Processed: Re: Bug#994405: libgmp10:i386: buffer overflow due to integer overflow in mpz/inp_raw.c on 32-bit machines

2021-09-16 Thread Debian Bug Tracking System
Processing control commands:

> severity -1 important
Bug #994405 [libgmp10] libgmp10:i386: buffer overflow due to integer overflow in mpz/inp_raw.c on 32-bit machines
Severity set to 'important' from 'grave'
> notfound -1 2:6.2.1+dfsg-2
Bug #994405 [libgmp10] libgmp10:i386: buffer overflow due to integer overflow in mpz/inp_raw.c on 32-bit machines
No longer marked as found in versions gmp/2:6.2.1+dfsg-2.
> found -1 2:6.2.1+dfsg-1
Bug #994405 [libgmp10] libgmp10:i386: buffer overflow due to integer overflow in mpz/inp_raw.c on 32-bit machines
Marked as found in versions gmp/2:6.2.1+dfsg-1.

-- 
994405: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=994405
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#994405: libgmp10:i386: buffer overflow due to integer overflow in mpz/inp_raw.c on 32-bit machines

2021-09-16 Thread Anton Gladky
Control: severity -1 important
Control: notfound -1 2:6.2.1+dfsg-2
Control: found -1 2:6.2.1+dfsg-1

Thanks for the bug report. We will fix it when a CVE (if any) has been
assigned and an upstream patch is available.

However, the integer overflows do not make the package unusable in most
cases. Thus the severity is reduced.

Regards

Anton


Bug#994405: libgmp10:i386: buffer overflow due to integer overflow in mpz/inp_raw.c on 32-bit machines

2021-09-15 Thread Vincent Lefevre
Package: libgmp10
Version: 2:6.2.1+dfsg-2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: Debian Security Team 

mpz_inp_raw segfaults (SEGV_MAPERR) on large sizes. I suspect that
this is due to an integer overflow in mpz/inp_raw.c:

  abs_xsize = BITS_TO_LIMBS (abs_csize*8);

See discussion
  https://gmplib.org/list-archives/gmp-bugs/2021-September/005077.html

and my comment
  https://gmplib.org/list-archives/gmp-bugs/2021-September/005086.html

I have not checked, but abs_xsize would be smaller than expected,
thus

  xp = MPZ_NEWALLOC (x, abs_xsize);

would allocate less than expected, thus I suppose that

  cp = (char *) (xp + abs_xsize) - abs_csize;

points to a location that is *before* the buffer.

-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'stable-security'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-8-amd64 (SMP w/12 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=POSIX, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libgmp10:i386 depends on:
ii  libc6  2.32-2

libgmp10:i386 recommends no packages.

libgmp10:i386 suggests no packages.

-- no debconf information

-- 
Vincent Lefèvre  - Web: 
100% accessible validated (X)HTML - Blog: 
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
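The size arithmetic quoted in the report, as an added C example that is neither GMP's code nor part of the thread. It emulates the 32-bit target the report is about (a 32-bit size_t and 32-bit limbs, both assumptions here) with uint32_t so the wrap-around reproduces on a 64-bit host; the shape of BITS_TO_LIMBS, the 4-byte big-endian raw header, and the function names raw_abs_csize, limbs_unchecked, limbs_checked and data_offset_bytes are all assumptions made for the example. The unchecked path shows the limb count collapsing and the data pointer landing before the allocation, which is the reporter's explanation for the SEGV_MAPERR; the checked path shows one way a reader of raw input can refuse such sizes before allocating.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Demonstration assumptions (constructed, not GMP's code): a 32-bit
 * target as in the report, so size_t and a limb are both 32 bits.  All
 * arithmetic is done in uint32_t so it wraps identically on a 64-bit host. */
#define LIMB_BITS  32u
#define LIMB_BYTES (LIMB_BITS / 8u)

/* Assumed shape of GMP's BITS_TO_LIMBS: round a bit count up to limbs.
 * Note the "+ LIMB_BITS - 1" is itself a second wrap point near 2^32. */
static uint32_t bits_to_limbs32(uint32_t nbits)
{
    return (nbits + LIMB_BITS - 1u) / LIMB_BITS;
}

/* Assumed raw header layout (as written by mpz_out_raw): a 4-byte
 * big-endian two's-complement byte count, negative for negative numbers.
 * Returns |csize| without signed overflow on INT32_MIN. */
uint32_t raw_abs_csize(const unsigned char hdr[4])
{
    uint32_t u = ((uint32_t)hdr[0] << 24) | ((uint32_t)hdr[1] << 16) |
                 ((uint32_t)hdr[2] << 8)  |  (uint32_t)hdr[3];
    return (int32_t)u < 0 ? 0u - u : u;
}

/* Unchecked limb count, the expression quoted in the report:
 * abs_csize*8 wraps modulo 2^32 once abs_csize >= 2^29, so the
 * resulting limb count is far too small. */
uint32_t limbs_unchecked(uint32_t abs_csize)
{
    return bits_to_limbs32(abs_csize * 8u);
}

/* Checked limb count: derive limbs from bytes without ever forming
 * abs_csize*8, and report failure instead of wrapping. */
bool limbs_checked(uint32_t abs_csize, uint32_t *out_limbs)
{
    /* Reject byte counts whose bit count would not fit in 32 bits. */
    if (abs_csize > UINT32_MAX / 8u)
        return false;
    *out_limbs = abs_csize / LIMB_BYTES + (abs_csize % LIMB_BYTES != 0u);
    return true;
}

/* Byte offset from the start of the limb buffer xp to
 * (char *)(xp + abs_xsize) - abs_csize, the pointer the report describes.
 * A negative result means the copy target lies before the allocation. */
int64_t data_offset_bytes(uint32_t abs_xsize, uint32_t abs_csize)
{
    return (int64_t)abs_xsize * (int64_t)LIMB_BYTES - (int64_t)abs_csize;
}

int main(void)
{
    /* Constructed header: positive byte count 0x20000000 (512 MiB). */
    const unsigned char big[4] = { 0x20, 0x00, 0x00, 0x00 };
    uint32_t n = raw_abs_csize(big);
    uint32_t bad = limbs_unchecked(n), good = 0u;
    bool ok = limbs_checked(n, &good);

    printf("abs_csize=%" PRIu32 " unchecked_limbs=%" PRIu32
           " data_offset=%" PRId64 " bytes, checked: %s\n",
           n, bad, data_offset_bytes(bad, n), ok ? "accepted" : "rejected");
    return 0;
}
```

Running it on the constructed 512 MiB header gives an unchecked limb count of 0 and a data offset of -536870912 bytes, i.e. the copy would start half a gigabyte before a zero-limb buffer, while the checked variant refuses the header outright. Because the +31 inside the rounding is a second wrap point, the unchecked count is already 0 for 2^29 - 1 bytes, a size the checked variant still accepts and sizes correctly at 134217728 limbs.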