.com/securityalert/3795
http://silcnet.org/general/news/?item=client_20080320_1
http://silcnet.org/general/news/?item=server_20080320_1
http://silcnet.org/general/news/?item=toolkit_20080320_1
http://www.coresecurity.com/?action=item&id=2206
http://www.mandriva.com/security/advisories?name=MDVSA-2008:158
http://www.securityfocus.com/archive/1/490069/100/0/threaded
http://www.securityfocus.com/bid/28373
http://www.securitytracker.com/id?1019690
http://www.vupen.com/english/advisories/2008/0974/references
https://exchange.xforce.ibmcloud.com/vulnerabilities/41474
https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00513.html
https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00538.html