Debian Bug report logs - #994405
libgmp10:i386: buffer overflow due to integer overflow in mpz/inp_raw.c on 32-bit machines (CVE-2021-43618)
Reported by: Vincent Lefevre <vincent@vinc17.net>
Date: Wed, 15 Sep 2021 15:51:01 UTC
Severity: important
Tags: security, upstream
Found in version gmp/2:6.2.1+dfsg-1
Fixed in version gmp/2:6.2.1+dfsg-3
Done: Anton Gladky <gladk@debian.org>
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>: Bug#994405; Package libgmp10. (Wed, 15 Sep 2021 15:51:03 GMT)
Acknowledgement sent to Vincent Lefevre <vincent@vinc17.net>: New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>. (Wed, 15 Sep 2021 15:51:03 GMT)

Message #5 received at submit@bugs.debian.org:
Package: libgmp10
Version: 2:6.2.1+dfsg-2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>
mpz_inp_raw segfaults (SEGV_MAPERR) on large sizes. I suspect that
this is due to an integer overflow in mpz/inp_raw.c:

  abs_xsize = BITS_TO_LIMBS (abs_csize*8);

See discussion
https://gmplib.org/list-archives/gmp-bugs/2021-September/005077.html
and my comment
https://gmplib.org/list-archives/gmp-bugs/2021-September/005086.html

I have not checked, but abs_xsize would be smaller than expected,
thus

  xp = MPZ_NEWALLOC (x, abs_xsize);

would allocate less than expected, thus I suppose that

  cp = (char *) (xp + abs_xsize) - abs_csize;

points to a location that is *before* the buffer.
-- System Information:
Debian Release: bookworm/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'stable-security'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.10.0-8-amd64 (SMP w/12 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=POSIX, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages libgmp10:i386 depends on:
ii libc6 2.32-2
libgmp10:i386 recommends no packages.
libgmp10:i386 suggests no packages.
-- no debconf information
--
Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>: Bug#994405; Package libgmp10. (Thu, 16 Sep 2021 19:27:03 GMT)
Acknowledgement sent to Anton Gladky <gladk@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>. (Thu, 16 Sep 2021 19:27:03 GMT)

Message #10 received at submit@bugs.debian.org:
Control: severity -1 important
Control: notfound -1 2:6.2.1+dfsg-2
Control: found -1 2:6.2.1+dfsg-1
Thanks for the bug report. We will fix it when a CVE (if any) has been
assigned and an upstream patch is available.
However, the integer overflows do not make the package unusable in most
cases, so the severity is reduced.
Regards
Anton
Severity set to 'important' from 'grave'. Request was from Anton Gladky <gladk@debian.org> to submit@bugs.debian.org. (Thu, 16 Sep 2021 19:27:03 GMT)
No longer marked as found in versions gmp/2:6.2.1+dfsg-2. Request was from Anton Gladky <gladk@debian.org> to submit@bugs.debian.org. (Thu, 16 Sep 2021 19:27:03 GMT)
Marked as found in versions gmp/2:6.2.1+dfsg-1. Request was from Anton Gladky <gladk@debian.org> to submit@bugs.debian.org. (Thu, 16 Sep 2021 19:27:04 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>: Bug#994405; Package libgmp10. (Thu, 16 Sep 2021 19:27:05 GMT)
Acknowledgement sent to Anton Gladky <gladk@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>. (Thu, 16 Sep 2021 19:27:05 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>: Bug#994405; Package libgmp10. (Thu, 16 Sep 2021 23:21:05 GMT)
Acknowledgement sent to Vincent Lefevre <vincent@vinc17.net>: Extra info received and forwarded to list. Copy sent to Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>. (Thu, 16 Sep 2021 23:21:05 GMT)

Message #26 received at 994405@bugs.debian.org:
On 2021-09-16 21:23:34 +0200, Anton Gladky wrote:
> Thanks for the bug report. We will fix it when CVE (if any) will be
> assigned and upstream patch will be available.
FYI, an upstream patch is now available here:
https://gmplib.org/list-archives/gmp-bugs/2021-September/005087.html
> Though, the integer overflows are not making the package unusable in
> most cases.
Yes, but they may introduce security issues, in particular here
because the behavior depends on data from a file, which may be
untrusted. That said, here it is probably wise to check that the
size is not too large in order to prevent the address space from
being exhausted.
--
Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
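As an added illustration, not code from GMP or from anyone in this thread, the following C program models the size arithmetic that the original report (Message #5) points at and the size check suggested in the reply above. It forces sizes to uint32_t so the 32-bit wraparound is visible on any host, decodes the 4-byte big-endian count that starts an mpz_inp_raw stream, shows how BITS_TO_LIMBS(abs_csize*8) under-allocates and where the payload pointer then lands, and contrasts that with a checked variant that refuses unrepresentable counts and enforces a caller-chosen cap. The function names, the cap value and the rejection rule are assumptions of this example, not upstream's patch.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Model of the size arithmetic in mpz/inp_raw.c on a 32-bit build.
 * Added illustration, not GMP's code: sizes are forced to uint32_t so the
 * wraparound shows up on any host, and limbs are 32 bits wide as on i386.
 */
typedef uint32_t msize_t;          /* stands in for size_t / mp_size_t on i386 */
#define LIMB_BITS  32u
#define LIMB_BYTES 4u

/* Same shape as GMP's BITS_TO_LIMBS(n): ceil(n / LIMB_BITS). */
static msize_t bits_to_limbs(msize_t bits)
{
    return (bits + LIMB_BITS - 1) / LIMB_BITS;
}

/* Decode the 4-byte big-endian count that precedes the magnitude bytes in the
 * mpz_out_raw/mpz_inp_raw stream; a negative count encodes a negative number. */
void parse_raw_count(const unsigned char hdr[4], int *negative, msize_t *abs_csize)
{
    uint32_t u = ((uint32_t)hdr[0] << 24) | ((uint32_t)hdr[1] << 16)
               | ((uint32_t)hdr[2] << 8)  |  (uint32_t)hdr[3];
    *negative  = (u & 0x80000000u) != 0;
    *abs_csize = *negative ? (uint32_t)0 - u : u;   /* |csize| without signed-overflow UB */
}

/* The computation the report points at: abs_xsize = BITS_TO_LIMBS(abs_csize*8).
 * abs_csize*8 is evaluated in 32 bits and silently wraps for large counts. */
msize_t vulnerable_limb_count(msize_t abs_csize)
{
    return bits_to_limbs(abs_csize * 8u);
}

/* Signed distance, in bytes, from the start of the allocation to
 * cp = (char *)(xp + abs_xsize) - abs_csize. Negative means cp lies before the buffer. */
int64_t payload_offset(msize_t abs_csize)
{
    msize_t abs_xsize = vulnerable_limb_count(abs_csize);
    return (int64_t)abs_xsize * LIMB_BYTES - (int64_t)abs_csize;
}

/* Hardened variant (assumed design, not upstream's fix): refuse a count whose bit
 * length cannot be represented, and any count above a caller-chosen cap so an
 * untrusted stream cannot demand most of the address space. Returns 0 on success. */
int checked_limb_count(msize_t abs_csize, msize_t max_bytes, msize_t *limbs_out)
{
    /* largest count for which abs_csize*8 + (LIMB_BITS-1) still fits in 32 bits */
    const msize_t max_representable = (UINT32_MAX - (LIMB_BITS - 1)) / 8u;
    if (abs_csize > max_bytes || abs_csize > max_representable)
        return -1;
    *limbs_out = bits_to_limbs(abs_csize * 8u);
    return 0;
}

int main(void)
{
    /* Constructed input: the first four bytes of the reporter's "printf 12345". */
    const unsigned char hdr[4] = { '1', '2', '3', '4' };
    int negative;
    msize_t abs_csize, limbs;

    parse_raw_count(hdr, &negative, &abs_csize);
    printf("count = %u bytes (%s)\n", (unsigned)abs_csize, negative ? "negative" : "positive");
    printf("vulnerable limb count = %u (%u bytes allocated)\n",
           (unsigned)vulnerable_limb_count(abs_csize),
           (unsigned)(vulnerable_limb_count(abs_csize) * LIMB_BYTES));
    printf("payload start lands %lld bytes from buffer start\n",
           (long long)payload_offset(abs_csize));
    printf("hardened (cap 1 MiB): %s\n",
           checked_limb_count(abs_csize, 1u << 20, &limbs) == 0 ? "accepted" : "rejected");
    return 0;
}
```

With the "1234" header the count is 825373492 bytes; the wrapped product yields 72125645 limbs (288502580 bytes), so the payload pointer is placed 536870912 bytes before the allocation, which is the out-of-bounds write the report describes. The checked variant rejects that count both because it exceeds the cap and because its bit length is not representable in 32 bits.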
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>: Bug#994405; Package libgmp10. (Fri, 17 Sep 2021 05:06:02 GMT)
Acknowledgement sent to Anton Gladky <gladk@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>. (Fri, 17 Sep 2021 05:06:02 GMT)

Message #31 received at 994405@bugs.debian.org:
Thanks, Vincent, for the information. I would still wait for a CVE,
so we can apply a patch and track the vulnerability for other
Debian versions (stable/oldstable/o-o-stable etc.).
Regards
Anton
On Fri, 17 Sep 2021 at 01:17, Vincent Lefevre <vincent@vinc17.net> wrote:
> On 2021-09-16 21:23:34 +0200, Anton Gladky wrote:
> > Thanks for the bug report. We will fix it when CVE (if any) will be
> > assigned and upstream patch will be available.
>
> FYI, an upstream patch is now available here:
>
> https://gmplib.org/list-archives/gmp-bugs/2021-September/005087.html
>
> > Though, the integer overflows are not making the package unusable in
> > most cases.
>
> Yes, but they may introduce security issues, in particular here
> because the behavior depends on data from a file, which may be
> untrusted. That said, here it is probably wise to check that the
> size is not too large in order to prevent the address space from
> being exhausted.
>
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>: Bug#994405; Package libgmp10. (Thu, 21 Oct 2021 17:30:02 GMT)
Acknowledgement sent to Marco Bodrato <bodrato@mail.dm.unipi.it>: Extra info received and forwarded to list. Copy sent to Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>. (Thu, 21 Oct 2021 17:30:02 GMT)

Message #36 received at 994405@bugs.debian.org:
Hi!
There is a patch from upstream related to this issue.
https://gmplib.org/repo/gmp-6.2/rev/561a9c25298e
Bye,
m
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>: Bug#994405; Package libgmp10. (Sat, 13 Nov 2021 20:12:03 GMT)
Acknowledgement sent to Adrian Bunk <bunk@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>. (Sat, 13 Nov 2021 20:12:03 GMT)

Message #41 received at 994405@bugs.debian.org:
On Fri, Sep 17, 2021 at 07:02:48AM +0200, Anton Gladky wrote:
> Thanks, Vincent, for the information. I would still wait for CVE,
> so we can apply a patch and track vulnerability for other
> Debian versions (stable/oldstable/o-o-stable etc.).
Hi Anton,
did you manage to get a CVE assigned for this issue, or has there been
any problem with that?
> Regards
>
> Anton
Thanks
Adrian
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>: Bug#994405; Package libgmp10. (Sun, 14 Nov 2021 13:18:02 GMT)
Acknowledgement sent to Anton Gladky <gladk@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>. (Sun, 14 Nov 2021 13:18:02 GMT)

Message #46 received at 994405@bugs.debian.org:
Hi Adrian,
well, I was thinking that upstream should request a CVE. Nevertheless,
I could not reproduce the issue with modern GCC versions,
even on 32-bit systems.
Regards
Anton
On Sat, 13 Nov 2021 at 21:09, Adrian Bunk <bunk@debian.org> wrote:
>
> On Fri, Sep 17, 2021 at 07:02:48AM +0200, Anton Gladky wrote:
> > Thanks, Vincent, for the information. I would still wait for CVE,
> > so we can apply a patch and track vulnerability for other
> > Debian versions (stable/oldstable/o-o-stable etc.).
>
> Hi Anton,
>
> did you manage to get a CVE assigned for this issue, or has there been
> any problem with that?
>
> > Regards
> >
> > Anton
>
> Thanks
> Adrian
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>: Bug#994405; Package libgmp10. (Sun, 14 Nov 2021 14:45:02 GMT)
Acknowledgement sent to Vincent Lefevre <vincent@vinc17.net>: Extra info received and forwarded to list. Copy sent to Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>. (Sun, 14 Nov 2021 14:45:03 GMT)

Message #51 received at 994405@bugs.debian.org:
On 2021-11-14 14:15:25 +0100, Anton Gladky wrote:
> well, I was thinking that upstream should request a CVE. Nevertheless
> I could not reproduce the issue with the modern GCC-versions.
> Even on 32bit-systems.
I can still reproduce the segmentation fault under Debian/unstable.
Simplified testcase:

  #include <stdio.h>
  #include <gmp.h>

  int main (void)
  {
    mpz_t s;
    mpz_init (s);
    mpz_inp_raw (s, stdin);   /* both the size count and the data come from stdin */
    return 0;
  }

Compile with gcc -m32 and execute:

  printf 12345 | ./testcase
Note that even if you don't get a segmentation fault, there may be
other erratic behaviors, such as silent memory corruption (which may
be even worse).
--
Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>: Bug#994405; Package libgmp10. (Sun, 14 Nov 2021 17:48:02 GMT)
Acknowledgement sent to Anton Gladky <gladk@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>. (Sun, 14 Nov 2021 17:48:02 GMT)

Message #56 received at 994405@bugs.debian.org:
Thanks, Vincent,
now I am able to reproduce the issue!
I will request CVE.
Regards
Anton
On Sun, 14 Nov 2021 at 15:44, Vincent Lefevre <vincent@vinc17.net> wrote:
>
> On 2021-11-14 14:15:25 +0100, Anton Gladky wrote:
> > well, I was thinking that upstream should request a CVE. Nevertheless
> > I could not reproduce the issue with the modern GCC-versions.
> > Even on 32bit-systems.
>
> I can still reproduce the segmentation fault under Debian/unstable.
> Simplified testcase:
>
>   #include <stdio.h>
>   #include <gmp.h>
>
>   int main (void)
>   {
>     mpz_t s;
>     mpz_init (s);
>     mpz_inp_raw (s, stdin);
>     return 0;
>   }
>
> Compile with gcc -m32 and execute:
>
> printf 12345 | ./testcase
>
> Note that even if you don't get a segmentation fault, there may be
> other erratic behaviors, such as silent memory corruption (which may
> be even worse).
>
> --
> Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
> 100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
> Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
>
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>: Bug#994405; Package libgmp10. (Mon, 15 Nov 2021 05:30:02 GMT)
Acknowledgement sent to Anton Gladky <gladk@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>. (Mon, 15 Nov 2021 05:30:02 GMT)

Message #61 received at 994405@bugs.debian.org:
CVE-2021-43618 is assigned to this issue.
On Sat, 13 Nov 2021 at 21:09, Adrian Bunk <bunk@debian.org> wrote:
> On Fri, Sep 17, 2021 at 07:02:48AM +0200, Anton Gladky wrote:
> > Thanks, Vincent, for the information. I would still wait for CVE,
> > so we can apply a patch and track vulnerability for other
> > Debian versions (stable/oldstable/o-o-stable etc.).
>
> Hi Anton,
>
> did you manage to get a CVE assigned for this issue, or has there been
> any problem with that?
>
> > Regards
> >
> > Anton
>
> Thanks
> Adrian
>
Changed Bug title to 'libgmp10:i386: buffer overflow due to integer overflow in mpz/inp_raw.c on 32-bit machines (CVE-2021-43618)' from 'libgmp10:i386: buffer overflow due to integer overflow in mpz/inp_raw.c on 32-bit machines'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 15 Nov 2021 07:39:02 GMT)
Reply sent to Anton Gladky <gladk@debian.org>: You have taken responsibility. (Mon, 15 Nov 2021 22:06:03 GMT)
Notification sent to Vincent Lefevre <vincent@vinc17.net>: Bug acknowledged by developer. (Mon, 15 Nov 2021 22:06:03 GMT)

Message #68 received at 994405-close@bugs.debian.org:
Source: gmp
Source-Version: 2:6.2.1+dfsg-3
Done: Anton Gladky <gladk@debian.org>
We believe that the bug you reported is fixed in the latest version of
gmp, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 994405@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Anton Gladky <gladk@debian.org> (supplier of updated gmp package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 15 Nov 2021 22:28:20 +0100
Source: gmp
Architecture: source
Version: 2:6.2.1+dfsg-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>
Changed-By: Anton Gladky <gladk@debian.org>
Closes: 994405
Changes:
gmp (2:6.2.1+dfsg-3) unstable; urgency=medium
.
  * [2da3c94] Avoid bit size overflows. CVE-2021-43618. (Closes: #994405)
  * [0f172aa] Trim trailing whitespace.
  * [116e367] Update watch file format version to 4.
  * [a1c3867] Use secure URI in Homepage field.
  * [7f358d8] Set debhelper-compat version in Build-Depends.
  * [42336e5] Remove Section on libgmp10, Section on libgmpxx4ldbl,
    Priority on libgmp-dev, Priority on libgmp10-doc, Priority on
    libgmp3-dev that duplicate source.
Checksums-Sha1:
98569db59bc6a8627784efabe19a1c00373ddea4 2223 gmp_6.2.1+dfsg-3.dsc
382bfdef312d12b31b4c42a0c015a498d0ae7dab 18356 gmp_6.2.1+dfsg-3.debian.tar.xz
bb5e7217a6054c99ec08ed727596c42736a7d417 6188 gmp_6.2.1+dfsg-3_source.buildinfo
Checksums-Sha256:
b91dae1d6298e5ff75dee503c7f8128e822000e343e0a5b5d5146cc1713334bb 2223 gmp_6.2.1+dfsg-3.dsc
32d75d4e7a383a5cea701aff4a4bf609933c4d15d1f5e3b6168eed51857bc8f0 18356 gmp_6.2.1+dfsg-3.debian.tar.xz
8de6d725cbe43945d5b432164052a6c7ee8fe691132af1f833cc5d330ea717f2 6188 gmp_6.2.1+dfsg-3_source.buildinfo
Files:
18245ac2b08fb3bdff39dfcf01f828c2 2223 libs optional gmp_6.2.1+dfsg-3.dsc
2bcd8fe2eb8c34a2d5b195409313d96b 18356 libs optional gmp_6.2.1+dfsg-3.debian.tar.xz
959b271adb952a0a863a0b9dabfb44e9 6188 libs optional gmp_6.2.1+dfsg-3_source.buildinfo
-----BEGIN PGP SIGNATURE-----
[signature data not preserved in this copy]
-----END PGP SIGNATURE-----
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Nov 17 08:26:17 2021; Machine Name: buxtehude