| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <c458e492-0096-9d3b-5949-67e527e04a62@gmail.com>
Date: Thu, 15 Sep 2022 20:44:24 -0700
From: Matthew Fernandez <matthew.fernandez@...il.com>
To: Georgi Guninski <gguninski@...il.com>, fulldisclosure@...lists.org
Subject: Re: [FD] over 2000 packages depend on abort()ing libgmp
On 9/14/22 04:44, Georgi Guninski wrote:
> ping world
>
> libgmp is library about big numbers.
>
> it is not a library for very big numbers, because
> if libgmp meets a very big number, it calls abort()
> and coredumps.
>
> 2442 packages depend on libgmp on ubuntu20.
>
> guest3@...ntu20:~/prim$ apt-cache rdepends libgmp10 | wc -l
> 2442
>
> gawk crash:
>
> guest3@...ntu20:~/prim$ gawk --bignum 'BEGIN { a = 2 ^ 2 ^41; print "a =", a }'
> gmp: overflow in mpz type
> Aborted (core dumped)
>
> guest3@...ntu20:~/prim$ gawk 'BEGIN { a = 2 ^ 2 ^41; print "a =", a }'
> a = +inf
What is the security boundary being violated here? As a maintainer of
some of the packages implicated here, I’m unsure what my actionable
tasks are. The threat model(s) for my packages does not consider crashes
to be a security violation. On the other side, things like crypto code
frequently use their own non-GMP implementation of bignum arith for this
(and other) reason.
Not trying to brush this off. But I’m just trying to gain an
understanding of what the expected remediation is here.
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
Powered by blists - more mailing lists