Re: over 2000 packages depend on abort()ing libgmp

[Matthew Fernandez <matthew.fernandez () gmail com>]

On 9/14/22 04:44, Georgi Guninski wrote:
> ping world
>
> libgmp is library about big numbers.
>
> it is not a library for very big numbers, because
> if libgmp meets a very big number, it calls abort()
> and coredumps.
>
> 2442 packages depend on libgmp on ubuntu20.
>
> guest3@ubuntu20:~/prim$ apt-cache rdepends libgmp10 | wc -l
> 2442
>
> gawk crash:
>
> guest3@ubuntu20:~/prim$ gawk --bignum 'BEGIN { a = 2 ^ 2 ^41; print "a =", a }'
> gmp: overflow in mpz type
> Aborted (core dumped)
>
> guest3@ubuntu20:~/prim$ gawk 'BEGIN { a = 2 ^ 2 ^41; print "a =", a }'
> a = +inf

What is the security boundary being violated here? As a maintainer of 
some of the packages implicated here, I’m unsure what my actionable 
tasks are. The threat model(s) for my packages does not consider crashes 
to be a security violation. On the other side, things like crypto code 
frequently use their own non-GMP implementation of bignum arith for this 
(and other) reason.

Not trying to brush this off. But I’m just trying to gain an 
understanding of what the expected remediation is here.
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/