Bugzilla – Bug 911812
VUL-0: CVE-2014-9474: mpfr: buffer overflow in mpfr_strtofr
Last modified: 2016-06-07 11:43:09 UTC
CVE-2014-9474

A buffer overflow was reported [1] in mpfr. This is due to incorrect GMP documentation for mpn_set_str about the size of a buffer (discussion is at [1]; first fix in the GMP documentation is at [2]).

This bug is present in the MPFR versions from 2.1.0 (adding mpfr_strtofr) to this one, and can be detected by running "make check" in a 32-bit ABI under GNU/Linux with alloca disabled (this is currently possible by using the --with-gmp-build configure option where alloca has been disabled in the GMP build).

It is fixed by the strtofr patch [3]. Corresponding changeset in the 3.1 branch: 9110 [4].

References:
[1]: https://gmplib.org/list-archives/gmp-bugs/2013-December/003267.html
[2]: https://gmplib.org/repo/gmp-5.1/raw-rev/d19172622a74
[3]: http://www.mpfr.org/mpfr-3.1.2/patch11
[4]: https://gforge.inria.fr/scm/viewvc.php?view=rev&root=mpfr&revision=9110

https://bugzilla.redhat.com/show_bug.cgi?id=1171701
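The description attributes the overflow to a buffer-size bound for mpn_set_str taken from incorrect GMP documentation, but it does not reproduce the bound itself. The C program below is an added illustration of that failure mode and is not code from MPFR, GMP or this bug's patch: a toy base-10 set_str with the same contract as the GMP primitive (the caller sizes the output array, the function returns how many limbs it wrote), one limb estimate that truncates and one that rounds up, and a check that runs the conversion into an oversized scratch area and reports whether a given estimate would have been overflowed. All function names, the 3.322 bits-per-digit constant and the strings of nines used as worst-case input are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LIMB_BITS 32
#define SCRATCH_LIMBS 64          /* enough for the constructed inputs below */
typedef uint32_t limb_t;

/* Toy stand-in for mpn_set_str, base 10 only: parses str[0..strsize) into
 * little-endian limbs at rp and returns how many limbs it wrote. As with the
 * real GMP primitive, the CALLER must size rp; nothing here checks bounds. */
static size_t toy_set_str(limb_t *rp, const char *str, size_t strsize)
{
    size_t n = 0;                                  /* limbs in use so far */
    for (size_t i = 0; i < strsize; i++) {
        uint64_t carry = (uint64_t)(str[i] - '0'); /* assumes valid digits */
        for (size_t j = 0; j < n; j++) {
            uint64_t t = (uint64_t)rp[j] * 10u + carry;
            rp[j] = (limb_t)t;
            carry = t >> LIMB_BITS;
        }
        if (carry != 0)
            rp[n++] = (limb_t)carry;
    }
    return n;
}

/* Upper bound on the bits of any strsize-digit decimal number:
 * ceil(strsize * 3.322), with 3.322 > log2(10) so the bound never rounds low.
 * (Constant chosen for this example.) */
static size_t max_bits_for_digits(size_t strsize)
{
    return (strsize * 33220u + 9999u) / 10000u;
}

/* Under-allocating estimate: truncates the limb count (bits / LIMB_BITS).
 * It is right while the bit bound is a multiple of LIMB_BITS or the extra
 * bits happen to be unused, and one limb short otherwise. */
static size_t limbs_truncated(size_t strsize)
{
    return max_bits_for_digits(strsize) / LIMB_BITS;
}

/* Safe estimate: round the limb count up as well. */
static size_t limbs_safe(size_t strsize)
{
    return (max_bits_for_digits(strsize) + LIMB_BITS - 1) / LIMB_BITS;
}

/* Runs the conversion into a scratch area sized for the safe bound and
 * reports whether the limbs actually written fit in the given estimate.
 * Returns 1 if they fit, 0 if the estimate would have been overflowed,
 * -1 if the input exceeds this demo's scratch buffer. */
static int estimate_holds(size_t (*estimate)(size_t), const char *str)
{
    limb_t scratch[SCRATCH_LIMBS];
    size_t strsize = strlen(str);
    if (limbs_safe(strsize) > SCRATCH_LIMBS)
        return -1;
    size_t written = toy_set_str(scratch, str, strsize);
    return written <= estimate(strsize);
}

/* Worst case for a given length: a string of ndigits nines (constructed input). */
static int holds_for_nines(size_t (*estimate)(size_t), size_t ndigits)
{
    char digits[256];
    if (ndigits >= sizeof digits)
        return -1;
    memset(digits, '9', ndigits);
    digits[ndigits] = '\0';
    return estimate_holds(estimate, digits);
}

int main(void)
{
    static const size_t lengths[] = { 19, 20, 100 };
    for (size_t i = 0; i < sizeof lengths / sizeof lengths[0]; i++) {
        size_t n = lengths[i];
        printf("%3zu digits: truncated estimate %2zu limbs -> %s, safe estimate %2zu limbs -> %s\n",
               n, limbs_truncated(n),
               holds_for_nines(limbs_truncated, n) == 1 ? "ok" : "OVERFLOW",
               limbs_safe(n),
               holds_for_nines(limbs_safe, n) == 1 ? "ok" : "OVERFLOW");
    }
    return 0;
}
```

With 19 nines the bit bound is 64, an exact multiple of the limb width, and both estimates agree with the two limbs written; with 20 nines the bound is 67 bits, the converter writes three limbs, and the truncated estimate is one limb short. That is the shape of a bound bug that only shows up past certain input lengths, which is why a test suite may pass on one build and overflow on another. Checking the routine's return value against the allocation, as estimate_holds does, turns the overflow into a detected error whether the buffer lives on the stack (alloca) or the heap.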
bugbot adjusting priority
I'm fixing this for Factory now, I suppose the fact that we do not have alloca disabled and thus this will overwrite stack space instead of heap makes this more interesting to exploit. Still the issue should be very low priority as you can only exploit programs that actually use mpfr and the mentioned function on user input. It shouldn't have gotten a CVE entry (even all other known bugs in 3.1.2 could possibly be security relevant as wrong answers from any API in any library could lead to wrong guesses about buffer sizes). Well. Just fixing the CVE issue.
Submitted to Factory, updates for SLE12, SLE11 and SLE10 SP2 in preparation. Please start the update workflow (I see a comment from Swamp Workflow Management but cannot find a reference to the SWAMP ID).
This is an autogenerated message for OBS integration: This bug (911812) was mentioned in https://build.opensuse.org/request/show/280281 Factory / mpfr
An update workflow for this issue was started. This issue was rated as low. Please submit fixed packages until 2015-02-10. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/60212
Messages from smash regarding products SLE-10-SP3-TERADATA, SLE-11-SP3 and SLE-11-SP1-TERADATA are confusing (see SRs above, all those products should inherit updates from lower service packs). Thus, finished, re-assigning.
SUSE-SU-2015:0208-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 911812
CVE References: CVE-2014-9474
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src): mpfr-3.1.2-7.1
SUSE Linux Enterprise Server 12 (src): mpfr-3.1.2-7.1
SUSE Linux Enterprise Desktop 12 (src): mpfr-3.1.2-7.1
SUSE-SU-2015:0219-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 911812
CVE References: CVE-2014-9474
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src): mpfr-2.3.2-3.118.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src): mpfr-2.3.2-3.118.1
SUSE Linux Enterprise Server 11 SP3 (src): mpfr-2.3.2-3.118.1
SUSE Linux Enterprise Desktop 11 SP3 (src): mpfr-2.3.2-3.118.1
released