CVE-2008-1552

The silc_pkcs1_decode function in the silccrypt library (silcpkcs1.c) in Secure Internet Live Conferencing (SILC) Toolkit before 1.1.7, SILC Client before 1.1.4, and SILC Server before 1.1.2 allows remote attackers to execute arbitrary code via a crafted PKCS#1 message, which triggers an integer underflow, signedness error, and a buffer overflow.  NOTE: the researcher describes this as an integer overflow, but CVE uses the "underflow" term in cases of wraparound from unsigned subtraction.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.8 UNKNOWN
NETWORK
MEDIUM
AV:N/AC:M/Au:N/C:P/I:P/A:P
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 90%
VendorProductVersion
silcsilc_client
𝑥
≤ 1.1.3
silcsilc_server
𝑥
≤ 1.1.2
silcsilc_toolkit
𝑥
≤ 1.1.6
silcsilc
*
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
silc-client
oneiric
not-affected
natty
not-affected
maverick
not-affected
lucid
not-affected
karmic
not-affected
jaunty
not-affected
intrepid
not-affected
hardy
ignored
gutsy
ignored
feisty
dne
edgy
dne
dapper
dne
Common Weakness Enumeration
References
http://lists.opensuse.org/opensuse-security-announce/2008-04/msg00005.html
http://secunia.com/advisories/29463
http://secunia.com/advisories/29465
http://secunia.com/advisories/29622
http://secunia.com/advisories/29946
http://security.gentoo.org/glsa/glsa-200804-27.xml
http://securityreason.com/securityalert/3795
http://silcnet.org/general/news/?item=client_20080320_1
http://silcnet.org/general/news/?item=server_20080320_1
http://silcnet.org/general/news/?item=toolkit_20080320_1
http://www.coresecurity.com/?action=item&id=2206
http://www.mandriva.com/security/advisories?name=MDVSA-2008:158
http://www.securityfocus.com/archive/1/490069/100/0/threaded
http://www.securityfocus.com/bid/28373
http://www.securitytracker.com/id?1019690
http://www.vupen.com/english/advisories/2008/0974/references
https://exchange.xforce.ibmcloud.com/vulnerabilities/41474
https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00513.html
https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00538.html
http://lists.opensuse.org/opensuse-security-announce/2008-04/msg00005.html
http://secunia.com/advisories/29463
http://secunia.com/advisories/29465
http://secunia.com/advisories/29622
http://secunia.com/advisories/29946
http://security.gentoo.org/glsa/glsa-200804-27.xml
http://securityreason.com/securityalert/3795
http://silcnet.org/general/news/?item=client_20080320_1
http://silcnet.org/general/news/?item=server_20080320_1
http://silcnet.org/general/news/?item=toolkit_20080320_1
http://www.coresecurity.com/?action=item&id=2206
http://www.mandriva.com/security/advisories?name=MDVSA-2008:158
http://www.securityfocus.com/archive/1/490069/100/0/threaded
http://www.securityfocus.com/bid/28373
http://www.securitytracker.com/id?1019690
http://www.vupen.com/english/advisories/2008/0974/references
https://exchange.xforce.ibmcloud.com/vulnerabilities/41474
https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00513.html
https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00538.html