Bug 911812 - (CVE-2014-9474) VUL-0: CVE-2014-9474: mpfr: buffer overflow in mpfr_strtofr
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Minor
Target Milestone: ---
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/112052/
Whiteboard: maint:released:sle10-sp3:60355 maint...
Depends on:
Blocks:
Reported: 2015-01-06 10:53 UTC by Victor Pereira
Modified: 2016-06-07 11:43 UTC
CC List: 4 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Victor Pereira 2015-01-06 10:53:46 UTC
CVE-2014-9474

A buffer overflow was reported [1] in mpfr.
This is due to incorrect GMP documentation for mpn_set_str about the size of a buffer (discussion is at [1]; first fix in the GMP documentation is at [2]). This bug is present in the MPFR versions from 2.1.0 (adding mpfr_strtofr) to this one, and can be detected by running "make check" in a 32-bit ABI under GNU/Linux with alloca disabled (this is currently possible by using the --with-gmp-build configure option where alloca has been disabled in the GMP build). It is fixed by the strtofr patch [3].
Corresponding changeset in the 3.1 branch: 9110 [4].


References:
[1]: https://gmplib.org/list-archives/gmp-bugs/2013-December/003267.html
[2]: https://gmplib.org/repo/gmp-5.1/raw-rev/d19172622a74
[3]: http://www.mpfr.org/mpfr-3.1.2/patch11
[4]: https://gforge.inria.fr/scm/viewvc.php?view=rev&root=mpfr&revision=9110
https://bugzilla.redhat.com/show_bug.cgi?id=1171701
Comment 1 Swamp Workflow Management 2015-01-06 23:00:33 UTC
bugbot adjusting priority
Comment 2 Richard Biener 2015-01-08 10:12:15 UTC
I'm fixing this for Factory now. I suppose the fact that we do not have alloca
disabled and thus this will overwrite stack space instead of heap makes this
more interesting to exploit.  Still, the issue should be very low priority
as you can only exploit programs that actually use mpfr and the mentioned
function on user input.  It shouldn't have gotten a CVE entry (even all
other known bugs in 3.1.2 could possibly be security relevant as wrong
answers from any API in any library could lead to wrong guesses about
buffer sizes).

Well.  Just fixing the CVE issue.
Comment 3 Richard Biener 2015-01-08 10:38:39 UTC
Submitted to Factory, updates for SLE12, SLE11 and SLE10 SP2 in preparation.
Please start the update workflow (I see a comment from Swamp Workflow Management
but cannot find a reference to the SWAMP ID).
Comment 4 Bernhard Wiedemann 2015-01-08 11:00:14 UTC
This is an autogenerated message for OBS integration:
This bug (911812) was mentioned in
https://build.opensuse.org/request/show/280281 Factory / mpfr
Comment 7 Swamp Workflow Management 2015-01-13 15:21:26 UTC
An update workflow for this issue was started.
This issue was rated as low.
Please submit fixed packages until 2015-02-10.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/60212
Comment 8 Richard Biener 2015-01-14 09:37:47 UTC
Messages from smash regarding products SLE-10-SP3-TERADATA,
SLE-11-SP3 and SLE-11-SP1-TERADATA are confusing (see SRs above, all those
products should inherit updates from lower service packs).

Thus, finished, re-assigning.
Comment 10 Swamp Workflow Management 2015-02-04 10:05:03 UTC
SUSE-SU-2015:0208-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 911812
CVE References: CVE-2014-9474
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    mpfr-3.1.2-7.1
SUSE Linux Enterprise Server 12 (src):    mpfr-3.1.2-7.1
SUSE Linux Enterprise Desktop 12 (src):    mpfr-3.1.2-7.1
Comment 11 Swamp Workflow Management 2015-02-05 00:08:00 UTC
SUSE-SU-2015:0219-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 911812
CVE References: CVE-2014-9474
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    mpfr-2.3.2-3.118.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    mpfr-2.3.2-3.118.1
SUSE Linux Enterprise Server 11 SP3 (src):    mpfr-2.3.2-3.118.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    mpfr-2.3.2-3.118.1
Comment 12 Victor Pereira 2015-02-16 09:47:48 UTC
released