Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 532028 (CVE-2014-9474)

Summary: <dev-libs/mpfr-3.1.3_p4: buffer overflow in mpfr_strtofr (CVE-2014-9474)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: toolchain
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://gmplib.org/list-archives/gmp-bugs/2013-December/003267.html
See Also: https://bugzilla.redhat.com/show_bug.cgi?id=1171701
Whiteboard: A2 [glsa cve]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2014-12-09 08:34:37 UTC 
From ${URL} :

A buffer overflow was reported [1] in mpfr.
This is due to incorrect GMP documentation for mpn_set_str about the size of a buffer (discussion 
is at [1]; first fix in the GMP documentation is at [2]). This bug is present in the MPFR versions 
from 2.1.0 (adding mpfr_strtofr) to this one, and can be detected by running "make check" in a 
32-bit ABI under GNU/Linux with alloca disabled (this is currently possible by using the 
--with-gmp-build configure option where alloca has been disabled in the GMP build). It is fixed by 
the strtofr patch [3].
Corresponding changeset in the 3.1 branch: 9110 [4].

[1]: https://gmplib.org/list-archives/gmp-bugs/2013-December/003267.html
[2]: https://gmplib.org/repo/gmp-5.1/raw-rev/d19172622a74
[3]: http://www.mpfr.org/mpfr-3.1.2/patch11
[4]: https://gforge.inria.fr/scm/viewvc.php?view=rev&root=mpfr&revision=9110


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 SpanKY gentoo-dev 2015-08-21 21:48:25 UTC 
should be fixed by 3.1.3 in the tree and is fine to stabilize
Comment 2 SpanKY gentoo-dev 2015-10-02 19:45:24 UTC 
arch teams: please stabilize mpfr-3.1.3_p4
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2015-10-03 18:19:21 UTC 
Stable for HPPA PPC64.
Comment 4 Anthony Basile gentoo-dev 2015-10-03 18:29:21 UTC 
stable for ppc
Comment 5 Agostino Sarubbo gentoo-dev 2015-10-04 09:31:34 UTC 
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2015-10-04 09:32:14 UTC 
x86 stable
Comment 7 Markus Meier gentoo-dev 2015-10-17 11:00:08 UTC 
arm stable
Comment 8 Tobias Klausmann (RETIRED) gentoo-dev 2015-10-21 12:48:33 UTC 
Stable on alpha.
Comment 9 SpanKY gentoo-dev 2015-10-24 16:25:37 UTC 
i've done the rest now
Comment 10 Yury German Gentoo Infrastructure gentoo-dev 2015-11-03 03:55:29 UTC 
Arches, Thank you for your work.
New GLSA Request filed.

Maintainer(s), please drop the vulnerable version(s).
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2015-12-30 11:07:36 UTC 
This issue was resolved and addressed in
 GLSA 201512-06 at https://security.gentoo.org/glsa/201512-06
by GLSA coordinator Yury German (BlueKnight).
Comment 12 Yury German Gentoo Infrastructure gentoo-dev 2015-12-30 11:10:30 UTC 
Re-Opening for cleanup. 

Maintainers, the GLSA has been released please clean up the Vulnerable versions.
Comment 13 Yury German Gentoo Infrastructure gentoo-dev 2016-02-25 08:25:36 UTC 
Maintainer(s), please drop the vulnerable version(s).