
Bug 260968 (CVE-2009-0757)

Summary: <dev-libs/mpfr-2.4.1 mpfr_snprintf and mpfr_vsnprintf buffer overflow (CVE-2009-0757)
Product: Gentoo Security
Reporter: Robert Buchholz (RETIRED) <rbu>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: toolchain
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.mpfr.org/mpfr-2.4.1
Whiteboard: A3 [glsa]
Package list:
Runtime testing required: ---

Description Robert Buchholz (RETIRED) gentoo-dev 2009-03-02 17:22:01 UTC
On Monday 02 March 2009, Pinar Yanardag wrote:
> A buffer overflow vulnerability has been fixed in the latest version
> of mpfr. From GNU mpfr changelog [1]:
>
> --->8---
> Changes from version 2.4.0 to version 2.4.1
> * Security fix in mpfr_snprintf and mpfr_vsnprintf (buffer overflow).
>
> --->8---
>
> [1]: http://www.mpfr.org/mpfr-2.4.1
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-03-02 17:24:21 UTC
Is 2.4.1 good to go for stabling?
Comment 2 SpanKY gentoo-dev 2009-03-03 00:23:09 UTC
np
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2009-03-03 03:37:59 UTC
Arches, please test and mark stable:
=dev-libs/mpfr-2.4.1_p1
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 4 Jeroen Roovers gentoo-dev 2009-03-03 05:37:24 UTC
Stable for HPPA.
Comment 5 Brent Baude (RETIRED) gentoo-dev 2009-03-04 16:46:27 UTC
ppc64 done
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2009-03-04 17:08:50 UTC
CVE-2009-0757 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0757):
  Multiple buffer overflows in GNU MPFR 2.4.0 allow context-dependent
  attackers to cause a denial of service (crash) via the (1)
  mpfr_snprintf and (2) mpfr_vsnprintf functions.

Comment 7 Ferris McCormick (RETIRED) gentoo-dev 2009-03-04 17:41:39 UTC
Sparc stable, "All 148 tests pass."
Comment 8 Tobias Scherbaum (RETIRED) gentoo-dev 2009-03-04 19:50:14 UTC
ppc stable
Comment 9 Markus Meier gentoo-dev 2009-03-07 10:53:36 UTC
amd64/x86 stable
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2009-03-07 14:22:52 UTC
alpha/arm/ia64/s390/sh stable
Comment 11 Robert Buchholz (RETIRED) gentoo-dev 2009-03-09 13:08:10 UTC
GLSA 200903-13