
Bug#1057355: libmpfr6: major formatted output function bugs with %c and the value 0



Package: libmpfr6
Version: 4.2.0-1
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://sympa.inria.fr/sympa/arc/mpfr/2023-12/msg00000.html
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>

I've reported the following bug in the MPFR mailing-list. I think
I've fixed the issues on the MPFR side in master, but MPFR is still
affected by the bug on the GMP side (gmp_vasprintf):

  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057344

The vasprintf.c code (for the formatted output functions) does not
handle null characters correctly. These characters can occur by
using %c with the value 0.

This is shown by the check_null tsprintf.c test:

  https://gitlab.inria.fr/mpfr/mpfr/-/commit/78e72e6538fabc1b720d97e862ec45354e5c9c3f

The possible consequences are:
  - possible memory corruption with custom memory allocators that
    do not ignore the size parameter of the "free" function;
  - a part of the buffer fails to be overwritten (with possible
    security issues if the buffer contains sensitive data that
    were expected to be overwritten);
  - an assertion failure when GNU MPFR has been configured with
    assertion checking (--enable-assert).

Note that some of these issues partly come from a bug in gmp_vasprintf
(such as the incorrect return value), which I've reported here:

  https://gmplib.org/list-archives/gmp-bugs/2023-December/005420.html

I think that I have fixed these issues on the MPFR side with

  https://gitlab.inria.fr/mpfr/mpfr/-/commit/390e51ef8570da4e338e9806ecaf2d022210d951

but the first two consequences remain due to the gmp_vasprintf bug.

-- System Information:
Debian Release: 12.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable-debug'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-13-amd64 (SMP w/1 CPU thread; PREEMPT)
Kernel taint flags: TAINT_WARN
Locale: LANG=POSIX, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libmpfr6 depends on:
ii  libc6     2.36-9+deb12u3
ii  libgmp10  2:6.2.1+dfsg1-1.1

libmpfr6 recommends no packages.

libmpfr6 suggests no packages.

-- no debconf information

-- 
Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
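The following is an added example, not code from MPFR, GMP or the reporter, that models in miniature the two consequences the report lists for a formatted-output routine that mishandles the NUL produced by %c with the value 0. The formatter (fmt_alloc, a stand-in for a vasprintf-style helper) and the size-checking allocator (sized_alloc/sized_free, which mimic the convention of custom memory functions whose free receives a size) are hypothetical names written for this illustration; the "ab%ccd" input is constructed. The buggy consumer derives the output length with strlen, so with c == 0 it scrubs only the first two bytes and passes a wrong size to free; the fixed consumer uses the formatter's return value and the recorded allocation size.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a size-aware allocator: as with custom memory
 * functions that take a size argument in free, the caller states how
 * big it believes the block is.  Instead of trusting that value we
 * record the real size and count mismatches (a real allocator could
 * corrupt its bookkeeping at this point). */
static size_t g_free_size_mismatches;

static void *sized_alloc(size_t n) {
    size_t *p = malloc(sizeof *p + n);
    if (p == NULL) abort();
    *p = n;                         /* remember the real size */
    return p + 1;
}

static void sized_free(void *ptr, size_t claimed) {
    size_t *p = (size_t *)ptr - 1;
    if (*p != claimed)
        g_free_size_mismatches++;   /* caller lied about the size */
    free(p);
}

/* Hypothetical vasprintf-like helper: formats into a fresh buffer and
 * returns the byte count (excluding the terminating NUL).  With %c and
 * the value 0 the output legitimately contains an embedded NUL, so this
 * return value, not strlen(), is the only correct length. */
static int fmt_alloc(char **out, size_t *cap, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    if (n < 0) { *out = NULL; *cap = 0; return n; }
    *cap = (size_t)n + 1;
    *out = sized_alloc(*cap);
    va_start(ap, fmt);
    vsnprintf(*out, *cap, fmt, ap);
    va_end(ap);
    return n;
}

struct outcome {
    int written;        /* bytes the formatter reported */
    size_t unwiped;     /* non-zero bytes still present after the scrub */
    size_t bad_frees;   /* frees that passed a wrong size */
};

static size_t count_nonzero(const char *s, size_t n) {
    size_t k = 0;
    for (size_t i = 0; i < n; i++) k += (s[i] != 0);
    return k;
}

/* Buggy consumer: strlen() stops at the NUL emitted by %c, so both the
 * scrub and the size handed to free are computed from a short length. */
static struct outcome buggy_consumer(int c) {
    struct outcome o = {0, 0, 0};
    char *buf; size_t cap;
    o.written = fmt_alloc(&buf, &cap, "ab%ccd", c);
    size_t len = strlen(buf);                 /* BUG: 2 instead of 5 when c == 0 */
    memset(buf, 0, len);                      /* "scrub" sensitive output */
    o.unwiped = count_nonzero(buf, (size_t)o.written);
    size_t before = g_free_size_mismatches;
    sized_free(buf, len + 1);                 /* wrong size when c == 0 */
    o.bad_frees = g_free_size_mismatches - before;
    return o;
}

/* Fixed consumer: uses the formatter's return value for the scrub and
 * the recorded capacity for free, never strlen() of the result. */
static struct outcome fixed_consumer(int c) {
    struct outcome o = {0, 0, 0};
    char *buf; size_t cap;
    o.written = fmt_alloc(&buf, &cap, "ab%ccd", c);
    memset(buf, 0, (size_t)o.written);
    o.unwiped = count_nonzero(buf, (size_t)o.written);
    size_t before = g_free_size_mismatches;
    sized_free(buf, cap);
    o.bad_frees = g_free_size_mismatches - before;
    return o;
}

int main(void) {
    struct outcome b = buggy_consumer(0), f = fixed_consumer(0);
    printf("buggy: written=%d unwiped=%zu bad_frees=%zu\n",
           b.written, b.unwiped, b.bad_frees);
    printf("fixed: written=%d unwiped=%zu bad_frees=%zu\n",
           f.written, f.unwiped, f.bad_frees);
    return 0;
}
```

With c == 0 the buggy path leaves the trailing "cd" in memory and frees with size 3 instead of 6; with any non-zero character both paths agree, which is why this class of bug survives ordinary testing and needs a dedicated check such as the check_null test mentioned above.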

