Your message dated Mon, 15 Nov 2021 22:03:44 +0000
with message-id <[email protected]>
and subject line Bug#994405: fixed in gmp 2:6.2.1+dfsg-3
has caused the Debian Bug report #994405,
regarding libgmp10:i386: buffer overflow due to integer overflow in mpz/inp_raw.c on 32-bit machines (CVE-2021-43618)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
994405: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=994405
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libgmp10
Version: 2:6.2.1+dfsg-2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <[email protected]>

mpz_inp_raw segfaults (SEGV_MAPERR) on large sizes. I suspect that
this is due to an integer overflow in mpz/inp_raw.c:

  abs_xsize = BITS_TO_LIMBS (abs_csize*8);

See discussion
  https://gmplib.org/list-archives/gmp-bugs/2021-September/005077.html

and my comment
  https://gmplib.org/list-archives/gmp-bugs/2021-September/005086.html

I have not checked, but abs_xsize would be smaller than expected,
thus

      xp = MPZ_NEWALLOC (x, abs_xsize);

would allocate less than expected, thus I suppose that

      cp = (char *) (xp + abs_xsize) - abs_csize;

points to a location that is *before* the buffer.

-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'stable-security'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-8-amd64 (SMP w/12 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=POSIX, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libgmp10:i386 depends on:
ii  libc6  2.32-2

libgmp10:i386 recommends no packages.

libgmp10:i386 suggests no packages.

-- no debconf information

-- 
Vincent Lefèvre <[email protected]> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

--- End Message ---
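The arithmetic the report above describes, worked through as an added example. This is illustration code written for this page, not code from GMP or from the Debian package; it models the size computation of mpz_inp_raw on a 32-bit target (size_t and mp_size_t both 32 bits, GMP_NUMB_BITS = 32, the 4-byte big-endian signed length header that mpz_out_raw writes) in explicit uint32_t arithmetic and never calls the real library. The header bytes are constructed. The guard in limbs_checked is my own bound, chosen so that neither the *8 nor the +31 inside BITS_TO_LIMBS can wrap; it shows the kind of check the fix's changelog entry ("Avoid bit size overflows") refers to and is not a copy of the upstream diff, which this page does not carry.

```c
/* Model of the size arithmetic in GMP's mpz_inp_raw on a 32-bit target.
 * Added illustration for this bug report, not code from GMP or Debian.
 * Assumptions: mp_size_t and size_t are 32-bit (i386), GMP_NUMB_BITS is 32
 * (no nails), and the stream header is the 4-byte big-endian signed size
 * that mpz_out_raw writes. Nothing here touches the real library. */
#include <stdint.h>
#include <stdio.h>

#define NUMB_BITS 32u
/* Same shape as GMP's BITS_TO_LIMBS, evaluated in 32-bit unsigned arithmetic. */
#define BITS_TO_LIMBS32(n) (((uint32_t)(n) + (NUMB_BITS - 1)) / NUMB_BITS)

/* Decode the 4-byte header: big-endian, a negative value means a negative number. */
int32_t parse_csize(const unsigned char hdr[4])
{
    uint32_t u = ((uint32_t)hdr[0] << 24) | ((uint32_t)hdr[1] << 16)
               | ((uint32_t)hdr[2] << 8)  |  (uint32_t)hdr[3];
    return (int32_t)u;  /* with a 32-bit mp_size_t the sign bit is already in place */
}

/* |csize| as the unsigned byte count the library then works with. */
uint32_t abs_csize_of(int32_t csize)
{
    return csize < 0 ? (uint32_t)0 - (uint32_t)csize : (uint32_t)csize;
}

/* Limb count as computed before the fix: abs_csize*8 silently wraps at 2^32,
 * so a header claiming more than 2^29 bytes yields a tiny allocation. */
uint32_t limbs_unchecked(uint32_t abs_csize)
{
    return BITS_TO_LIMBS32(abs_csize * 8u);
}

/* Guarded version: returns the limb count, or -1 when abs_csize*8 plus the
 * rounding term would not fit in 32 bits (the caller should then abandon the
 * stream). The bound is this example's own, not the upstream patch. */
int64_t limbs_checked(uint32_t abs_csize)
{
    const uint32_t max_bytes = (UINT32_MAX - (NUMB_BITS - 1)) / 8u;  /* 0x1FFFFFFC */
    if (abs_csize > max_bytes)
        return -1;
    return (int64_t)BITS_TO_LIMBS32(abs_csize * 8u);
}

/* Byte offset of cp relative to the start of the allocation xp, from
 *   cp = (char *)(xp + abs_xsize) - abs_csize;
 * A negative result means the subsequent fread(cp, abs_csize, 1, fp) starts
 * writing before the buffer, which is the heap underflow the report suspects. */
int64_t cp_offset(uint32_t abs_xsize, uint32_t abs_csize)
{
    return (int64_t)abs_xsize * (NUMB_BITS / 8) - (int64_t)abs_csize;
}

int main(void)
{
    /* Constructed header: 0x20000001 bytes = 2^29 + 1, just past the point
     * where abs_csize*8 exceeds 2^32. */
    const unsigned char hdr[4] = {0x20, 0x00, 0x00, 0x01};
    uint32_t abs_csize = abs_csize_of(parse_csize(hdr));
    uint32_t limbs = limbs_unchecked(abs_csize);

    printf("abs_csize=0x%08x unchecked limbs=%u (alloc %u bytes) cp offset=%lld\n",
           abs_csize, limbs, limbs * 4u, (long long)cp_offset(limbs, abs_csize));
    if (limbs_checked(abs_csize) < 0)
        printf("checked: header rejected, bit size would overflow\n");

    /* A benign size for contrast: 100 bytes round up to 25 limbs, offset 0. */
    int64_t ok = limbs_checked(100);
    printf("abs_csize=100 checked limbs=%lld cp offset=%lld\n",
           (long long)ok, (long long)cp_offset((uint32_t)ok, 100));
    return 0;
}
```

With the constructed header the unchecked path allocates a single limb (4 bytes) and places cp more than 512 MiB before it; with the guard the same header is rejected before any allocation. Note that on an amd64 host the same header is harmless, because size_t is 64 bits and the product does not wrap, which matches the "on 32-bit machines" qualifier in the bug title.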
--- Begin Message ---
Source: gmp
Source-Version: 2:6.2.1+dfsg-3
Done: Anton Gladky <[email protected]>

We believe that the bug you reported is fixed in the latest version of
gmp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Anton Gladky <[email protected]> (supplier of updated gmp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 15 Nov 2021 22:28:20 +0100
Source: gmp
Architecture: source
Version: 2:6.2.1+dfsg-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Science Team <[email protected]>
Changed-By: Anton Gladky <[email protected]>
Closes: 994405
Changes:
 gmp (2:6.2.1+dfsg-3) unstable; urgency=medium
 .
   * [2da3c94] Avoid bit size overflows. CVE-2021-43618. (Closes: #994405)
   * [0f172aa] Trim trailing whitespace.
   * [116e367] Update watch file format version to 4.
   * [a1c3867] Use secure URI in Homepage field.
   * [7f358d8] Set debhelper-compat version in Build-Depends.
   * [42336e5] Remove Section on libgmp10,
               Section on libgmpxx4ldbl,
               Priority on libgmp-dev,
               Priority on libgmp10-doc,
               Priority on libgmp3-dev that duplicate source.
Checksums-Sha1:
 98569db59bc6a8627784efabe19a1c00373ddea4 2223 gmp_6.2.1+dfsg-3.dsc
 382bfdef312d12b31b4c42a0c015a498d0ae7dab 18356 gmp_6.2.1+dfsg-3.debian.tar.xz
 bb5e7217a6054c99ec08ed727596c42736a7d417 6188 gmp_6.2.1+dfsg-3_source.buildinfo
Checksums-Sha256:
 b91dae1d6298e5ff75dee503c7f8128e822000e343e0a5b5d5146cc1713334bb 2223 gmp_6.2.1+dfsg-3.dsc
 32d75d4e7a383a5cea701aff4a4bf609933c4d15d1f5e3b6168eed51857bc8f0 18356 gmp_6.2.1+dfsg-3.debian.tar.xz
 8de6d725cbe43945d5b432164052a6c7ee8fe691132af1f833cc5d330ea717f2 6188 gmp_6.2.1+dfsg-3_source.buildinfo
Files:
 18245ac2b08fb3bdff39dfcf01f828c2 2223 libs optional gmp_6.2.1+dfsg-3.dsc
 2bcd8fe2eb8c34a2d5b195409313d96b 18356 libs optional gmp_6.2.1+dfsg-3.debian.tar.xz
 959b271adb952a0a863a0b9dabfb44e9 6188 libs optional gmp_6.2.1+dfsg-3_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
-- 
debian-science-maintainers mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-science-maintainers