Description: Stack-based buffer overflow in mcrypt 2.6.8 and earlier allows user-assisted remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long file name. NOTE: it is not clear whether this is a vulnerability.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: medium
Debian Bugs: 690924

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release | Version | Status
mcrypt (PTS) | jessie, stretch | 2.6.8-1.3 | fixed
mcrypt (PTS) | bullseye, sid, buster | 2.6.8-4 | fixed

The information below is based on the following data on fixed versions.

Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs


patch proposed by submitter at RH bugzilla is incorrect
Only occurs in cmdline parsing, no priv escalation. Only a security issue in constructed setups
