
Debian Bug report logs - #772008
libmpfr4: CVE-2014-9474: buffer overflow in mpfr_strtofr


Package: libmpfr4; Maintainer for libmpfr4 is (unknown);

Reported by: Vincent Lefevre <vincent@vinc17.net>

Date: Thu, 4 Dec 2014 10:45:02 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in version mpfr4/3.1.2-1

Fixed in version mpfr4/3.1.2-2

Done: Matthias Klose <doko@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Laurent Fousse <lfousse@debian.org>:
Bug#772008; Package libmpfr4. (Thu, 04 Dec 2014 10:45:06 GMT)


Acknowledgement sent to Vincent Lefevre <vincent@vinc17.net>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Laurent Fousse <lfousse@debian.org>. (Thu, 04 Dec 2014 10:45:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Vincent Lefevre <vincent@vinc17.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libmpfr4: buffer overflow in mpfr_strtofr
Date: Thu, 4 Dec 2014 11:40:49 +0100
Package: libmpfr4
Version: 3.1.2-1+b1
Severity: grave
Tags: security
Justification: user security hole

A buffer overflow may occur in mpfr_strtofr. This bug was actually
discovered a year ago, and was a consequence of incorrect GMP
documentation. For details, see the discussion:

  https://gmplib.org/list-archives/gmp-bugs/2013-December/003267.html

A short description of the bug and a patch (which just increases the
buffer size according to the new GMP documentation) is available at:

  http://www.mpfr.org/mpfr-3.1.2/#bugs

The effects of this bug may be those of a buffer overflow. I don't
know whether it can be exploitable to execute random code (I'd say
that this is unlikely, but I'm not sure). I just know that a crash
is possible (memory corruption detected by the glibc?) with the
32-bit ABI when alloca is disabled (alloca is not disabled by
default, but note that alloca is not used in large precisions).

-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages libmpfr4:amd64 depends on:
ii  libc6              2.19-13
ii  libgmp10           2:6.0.0+dfsg-6
ii  multiarch-support  2.19-13

libmpfr4:amd64 recommends no packages.

libmpfr4:amd64 suggests no packages.

-- no debconf information



Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 04 Dec 2014 11:24:13 GMT)


Added tag(s) fixed-upstream. Request was from Vincent Lefevre <vincent@vinc17.net> to control@bugs.debian.org. (Thu, 04 Dec 2014 11:48:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Laurent Fousse <lfousse@debian.org>:
Bug#772008; Package libmpfr4. (Mon, 08 Dec 2014 12:48:04 GMT)


Acknowledgement sent to Vasyl Kaigorodov <vkaigoro@redhat.com>:
Extra info received and forwarded to list. Copy sent to Laurent Fousse <lfousse@debian.org>. (Mon, 08 Dec 2014 12:48:04 GMT)


Message #14 received at 772008@bugs.debian.org:

From: Vasyl Kaigorodov <vkaigoro@redhat.com>
To: oss-security@lists.openwall.com
Cc: 772008@bugs.debian.org
Subject: CVE request: mpfr: buffer overflow in mpfr_strtofr
Date: Mon, 8 Dec 2014 13:45:12 +0100
Hello,

A buffer overflow was reported [1] in mpfr.
This is due to incorrect GMP documentation for mpn_set_str about the
size of a buffer (discussion is at [1]; first fix in the GMP
documentation is at [2]). This bug is present in the MPFR versions
from 2.1.0 (adding mpfr_strtofr) to this one, and can be detected by
running "make check" in a 32-bit ABI under GNU/Linux with alloca
disabled (this is currently possible by using the --with-gmp-build
configure option where alloca has been disabled in the GMP build). It
is fixed by the strtofr patch [3].
Corresponding changeset in the 3.1 branch: 9110 [4].

[1]: https://gmplib.org/list-archives/gmp-bugs/2013-December/003267.html
[2]: https://gmplib.org/repo/gmp-5.1/raw-rev/d19172622a74
[3]: http://www.mpfr.org/mpfr-3.1.2/patch11
[4]: https://gforge.inria.fr/scm/viewvc.php?view=rev&root=mpfr&revision=9110

References:
- https://bugzilla.redhat.com/show_bug.cgi?id=1171701
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772008

Can a CVE be assigned to this please?

Thanks.
-- 
Vasyl Kaigorodov | Red Hat Product Security
PGP:  0xABB6E828 A7E0 87FF 5AB5 48EB 47D0 2868 217B F9FC ABB6 E828

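The hazard described in the initial report and in the CVE request above, as an added example that is not code from MPFR, GMP or this bug log: a 32-bit-limb decimal-to-limb conversion whose carry store touches one limb beyond the final result size, so that a temporary buffer sized from the mathematical result bound (the "documented" size) is overrun by one limb, beside a hardened form that takes a capacity and refuses rather than writes. Every function name, the canary value and the 11-digit input 42949672960 are constructed for this illustration; the routine models the bug pattern only and is not how mpn_set_str or mpfr_strtofr are implemented.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t limb_t;      /* 32-bit limbs, the ABI the report says exposes the bug */
#define LIMB_BITS 32u

/* Limbs needed to hold the VALUE of an n-digit decimal string.
 * 10^n < 2^(3.322 n) and 3322/1000 > log2(10), so this rounds up safely
 * without floating point.  This is the "result size" a naive caller
 * would use to size the output buffer. */
size_t result_limb_bound(size_t ndigits)
{
    uint64_t bits  = ((uint64_t)ndigits * 3322 + 999) / 1000;
    size_t   limbs = (size_t)((bits + LIMB_BITS - 1) / LIMB_BITS);
    return limbs ? limbs : 1;
}

/* Space the conversion routines below actually need: one extra limb for
 * the carry store (the analogue of the buffer-size increase in the patch). */
size_t space_limb_bound(size_t ndigits)
{
    return result_limb_bound(ndigits) + 1;
}

/* Model of the hazard (hypothetical, not GMP code): a multiply-and-add
 * conversion that stores the carry into rp[n] *before* deciding whether the
 * result grew, so it touches one limb beyond the final result size.  Assumes
 * ASCII digits only.  No capacity parameter, hence no way to refuse. */
size_t set_str_unchecked(limb_t *rp, const char *str)
{
    size_t n = 0;
    for (; *str; str++) {
        uint64_t carry = (uint64_t)(*str - '0');
        for (size_t i = 0; i < n; i++) {
            uint64_t t = (uint64_t)rp[i] * 10 + carry;
            rp[i] = (limb_t)t;
            carry = t >> LIMB_BITS;
        }
        rp[n] = (limb_t)carry;        /* written even when carry == 0 */
        if (carry) n++;
    }
    return n;
}

/* Hardened form: the caller passes the capacity, digits are validated and
 * the carry store is bounds-checked.  Returns the limb count, or (size_t)-1
 * on bad input or insufficient space; never writes past cap limbs.  On
 * failure the buffer contents are unspecified. */
size_t set_str_checked(limb_t *rp, size_t cap, const char *str)
{
    size_t n = 0;
    for (; *str; str++) {
        if (*str < '0' || *str > '9') return (size_t)-1;
        uint64_t carry = (uint64_t)(*str - '0');
        for (size_t i = 0; i < n; i++) {
            uint64_t t = (uint64_t)rp[i] * 10 + carry;
            rp[i] = (limb_t)t;
            carry = t >> LIMB_BITS;
        }
        if (n >= cap) return (size_t)-1;   /* the carry store would overrun */
        rp[n] = (limb_t)carry;
        if (carry) n++;
    }
    return n;
}

/* Observe the off-by-one without undefined behaviour: allocate one limb more
 * than the result bound, plant a canary in that extra limb, and run the
 * unchecked conversion as if the buffer were only `bound` limbs.  Returns 1
 * if the extra limb was overwritten, 0 if not, -1 if the scratch is too small. */
int documented_bound_is_overrun(const char *str)
{
    enum { SCRATCH = 64 };
    limb_t buf[SCRATCH];
    size_t bound = result_limb_bound(strlen(str));
    if (bound + 1 > SCRATCH) return -1;
    memset(buf, 0, sizeof buf);
    buf[bound] = 0xDEADBEEFu;             /* canary in the limb past the bound */
    (void)set_str_unchecked(buf, str);
    return buf[bound] != 0xDEADBEEFu;
}

int main(void)
{
    /* Constructed input: 10 * 2^32, eleven digits; the value fits in two
     * 32-bit limbs but the unchecked conversion touches a third. */
    const char *s = "42949672960";
    limb_t out[4];
    printf("result bound %zu limbs, space needed %zu limbs\n",
           result_limb_bound(strlen(s)), space_limb_bound(strlen(s)));
    printf("unchecked conversion overruns a bound-sized buffer: %d\n",
           documented_bound_is_overrun(s));
    size_t r = set_str_checked(out, 2, s);
    printf("checked conversion into 2 limbs: %s\n",
           r == (size_t)-1 ? "refused" : "ok");
    r = set_str_checked(out, 3, s);
    printf("checked conversion into 3 limbs: %zu limbs, low 0x%08x, high 0x%08x\n",
           r, (unsigned)out[0], (unsigned)out[1]);
    return 0;
}
```

Compiled stand-alone, main() reports the bound, the overrun and the checked results. The canary observation is the user-space analogue of what the report describes: when the temporary comes from alloca the extra limb lands in the caller's stack frame and nothing in the test suite notices, whereas a heap-allocated temporary lets glibc's malloc consistency checks catch the corruption, which is consistent with make check only failing on the 32-bit ABI with alloca disabled. space_limb_bound is the counterpart of the upstream patch, which just enlarges the temporary buffer.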
Information forwarded to debian-bugs-dist@lists.debian.org, Laurent Fousse <lfousse@debian.org>:
Bug#772008; Package libmpfr4. (Tue, 09 Dec 2014 16:09:04 GMT)


Acknowledgement sent to Vincent Lefevre <vincent@vinc17.net>:
Extra info received and forwarded to list. Copy sent to Laurent Fousse <lfousse@debian.org>. (Tue, 09 Dec 2014 16:09:04 GMT)


Message #19 received at 772008@bugs.debian.org:

From: Vincent Lefevre <vincent@vinc17.net>
To: Vasyl Kaigorodov <vkaigoro@redhat.com>, 772008@bugs.debian.org
Cc: oss-security@lists.openwall.com
Subject: Re: Bug#772008: CVE request: mpfr: buffer overflow in mpfr_strtofr
Date: Tue, 9 Dec 2014 17:07:55 +0100
Hi,

On 2014-12-08 13:45:12 +0100, Vasyl Kaigorodov wrote:
> Hello,
> 
> A buffer overflow was reported [1] in mpfr.
> This is due to incorrect GMP documentation for mpn_set_str about the
> size of a buffer (discussion is at [1]; first fix in the GMP
> documentation is at [2]). This bug is present in the MPFR versions
> from 2.1.0 (adding mpfr_strtofr) to this one, and can be detected by
> running "make check" in a 32-bit ABI under GNU/Linux with alloca
> disabled (this is currently possible by using the --with-gmp-build
> configure option where alloca has been disabled in the GMP build). It
> is fixed by the strtofr patch [3].
> Corresponding changeset in the 3.1 branch: 9110 [4].
> 
> [1]: https://gmplib.org/list-archives/gmp-bugs/2013-December/003267.html
> [2]: https://gmplib.org/repo/gmp-5.1/raw-rev/d19172622a74
> [3]: http://www.mpfr.org/mpfr-3.1.2/patch11
> [4]: https://gforge.inria.fr/scm/viewvc.php?view=rev&root=mpfr&revision=9110

The corresponding changeset is 9243, with URL:

  https://gforge.inria.fr/scm/viewvc.php?view=rev&root=mpfr&revision=9243

Regards,

-- 
Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)



Reply sent to Matthias Klose <doko@debian.org>:
You have taken responsibility. (Thu, 11 Dec 2014 12:21:05 GMT)


Notification sent to Vincent Lefevre <vincent@vinc17.net>:
Bug acknowledged by developer. (Thu, 11 Dec 2014 12:21:05 GMT)


Message #24 received at 772008-close@bugs.debian.org:

From: Matthias Klose <doko@debian.org>
To: 772008-close@bugs.debian.org
Subject: Bug#772008: fixed in mpfr4 3.1.2-2
Date: Thu, 11 Dec 2014 12:19:38 +0000
Source: mpfr4
Source-Version: 3.1.2-2

We believe that the bug you reported is fixed in the latest version of
mpfr4, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 772008@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Matthias Klose <doko@debian.org> (supplier of updated mpfr4 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Thu, 11 Dec 2014 12:32:33 +0100
Source: mpfr4
Binary: libmpfr4 libmpfr4-dbg libmpfr-dev libmpfr-doc
Architecture: source all amd64
Version: 3.1.2-2
Distribution: unstable
Urgency: medium
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Matthias Klose <doko@debian.org>
Description:
 libmpfr-dev - multiple precision floating-point computation developers tools
 libmpfr-doc - multiple precision floating-point computation documentation
 libmpfr4   - multiple precision floating-point computation
 libmpfr4-dbg - multiple precision floating-point computation (debug symbols)
Closes: 772008
Changes:
 mpfr4 (3.1.2-2) unstable; urgency=medium
 .
   * QA upload, properly orphan the package. See #771884.
   * Bump standards version to 3.9.6, fix lintian warnings.
   * Build using dpkg-buildflags.
   * Fix buffer overflow in mpfr_strtofr. Closes: #772008.
Checksums-Sha1:
 71dc1a9bd11b749cdee9ac9011dc3e4606a4dd8b 2116 mpfr4_3.1.2-2.dsc
 adf8f20893d5e64fc0fed442791f37b861de46ea 12804 mpfr4_3.1.2-2.debian.tar.xz
 37deb0380c542a0377825ed894733795c249aa03 916744 libmpfr-doc_3.1.2-2_all.deb
 3e942834201bcd61182095c8697a3bb1c864acfa 527336 libmpfr4_3.1.2-2_amd64.deb
 aa514888fefaa66cf1ed2fdaaaea4183417420c6 678050 libmpfr4-dbg_3.1.2-2_amd64.deb
 c2a244845905a06b771b34940c4e3a1990067f60 559204 libmpfr-dev_3.1.2-2_amd64.deb
Checksums-Sha256:
 fcbf025b0daf6dc95715ac226d4e4a8f86cda4b796115ad5b9d8271da6de9c7b 2116 mpfr4_3.1.2-2.dsc
 49efd1d2032c8576868b64419e3403869dd5a62e1974b341f836852f7f2fd097 12804 mpfr4_3.1.2-2.debian.tar.xz
 90d41c47192df55b3c9ee49f792214926412c88cf7f64f0660323beeca2b4e06 916744 libmpfr-doc_3.1.2-2_all.deb
 1b6ef16024e7850c4f2d47dbe06cba1143ac36d5584db515f63d5fbd873e3eb2 527336 libmpfr4_3.1.2-2_amd64.deb
 1430d9e4ff37a018587a2dc8a058682a8cd8baee8e2f55115df8f2bc70871ef8 678050 libmpfr4-dbg_3.1.2-2_amd64.deb
 76bf8471b28ed1e5f5fdbfb190c81c560fadc0227df4b823c10b8a81ea000ff2 559204 libmpfr-dev_3.1.2-2_amd64.deb
Files:
 8f2e5c932f8d1ae697471abe40a0624d 2116 math optional mpfr4_3.1.2-2.dsc
 d9855b0be103b4f662a301b1f0630353 12804 math optional mpfr4_3.1.2-2.debian.tar.xz
 ca0e9eb3649c38daffa9d94b8cea426b 916744 doc optional libmpfr-doc_3.1.2-2_all.deb
 c3cec2c064105c9c123013e416939a7a 527336 libs optional libmpfr4_3.1.2-2_amd64.deb
 e41f68a5d2cd208d13ac5c7fd792d4d7 678050 debug extra libmpfr4-dbg_3.1.2-2_amd64.deb
 9e56ce0cc40d7e9e9e03a2974a83543b 559204 libdevel optional libmpfr-dev_3.1.2-2_amd64.deb





Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#772008; Package libmpfr4. (Tue, 30 Dec 2014 00:27:10 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>. (Tue, 30 Dec 2014 00:27:10 GMT)


Message #29 received at 772008@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Vasyl Kaigorodov <vkaigoro@redhat.com>, cve-assign@mitre.org
Cc: oss-security@lists.openwall.com, 772008@bugs.debian.org
Subject: Re: CVE request: mpfr: buffer overflow in mpfr_strtofr
Date: Tue, 30 Dec 2014 01:23:40 +0100
On Mon, Dec 08, 2014 at 01:45:12PM +0100, Vasyl Kaigorodov wrote:
> Hello,
> 
> A buffer overflow was reported [1] in mpfr.
> This is due to incorrect GMP documentation for mpn_set_str about the
> size of a buffer (discussion is at [1]; first fix in the GMP
> documentation is at [2]). This bug is present in the MPFR versions
> from 2.1.0 (adding mpfr_strtofr) to this one, and can be detected by
> running "make check" in a 32-bit ABI under GNU/Linux with alloca
> disabled (this is currently possible by using the --with-gmp-build
> configure option where alloca has been disabled in the GMP build). It
> is fixed by the strtofr patch [3].
> Corresponding changeset in the 3.1 branch: 9110 [4].
> 
> [1]: https://gmplib.org/list-archives/gmp-bugs/2013-December/003267.html
> [2]: https://gmplib.org/repo/gmp-5.1/raw-rev/d19172622a74
> [3]: http://www.mpfr.org/mpfr-3.1.2/patch11
> [4]: https://gforge.inria.fr/scm/viewvc.php?view=rev&root=mpfr&revision=9110
> 
> References:
> - https://bugzilla.redhat.com/show_bug.cgi?id=1171701
> - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772008
> 
> Can a CVE be assigned to this please?

This seems to have fallen through the cracks, adding cve-assign@mitre.org
to CC.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#772008; Package libmpfr4. (Sat, 03 Jan 2015 22:39:18 GMT)


Acknowledgement sent to cve-assign@mitre.org:
Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>. (Sat, 03 Jan 2015 22:39:18 GMT)


Message #34 received at 772008@bugs.debian.org:

From: cve-assign@mitre.org
To: Moritz Muehlenhoff <jmm@debian.org>
Cc: Vasyl Kaigorodov <vkaigoro@redhat.com>, cve-assign@mitre.org, oss-security@lists.openwall.com, 772008@bugs.debian.org
Subject: Re: CVE request: mpfr: buffer overflow in mpfr_strtofr
Date: Sat, 3 Jan 2015 17:30:44 -0500 (EST)
On Tue, 30 Dec 2014, Moritz Muehlenhoff wrote:

> On Mon, Dec 08, 2014 at 01:45:12PM +0100, Vasyl Kaigorodov wrote:
>> Hello,
>>
>> A buffer overflow was reported [1] in mpfr.
>> This is due to incorrect GMP documentation for mpn_set_str about the
>> size of a buffer (discussion is at [1]; first fix in the GMP
>> documentation is at [2]). This bug is present in the MPFR versions
>> from 2.1.0 (adding mpfr_strtofr) to this one, and can be detected by
>> running "make check" in a 32-bit ABI under GNU/Linux with alloca
>> disabled (this is currently possible by using the --with-gmp-build
>> configure option where alloca has been disabled in the GMP build). It
>> is fixed by the strtofr patch [3].
>> Corresponding changeset in the 3.1 branch: 9110 [4].
>>
>> [1]: https://gmplib.org/list-archives/gmp-bugs/2013-December/003267.html
>> [2]: https://gmplib.org/repo/gmp-5.1/raw-rev/d19172622a74
>> [3]: http://www.mpfr.org/mpfr-3.1.2/patch11
>> [4]: https://gforge.inria.fr/scm/viewvc.php?view=rev&root=mpfr&revision=9110
>>
>> References:
>> - https://bugzilla.redhat.com/show_bug.cgi?id=1171701
>> - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772008
>>
>> Can a CVE be assigned to this please?

Use CVE-2014-9474.

---

CVE assignment team, MITRE CVE Numbering Authority M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]



Changed Bug title to 'libmpfr4: CVE-2014-9474: buffer overflow in mpfr_strtofr' from 'libmpfr4: buffer overflow in mpfr_strtofr'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 04 Jan 2015 04:27:05 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 01 Feb 2015 07:26:10 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Jul 28 13:34:42 2025; Machine Name: buxtehude
