Bug#772008: CVE request: mpfr: buffer overflow in mpfr_strtofr
On Tue, 30 Dec 2014, Moritz Muehlenhoff wrote:
On Mon, Dec 08, 2014 at 01:45:12PM +0100, Vasyl Kaigorodov wrote:
Hello,
A buffer overflow was reported [1] in mpfr.
This is due to incorrect GMP documentation for mpn_set_str about the
size of a buffer (discussion is at [1]; first fix in the GMP
documentation is at [2]). This bug is present in the MPFR versions
from 2.1.0 (adding mpfr_strtofr) to this one, and can be detected by
running "make check" in a 32-bit ABI under GNU/Linux with alloca
disabled (this is currently possible by using the --with-gmp-build
configure option where alloca has been disabled in the GMP build). It
is fixed by the strtofr patch [3].
Corresponding changeset in the 3.1 branch: 9110 [4].
[1]: https://gmplib.org/list-archives/gmp-bugs/2013-December/003267.html
[2]: https://gmplib.org/repo/gmp-5.1/raw-rev/d19172622a74
[3]: http://www.mpfr.org/mpfr-3.1.2/patch11
[4]: https://gforge.inria.fr/scm/viewvc.php?view=rev&root=mpfr&revision=9110
References:
- https://bugzilla.redhat.com/show_bug.cgi?id=1171701
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772008
Can a CVE be assigned to this please?
Use CVE-2014-9474.
---
CVE assignment team, MITRE CVE Numbering Authority M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
Reply to: