Thanks, Vincent, for the information. I would still wait for a CVE,
so we can apply a patch and track the vulnerability for other
Debian versions (stable/oldstable/o-o-stable etc.).

Regards

Anton


On Fri, 17 Sept 2021 at 01:17, Vincent Lefevre <vinc...@vinc17.net> wrote:

> On 2021-09-16 21:23:34 +0200, Anton Gladky wrote:
> > Thanks for the bug report. We will fix it when a CVE (if any) is
> > assigned and an upstream patch is available.
>
> FYI, an upstream patch is now available here:
>
>   https://gmplib.org/list-archives/gmp-bugs/2021-September/005087.html
>
> > Though the integer overflows do not make the package unusable in
> > most cases.
>
> Yes, but they may introduce security issues, in particular here
> because the behavior depends on data from a file, which may be
> untrusted. That said, here it is probably wise to check that the
> size is not too large in order to prevent the address space from
> being exhausted.
>
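
The point Vincent makes in the quoted reply, that a size read from an untrusted file must be bounds-checked both against arithmetic overflow and against exhausting the address space before anything is allocated, illustrated as an added example. This is not GMP's code or the upstream patch: the 4-byte big-endian sign-magnitude length header, the 64 MiB policy limit, and all function and type names are constructed for this demonstration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Policy limit on the magnitude we are willing to allocate for one
   deserialized integer (constructed for this example; choose your own). */
#define MAX_MAGNITUDE_BYTES ((size_t)64 * 1024 * 1024)

enum parse_status {
    PARSE_OK = 0,
    PARSE_TRUNCATED_HEADER,   /* fewer than 4 header bytes in the input */
    PARSE_SIZE_OVERFLOW,      /* byte count would wrap size_t arithmetic */
    PARSE_SIZE_TOO_LARGE,     /* byte count exceeds MAX_MAGNITUDE_BYTES */
    PARSE_TRUNCATED_BODY,     /* header promises more bytes than the input holds */
    PARSE_ALLOC_FAILED
};

typedef struct {
    int negative;
    size_t nbytes;            /* magnitude length in bytes */
    size_t nlimbs;            /* magnitude length in 64-bit limbs */
    uint64_t *limbs;          /* little-endian limbs, heap-allocated, or NULL for zero */
} untrusted_int;

/* Decode the constructed header (top bit = sign, low 31 bits = byte count)
   and validate the count before any allocation is attempted. */
enum parse_status checked_size_from_header(const unsigned char *hdr, size_t hdr_len,
                                           size_t *out_nbytes, size_t *out_nlimbs,
                                           int *out_negative)
{
    if (hdr_len < 4)
        return PARSE_TRUNCATED_HEADER;

    uint32_t raw = ((uint32_t)hdr[0] << 24) | ((uint32_t)hdr[1] << 16) |
                   ((uint32_t)hdr[2] << 8)  |  (uint32_t)hdr[3];
    int negative = (int)((raw >> 31) & 1u);
    size_t nbytes = raw & 0x7fffffffu;

    /* Arithmetic safety: nbytes * CHAR_BIT (bit count) and nbytes + 7
       (limb rounding) must not wrap. On a 32-bit size_t the first check
       fires for counts above ~512 MiB. */
    if (nbytes > SIZE_MAX / CHAR_BIT || nbytes > SIZE_MAX - 7)
        return PARSE_SIZE_OVERFLOW;

    /* Resource safety: a count that does not overflow can still be large
       enough to exhaust the address space, so apply an explicit bound. */
    if (nbytes > MAX_MAGNITUDE_BYTES)
        return PARSE_SIZE_TOO_LARGE;

    *out_nbytes = nbytes;
    *out_nlimbs = (nbytes + 7) / 8;
    *out_negative = negative;
    return PARSE_OK;
}

/* Parse header plus big-endian magnitude from an untrusted buffer. The body
   length is verified against the header before the limb array is allocated,
   so a lying header cannot drive a large allocation. */
enum parse_status parse_untrusted_int(const unsigned char *buf, size_t len,
                                      untrusted_int *out)
{
    memset(out, 0, sizeof *out);
    enum parse_status st = checked_size_from_header(buf, len, &out->nbytes,
                                                    &out->nlimbs, &out->negative);
    if (st != PARSE_OK)
        return st;
    if (len - 4 < out->nbytes)        /* len >= 4 is guaranteed by the header check */
        return PARSE_TRUNCATED_BODY;
    if (out->nlimbs == 0)
        return PARSE_OK;              /* the value zero: nothing to allocate */

    out->limbs = calloc(out->nlimbs, sizeof *out->limbs);
    if (out->limbs == NULL)
        return PARSE_ALLOC_FAILED;

    /* Byte i counted from the end of the body lands in limb i/8, bits 8*(i%8). */
    const unsigned char *body = buf + 4;
    for (size_t i = 0; i < out->nbytes; i++) {
        unsigned char b = body[out->nbytes - 1 - i];
        out->limbs[i / 8] |= (uint64_t)b << (8 * (i % 8));
    }
    return PARSE_OK;
}

void untrusted_int_free(untrusted_int *v)
{
    free(v->limbs);
    v->limbs = NULL;
}
```

The two checks are deliberately separate: the overflow test protects the arithmetic that derives a limb or bit count from the byte count, while the policy limit addresses the address-space exhaustion the quoted reply mentions, which a mathematically correct but huge count would still cause.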
