
List:       full-disclosure
Subject:    Re: [FD] over 2000 packages depend on abort()ing libgmp
From:       Matthew Fernandez <matthew.fernandez () gmail ! com>
Date:       2022-09-16 3:44:24
Message-ID: c458e492-0096-9d3b-5949-67e527e04a62 () gmail ! com


On 9/14/22 04:44, Georgi Guninski wrote:
> ping world
> 
> libgmp is a library about big numbers.
> 
> it is not a library for very big numbers, because
> if libgmp meets a very big number, it calls abort()
> and coredumps.
> 
> 2442 packages depend on libgmp on ubuntu20.
> 
> guest3@ubuntu20:~/prim$ apt-cache rdepends libgmp10 | wc -l
> 2442
> 
> gawk crash:
> 
> guest3@ubuntu20:~/prim$ gawk --bignum 'BEGIN { a = 2 ^ 2 ^41; print "a =", a }'
> gmp: overflow in mpz type
> Aborted (core dumped)
> 
> guest3@ubuntu20:~/prim$ gawk 'BEGIN { a = 2 ^ 2 ^41; print "a =", a }'
> a = +inf

What is the security boundary being violated here? As a maintainer of 
some of the packages implicated here, I'm unsure what my actionable 
tasks are. The threat model(s) for my packages does not consider crashes 
to be a security violation. On the other side, things like crypto code 
frequently use their own non-GMP implementation of bignum arith for this 
(and other) reason.

Not trying to brush this off. But I'm just trying to gain an 
understanding of what the expected remediation is here.
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
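The failure mode in the quoted gawk run is that GMP has no error return for a result that outgrows an mpz: it prints "gmp: overflow in mpz type" and calls abort(), and the same is true when its allocator fails. A caller that must not crash on attacker-chosen operands therefore has to bound the result size before calling into the library. The following is an added example, written for this thread and not taken from GMP, gawk or any of the packages mentioned; it estimates the bit length of base^exp without computing it and rejects the call when the estimate exceeds a limit. GMP_MPZ_MAX_BITS is an approximation of the library ceiling (mpz_t stores its limb count in an int, so about 2^31 64-bit limbs), POLICY_MAX_BITS is a hypothetical per-application cap, and the mpz_pow_ui() call being guarded is only named in a comment so the example builds without libgmp.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example for the libgmp abort() discussion; not code from GMP or gawk.
 * GMP's mpz_t keeps its limb count in an int, so a value can hold at most
 * roughly INT32_MAX 64-bit limbs. An operation whose result would need more
 * prints "gmp: overflow in mpz type" and calls abort(); there is no error
 * return to check. The defence is to bound the result before calling GMP. */

/* Approximate hard ceiling of an mpz (assumption: int limb count, 64-bit limbs). */
#define GMP_MPZ_MAX_BITS ((uint64_t)INT32_MAX * 64)
/* Hypothetical per-application cap: 1 Mbit is plenty for most scripting uses. */
#define POLICY_MAX_BITS  ((uint64_t)1 << 20)

/* Number of significant bits in v (0 for v == 0). */
static unsigned bit_length(uint64_t v)
{
    unsigned n = 0;
    while (v) { n++; v >>= 1; }
    return n;
}

/* Upper bound on bits(base^exp) without computing the power:
 * log2(base) <= bits(base), hence bits(base^exp) <= exp * bits(base).
 * Returns false if even that bound does not fit in 64 bits. */
static bool pow_bits_upper_bound(uint64_t base, uint64_t exp, uint64_t *out)
{
    if (base <= 1 || exp == 0) { *out = 1; return true; }  /* 0, 1, or base^0 */
    return !__builtin_mul_overflow((uint64_t)bit_length(base), exp, out);
}

/* Pre-flight check: may base^exp be handed to mpz_pow_ui() under max_bits?
 * The library ceiling is always enforced in addition to the policy cap. */
static bool pow_fits(uint64_t base, uint64_t exp, uint64_t max_bits)
{
    uint64_t bits;
    if (max_bits > GMP_MPZ_MAX_BITS)
        max_bits = GMP_MPZ_MAX_BITS;
    if (!pow_bits_upper_bound(base, exp, &bits))
        return false;  /* bound itself overflowed: certainly too large */
    return bits <= max_bits;
}

int main(void)
{
    /* Constructed inputs; the second is the gawk --bignum 2^2^41 case. */
    const struct { uint64_t base, exp; } cases[] = {
        { 2, 100 },               /* 101 bits: fine                          */
        { 2, (uint64_t)1 << 41 }, /* ~2^41 bits: aborts inside GMP if called */
        { 10, 1000000 },          /* ~3.3 Mbit: GMP can, policy says no      */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        bool ok = pow_fits(cases[i].base, cases[i].exp, POLICY_MAX_BITS);
        printf("%" PRIu64 "^%" PRIu64 ": %s\n", cases[i].base, cases[i].exp,
               ok ? "ok, call mpz_pow_ui()" : "rejected before reaching GMP");
    }
    return 0;
}
```

The bound is deliberately loose (bits(base) rather than log2(base)), which only ever rejects slightly early; for exponentiation that is the right direction, since the alternative is an uncatchable abort(). Replacing GMP's allocator with mp_set_memory_functions() does not help here: the mpz size overflow path goes to abort() before any allocation is attempted.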