[Secure-testing-team] Bug#772008: libmpfr4: buffer overflow in mpfr_strtofr

Vincent Lefevre vincent at vinc17.net
Thu Dec 4 10:40:49 UTC 2014


Package: libmpfr4
Version: 3.1.2-1+b1
Severity: grave
Tags: security
Justification: user security hole

A buffer overflow may occur in mpfr_strtofr. This bug was actually
discovered a year ago, and was a consequence of incorrect GMP
documentation. For details, see the discussion:

  https://gmplib.org/list-archives/gmp-bugs/2013-December/003267.html

A short description of the bug and a patch (which just increases the
buffer size according to the new GMP documentation) is available at:

  http://www.mpfr.org/mpfr-3.1.2/#bugs

The effects of this bug may be those of a buffer overflow. I don't
know whether it can be exploited to execute random code (I'd say
that this is unlikely, but I'm not sure). I just know that a crash
is possible (memory corruption detected by the glibc?) with the
32-bit ABI when alloca is disabled (alloca is not disabled by
default, but note that alloca is not used in large precisions).

-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages libmpfr4:amd64 depends on:
ii  libc6              2.19-13
ii  libgmp10           2:6.0.0+dfsg-6
ii  multiarch-support  2.19-13

libmpfr4:amd64 recommends no packages.

libmpfr4:amd64 suggests no packages.

-- no debconf information


