Bug#1057355: libmpfr6: major formatted output function bugs with %c and the value 0

2023-12-14 Thread Vincent Lefevre 
Control: tags -1 fixed-upstream

On 2023-12-03 22:13:03 +0100, Vincent Lefevre wrote:
> I've reported the following bug in the MPFR mailing-list. I think
> I've fixed the issues on the MPFR side in master, but MPFR is still
> affected by the bug on the GMP side (gmp_vasprintf):
> 
>   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057344

The gmp_vasprintf function is actually correct (but its documentation
is not; and it is gmp_sprintf that is incorrect, which is not a
problem for MPFR). I've fixed the remaining bugs in MPFR.

-- 
Vincent Lefèvre  - Web: 
100% accessible validated (X)HTML - Blog: 
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

Bug#1057355: libmpfr6: major formatted output function bugs with %c and the value 0

2023-12-03 Thread Vincent Lefevre 
Package: libmpfr6
Version: 4.2.0-1
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://sympa.inria.fr/sympa/arc/mpfr/2023-12/msg0.html
X-Debbugs-Cc: Debian Security Team 

I've reported the following bug in the MPFR mailing-list. I think
I've fixed the issues on the MPFR side in master, but MPFR is still
affected by the bug on the GMP side (gmp_vasprintf):

  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057344

The vasprintf.c code (for the formatted output functions) does not
handle null characters correctly. These characters can occur by
using %c with the value 0.

This is shown by the check_null tsprintf.c test:

  
https://gitlab.inria.fr/mpfr/mpfr/-/commit/78e72e6538fabc1b720d97e862ec45354e5c9c3f

The possible consequences are:
  - possible memory corruption with custom memory allocators that
do not ignore the size parameter of the "free" function;
  - a part of the buffer fails to be overwritten (with possible
security issues if the buffer contains sensitive data that
were expected to be overwritten);
  - an assertion failure when GNU MPFR has been configured with
assertion checking (--enable-assert).

Note that some of these issues partly come from a bug in gmp_vasprintf
(such as the incorrect return value), which I've reported here:

  https://gmplib.org/list-archives/gmp-bugs/2023-December/005420.html

I think that I have fixed these issues on the MPFR side with

  
https://gitlab.inria.fr/mpfr/mpfr/-/commit/390e51ef8570da4e338e9806ecaf2d022210d951

but the first two consequences remain due to the gmp_vasprintf bug.

-- System Information:
Debian Release: 12.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 
'stable-debug'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-13-amd64 (SMP w/1 CPU thread; PREEMPT)
Kernel taint flags: TAINT_WARN
Locale: LANG=POSIX, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libmpfr6 depends on:
ii  libc6 2.36-9+deb12u3
ii  libgmp10  2:6.2.1+dfsg1-1.1

libmpfr6 recommends no packages.

libmpfr6 suggests no packages.

-- no debconf information

-- 
Vincent Lefèvre  - Web: 
100% accessible validated (X)HTML - Blog: 
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)