lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 15 Sep 2022 20:44:24 -0700
From: Matthew Fernandez <>
To: Georgi Guninski <>,
Subject: Re: [FD] over 2000 packages depend on abort()ing libgmp

On 9/14/22 04:44, Georgi Guninski wrote:
> ping world
> libgmp is library about big numbers.
> it is not a library for very big numbers, because
> if libgmp meets a very big number, it calls abort()
> and coredumps.
> 2442 packages depend on libgmp on ubuntu20.
> guest3@...ntu20:~/prim$ apt-cache rdepends libgmp10 | wc -l
> 2442
> gawk crash:
> guest3@...ntu20:~/prim$ gawk --bignum 'BEGIN { a = 2 ^ 2 ^41; print "a =", a }'
> gmp: overflow in mpz type
> Aborted (core dumped)
> guest3@...ntu20:~/prim$ gawk 'BEGIN { a = 2 ^ 2 ^41; print "a =", a }'
> a = +inf

What is the security boundary being violated here? As a maintainer of 
some of the packages implicated here, I’m unsure what my actionable 
tasks are. The threat model(s) for my packages does not consider crashes 
to be a security violation. On the other side, things like crypto code 
frequently use their own non-GMP implementation of bignum arith for this 
(and other) reason.

Not trying to brush this off. But I’m just trying to gain an 
understanding of what the expected remediation is here.
Sent through the Full Disclosure mailing list
Web Archives & RSS:

Powered by blists - more mailing lists