Subject: libmpfr6: major formatted output function bugs with %c and the value 0
Date: Sun, 3 Dec 2023 22:13:03 +0100
Package: libmpfr6
Version: 4.2.0-1
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://sympa.inria.fr/sympa/arc/mpfr/2023-12/msg00000.html
X-Debbugs-Cc: Debian Security Team <[email protected]>
I've reported the following bug in the MPFR mailing-list. I think
I've fixed the issues on the MPFR side in master, but MPFR is still
affected by the bug on the GMP side (gmp_vasprintf):
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057344
The vasprintf.c code (for the formatted output functions) does not
handle null characters correctly. These characters can occur by
using %c with the value 0.
This is shown by the check_null tsprintf.c test:
https://gitlab.inria.fr/mpfr/mpfr/-/commit/78e72e6538fabc1b720d97e862ec45354e5c9c3f
The possible consequences are:
- possible memory corruption with custom memory allocators that
do not ignore the size parameter of the "free" function;
- a part of the buffer fails to be overwritten (with possible
security issues if the buffer contains sensitive data that
were expected to be overwritten);
- an assertion failure when GNU MPFR has been configured with
assertion checking (--enable-assert).
Note that some of these issues partly come from a bug in gmp_vasprintf
(such as the incorrect return value), which I've reported here:
https://gmplib.org/list-archives/gmp-bugs/2023-December/005420.html
I think that I have fixed these issues on the MPFR side with
https://gitlab.inria.fr/mpfr/mpfr/-/commit/390e51ef8570da4e338e9806ecaf2d022210d951
but the first two consequences remain due to the gmp_vasprintf bug.
-- System Information:
Debian Release: 12.2
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable-debug'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.1.0-13-amd64 (SMP w/1 CPU thread; PREEMPT)
Kernel taint flags: TAINT_WARN
Locale: LANG=POSIX, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages libmpfr6 depends on:
ii libc6 2.36-9+deb12u3
ii libgmp10 2:6.2.1+dfsg1-1.1
libmpfr6 recommends no packages.
libmpfr6 suggests no packages.
-- no debconf information
--
Vincent Lefèvre <[email protected]> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
Acknowledgement sent to Vincent Lefevre <[email protected]>:
Extra info received and forwarded to list. Copy sent to Debian GCC Maintainers <[email protected]>.
(Fri, 15 Dec 2023 03:57:03 GMT)
Subject: Re: libmpfr6: major formatted output function bugs with %c and the value 0
Date: Fri, 15 Dec 2023 04:53:51 +0100
Control: tags -1 fixed-upstream
On 2023-12-03 22:13:03 +0100, Vincent Lefevre wrote:
> I've reported the following bug in the MPFR mailing-list. I think
> I've fixed the issues on the MPFR side in master, but MPFR is still
> affected by the bug on the GMP side (gmp_vasprintf):
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057344
The gmp_vasprintf function is actually correct (but its documentation
is not; and it is gmp_sprintf that is incorrect, which is not a
problem for MPFR). I've fixed the remaining bugs in MPFR.
--
Vincent Lefèvre <[email protected]> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
Acknowledgement sent to Paul Gevers <[email protected]>:
Extra info received and forwarded to list. Copy sent to Debian GCC Maintainers <[email protected]>.
(Sun, 23 Mar 2025 10:21:01 GMT)
Hi Vincent,
On Fri, 15 Dec 2023 04:53:51 +0100 Vincent Lefevre <[email protected]>
wrote:
> On 2023-12-03 22:13:03 +0100, Vincent Lefevre wrote:
> > I've reported the following bug in the MPFR mailing-list. I think
> > I've fixed the issues on the MPFR side in master, but MPFR is still
> > affected by the bug on the GMP side (gmp_vasprintf):
> >
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057344
>
> The gmp_vasprintf function is actually correct (but its documentation
> is not; and it is gmp_sprintf that is incorrect, which is not a
> problem for MPFR). I've fixed the remaining bugs in MPFR.
In which version is this fixed? 4.2.2?
Paul
Acknowledgement sent to Vincent Lefevre <[email protected]>:
Extra info received and forwarded to list. Copy sent to Debian GCC Maintainers <[email protected]>.
(Sun, 23 Mar 2025 10:39:01 GMT)
Subject: Re: libmpfr6: major formatted output function bugs with %c and the value 0
Date: Sun, 23 Mar 2025 11:37:45 +0100
Hi Paul,
On 2025-03-23 11:17:52 +0100, Paul Gevers wrote:
> Hi Vincent,
>
> On Fri, 15 Dec 2023 04:53:51 +0100 Vincent Lefevre <[email protected]>
> wrote:
> > On 2023-12-03 22:13:03 +0100, Vincent Lefevre wrote:
> > > I've reported the following bug in the MPFR mailing-list. I think
> > > I've fixed the issues on the MPFR side in master, but MPFR is still
> > > affected by the bug on the GMP side (gmp_vasprintf):
> > >
> > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057344
> >
> > The gmp_vasprintf function is actually correct (but its documentation
> > is not; and it is gmp_sprintf that is incorrect, which is not a
> > problem for MPFR). I've fixed the remaining bugs in MPFR.
>
> In which version is this fixed? 4.2.2?
Yes, it is fixed in 4.2.2, but this assumes that GMP does not use
its buggy vsnprintf replacement (i.e. it uses either the system
vsnprintf function or the replacement that was patched one year
ago in the development branch). I suppose that for Debian, the
system vsnprintf function is used on all platforms (this is decided
at GMP build time, after some tests for C conformance in GMP's
configure script).
If the buggy vsnprintf replacement is used, the MPFR testsuite would
fail. I've put the following section in the INSTALL file about such
a failure:
------------------------------------------------------------------------
tfprintf and tsprintf failures in check_null
--------------------------------------------

If you get the failures

$ ./tfprintf
Error in test #40: mpfr_vfprintf printed 1 characters instead of 4

$ ./tsprintf
Error in check_null, i = 0
expected r = 1, s = { 0, 0, 1 }
got r = 0, s = { 0, 1, 1 }

the cause is probably that GMP uses a buggy vsnprintf replacement.
The reason GMP uses its own vsnprintf replacement is that during
configure, it detected that the vsnprintf function from the C library
is buggy. But the replacement from GMP 6.3.0 and below also has its own
bugs. This means that using the formatted output functions with %c and
the value 0 will yield an erratic behavior.

For the above issue, this is fixed in the GMP development branch:

https://gmplib.org/repo/gmp/rev/4ac76064639e

You can have details at
https://gmplib.org/list-archives/gmp-bugs/2023-December/005420.html
https://gitlab.inria.fr/mpfr/mpfr/-/commit/390e51ef85

These tests can be skipped by defining the MPFR_TESTS_SKIP_CHECK_NULL macro,
but you should rather get a fixed vsnprintf replacement.
------------------------------------------------------------------------
--
Vincent Lefèvre <[email protected]> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / Pascaline project (LIP, ENS-Lyon)
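The following C program is an added illustration and is not code from MPFR, GMP or this bug report. It reconstructs the shape of the check_null failure quoted in the INSTALL excerpt above (a 3-byte buffer, "%c" with the value 0, expected r = 1 and s = { 0, 0, 1 } versus the observed r = 0 and s = { 0, 1, 1 }) and ties it back to the first consequence listed in the opening report: a length derived from strlen() instead of the conversion's return value undercounts the output, so a size-aware free function receives a size that differs from what was allocated. The strlen-based path is a constructed stand-in that reproduces the symptom; it is not a transcription of any GMP vsnprintf replacement, and the function names are my own.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not MPFR or GMP code. Two formatting helpers with the
 * same interface show why a "%c" conversion of the value 0 is easy to mishandle. */

/* Conforming path: trust the return value of vsnprintf, which counts every
 * byte of the conversion, including the null character produced by "%c". */
static int format_by_retval(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int r;
    va_start(ap, fmt);
    r = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    return r;
}

/* Hypothetical buggy path (constructed to reproduce the symptom from the
 * thread): format into a scratch buffer, measure the result with strlen(),
 * and copy only that many bytes plus a terminator. strlen() stops at the
 * null character emitted by "%c", so that character is neither counted
 * nor copied. */
static int format_by_strlen(char *buf, size_t size, const char *fmt, ...)
{
    char tmp[64];
    va_list ap;
    size_t n;
    va_start(ap, fmt);
    vsnprintf(tmp, sizeof tmp, fmt, ap);
    va_end(ap);
    n = strlen(tmp);                 /* wrong: ignores bytes after a '\0' */
    if (n + 1 > size)
        n = size - 1;
    memcpy(buf, tmp, n + 1);
    return (int) n;
}

/* Mirror of the check quoted in the INSTALL excerpt: a 3-byte buffer
 * pre-filled with 1, formatted with "%c" and the value 0. A correct
 * implementation returns 1 and leaves { 0, 0, 1 }: the null character,
 * the terminator, and one untouched byte. */
struct null_check { int r; unsigned char s[3]; };

static struct null_check run_null_check(int use_strlen_path)
{
    struct null_check c;
    memset(c.s, 1, sizeof c.s);
    if (use_strlen_path)
        c.r = format_by_strlen((char *) c.s, sizeof c.s, "%c", 0);
    else
        c.r = format_by_retval((char *) c.s, sizeof c.s, "%c", 0);
    return c;
}

/* Small accessors so each observable value can be checked on its own. */
static int null_check_r(int use_strlen_path)
{
    struct null_check c = run_null_check(use_strlen_path);
    return c.r;
}

static int null_check_byte(int use_strlen_path, int i)
{
    struct null_check c = run_null_check(use_strlen_path);
    return c.s[i];
}

/* Why the miscount matters for an allocator whose free hook takes a size
 * (GMP's custom allocation hooks do): if the caller sizes a heap copy from
 * the reported length but the hook is later told the real size, the two
 * disagree. Returns 1 when the reported length matches the real output. */
static int sizes_agree(int reported_len)
{
    /* Conforming count for "%c" with 0, plus the terminator: 2 bytes. */
    size_t real = (size_t) format_by_retval(NULL, 0, "%c", 0) + 1;
    size_t claimed = (size_t) reported_len + 1;
    return real == claimed;
}

int main(void)
{
    struct null_check ok = run_null_check(0), bad = run_null_check(1);
    printf("correct: r = %d, s = { %d, %d, %d }\n", ok.r, ok.s[0], ok.s[1], ok.s[2]);
    printf("buggy:   r = %d, s = { %d, %d, %d }\n", bad.r, bad.s[0], bad.s[1], bad.s[2]);
    printf("size bookkeeping with the buggy count: %s\n",
           sizes_agree(bad.r) ? "agree" : "MISMATCH");
    return 0;
}
```

Run with a C99 or later compiler; the "correct" line reproduces the expected values from the INSTALL excerpt and the "buggy" line reproduces the failing ones. The practical check for a packager is the one Vincent names in the thread: run MPFR's tsprintf and tfprintf after the build and treat a check_null failure as a sign that the underlying vsnprintf (or its replacement) miscounts null characters.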
Acknowledgement sent to Fiona Ebner <[email protected]>:
Extra info received and forwarded to list. Copy sent to Debian GCC Maintainers <[email protected]>.
(Fri, 11 Apr 2025 14:30:01 GMT)
Subject: Re: libmpfr6: major formatted output function bugs with %c and the value 0
Date: Fri, 11 Apr 2025 16:19:28 +0200
Hi,
On Sun, 23 Mar 2025 11:37:45 +0100 Vincent Lefevre <[email protected]>
wrote:
> Hi Paul,
>
> On 2025-03-23 11:17:52 +0100, Paul Gevers wrote:
> > Hi Vincent,
> >
> > On Fri, 15 Dec 2023 04:53:51 +0100 Vincent Lefevre <[email protected]>
> > wrote:
> > > On 2023-12-03 22:13:03 +0100, Vincent Lefevre wrote:
> > > > I've reported the following bug in the MPFR mailing-list. I think
> > > > I've fixed the issues on the MPFR side in master, but MPFR is still
> > > > affected by the bug on the GMP side (gmp_vasprintf):
> > > >
> > > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057344
> > >
> > > The gmp_vasprintf function is actually correct (but its documentation
> > > is not; and it is gmp_sprintf that is incorrect, which is not a
> > > problem for MPFR). I've fixed the remaining bugs in MPFR.
> >
> > In which version is this fixed? 4.2.2?
>
> Yes, it is fixed in 4.2.2, but this assumes that GMP does not use
> its buggy vsnprintf replacement (i.e. it uses either the system
> vsnprintf function or the replacement that was patched one year
> ago in the development branch). I suppose that for Debian, the
> system vsnprintf function is used on all platforms (this is decided
> at GMP build time, after some tests for C conformance in GMP's
> configure script).
>
> If the buggy vsnprintf replacement is used, the MPFR testsuite would
> fail. I've put the following section in the INSTALL file about such
> a failure:
>
> ------------------------------------------------------------------------
> tfprintf and tsprintf failures in check_null
> --------------------------------------------
>
> If you get the failures
>
> $ ./tfprintf
> Error in test #40: mpfr_vfprintf printed 1 characters instead of 4
>
> $ ./tsprintf
> Error in check_null, i = 0
> expected r = 1, s = { 0, 0, 1 }
> got r = 0, s = { 0, 1, 1 }
>
> the cause is probably that GMP uses a buggy vsnprintf replacement.
> The reason GMP uses its own vsnprintf replacement is that during
> configure, it detected that the vsnprintf function from the C library
> is buggy. But the replacement from GMP 6.3.0 and below also has its own
> bugs. This means that using the formatted output functions with %c and
> the value 0 will yield an erratic behavior.
>
> For the above issue, this is fixed in the GMP development branch:
>
> https://gmplib.org/repo/gmp/rev/4ac76064639e
>
> You can have details at
> https://gmplib.org/list-archives/gmp-bugs/2023-December/005420.html
> https://gitlab.inria.fr/mpfr/mpfr/-/commit/390e51ef85
>
I was able to successfully build mpfr4_4.2.2-1.dsc using sbuild. I can
see that "make check" is invoked as part of that and the "tfprintf" and
"tsprintf" test cases pass. So it seems like this bug can be closed.
Best Regards,
Fiona
Reply sent to Vincent Lefevre <[email protected]>:
You have taken responsibility.
(Fri, 11 Apr 2025 14:51:03 GMT)
Notification sent to Vincent Lefevre <[email protected]>:
Bug acknowledged by developer.
(Fri, 11 Apr 2025 14:51:03 GMT)
Subject: Re: Bug#1057355: libmpfr6: major formatted output function bugs with %c and the value 0
Date: Fri, 11 Apr 2025 16:48:54 +0200
Version: 4.2.2-1
On 2025-04-11 16:19:28 +0200, Fiona Ebner wrote:
> I was able to successfully build mpfr4_4.2.2-1.dsc using sbuild. I can
> see that "make check" is invoked as part of that and the "tfprintf" and
> "tsprintf" test cases pass. So it seems like this bug can be closed.
Yes, the MPFR behavior concerning %c and the value 0 should not be
affected by the GMP bug in Debian, where vsnprintf is expected to
be correct on all architectures.
So, closing.
--
Vincent Lefèvre <[email protected]> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / Pascaline project (LIP, ENS-Lyon)