Package: libgmp10
Version: 2:6.2.1+dfsg-2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <[email protected]>

mpz_inp_raw segfaults (SEGV_MAPERR) on large sizes.

I suspect that this is due to an integer overflow in mpz/inp_raw.c:

  abs_xsize = BITS_TO_LIMBS (abs_csize*8);

See discussion

  https://gmplib.org/list-archives/gmp-bugs/2021-September/005077.html

and my comment

  https://gmplib.org/list-archives/gmp-bugs/2021-September/005086.html

I have not checked, but abs_xsize would be smaller than expected, thus

  xp = MPZ_NEWALLOC (x, abs_xsize);

would allocate less than expected, thus I suppose that

  cp = (char *) (xp + abs_xsize) - abs_csize;

points to a location that is *before* the buffer.

-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'stable-security'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-8-amd64 (SMP w/12 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=POSIX, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libgmp10:i386 depends on:
ii  libc6  2.32-2

libgmp10:i386 recommends no packages.

libgmp10:i386 suggests no packages.

-- no debconf information

-- 
Vincent Lefèvre <[email protected]> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

-- 
debian-science-maintainers mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-science-maintainers
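The arithmetic the report points at can be reproduced in isolation. The following is an added example written for this page; it is not GMP's code and not part of the bug report. It models the three lines quoted above (BITS_TO_LIMBS, the allocation size and the cp pointer computation) with a 32-bit signed size type standing in for mp_size_t on a 32-bit build such as the reporter's libgmp10:i386 (an assumption, chosen so the wrap-around is deterministic), shows how abs_csize*8 wraps so that a 512 MiB input is rounded to a single limb and cp lands hundreds of megabytes before the buffer, and puts a bounds check beside it. All names (demo_*, checked_abs_xsize, cp_offset_bytes) and the 0x20000001 input are constructed for the example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Added example, not GMP code. demo_size_t stands in for mp_size_t on a
   32-bit build (assumption); a limb is DEMO_NUMB_BITS wide. */
#define DEMO_NUMB_BITS 32
typedef int32_t demo_size_t;

/* Same shape as GMP's BITS_TO_LIMBS: round a bit count up to whole limbs. */
static demo_size_t demo_bits_to_limbs(demo_size_t n)
{
    return (n + (DEMO_NUMB_BITS - 1)) / DEMO_NUMB_BITS;
}

/* Unchecked size computation mirroring "abs_xsize = BITS_TO_LIMBS (abs_csize*8)".
   The product is formed in uint32_t so the demo itself has no undefined
   behaviour; the value wraps modulo 2^32 exactly as a 32-bit mp_size_t would.
   Only inputs whose wrapped product fits in int32_t are used below. */
static demo_size_t vulnerable_abs_xsize(demo_size_t abs_csize)
{
    uint32_t bits = (uint32_t)abs_csize * 8u;   /* wraps for abs_csize >= 2^29 */
    return demo_bits_to_limbs((demo_size_t)bits);
}

/* Hardened variant: refuse any byte count whose bit count (plus the rounding
   term added by demo_bits_to_limbs) cannot be represented in demo_size_t.
   Returns false instead of producing a too-small allocation size. */
static bool checked_abs_xsize(demo_size_t abs_csize, demo_size_t *out)
{
    const demo_size_t max_bytes = (INT32_MAX - (DEMO_NUMB_BITS - 1)) / 8;
    if (abs_csize < 0 || abs_csize > max_bytes)
        return false;                           /* bit count would overflow */
    *out = demo_bits_to_limbs(abs_csize * 8);   /* cannot overflow here */
    return true;
}

/* Byte offset of cp relative to xp in "cp = (char *) (xp + abs_xsize) - abs_csize".
   Computed in 64 bits so the offset itself cannot wrap; a negative result
   means cp points before the start of the allocated limb buffer. */
static int64_t cp_offset_bytes(demo_size_t abs_xsize, demo_size_t abs_csize)
{
    return (int64_t)abs_xsize * (DEMO_NUMB_BITS / 8) - (int64_t)abs_csize;
}

int main(void)
{
    /* Constructed input: 0x20000001 bytes (512 MiB + 1). 0x20000001*8 is
       2^32 + 8, which wraps to 8 bits, i.e. one limb instead of 134217729. */
    demo_size_t big = 0x20000001;
    demo_size_t limbs = vulnerable_abs_xsize(big);
    demo_size_t checked;

    printf("unchecked: %d bytes -> %d limb(s) allocated\n", big, limbs);
    printf("unchecked: cp sits %lld bytes from xp\n",
           (long long)cp_offset_bytes(limbs, big));
    printf("checked:   %s\n",
           checked_abs_xsize(big, &checked) ? "accepted" : "rejected (size overflow)");
    return 0;
}
```

The check is placed where the report locates the problem, before the size is used for allocation, because once abs_xsize is too small the pointer arithmetic that follows is already out of bounds and no later check on cp can be trusted.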
