oss-sec mailing list archives

Re: Bug#772008: CVE request: mpfr: buffer overflow in mpfr_strtofr


From: Vincent Lefevre <vincent () vinc17 net>
Date: Tue, 9 Dec 2014 17:07:55 +0100

Hi,

On 2014-12-08 13:45:12 +0100, Vasyl Kaigorodov wrote:
> Hello,
>
> A buffer overflow was reported [1] in mpfr.
> This is due to incorrect GMP documentation for mpn_set_str about the
> size of a buffer (discussion is at [1]; first fix in the GMP
> documentation is at [2]). This bug is present in the MPFR versions
> from 2.1.0 (adding mpfr_strtofr) to this one, and can be detected by
> running "make check" in a 32-bit ABI under GNU/Linux with alloca
> disabled (this is currently possible by using the --with-gmp-build
> configure option where alloca has been disabled in the GMP build). It
> is fixed by the strtofr patch [3].
> Corresponding changeset in the 3.1 branch: 9110 [4].
>
> [1]: https://gmplib.org/list-archives/gmp-bugs/2013-December/003267.html
> [2]: https://gmplib.org/repo/gmp-5.1/raw-rev/d19172622a74
> [3]: http://www.mpfr.org/mpfr-3.1.2/patch11
> [4]: https://gforge.inria.fr/scm/viewvc.php?view=rev&root=mpfr&revision=9110

The corresponding changeset is 9243, with URL:

  https://gforge.inria.fr/scm/viewvc.php?view=rev&root=mpfr&revision=9243

Regards,

-- 
Vincent Lefèvre <vincent () vinc17 net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

