Ubuntu
libgsm package

ZDI-CAN-9867: Canonical libgsm AssertFailure

Bug #1860414 reported by Zero Day Initiative
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
libgsm (Ubuntu)
New
Undecided
Unassigned

Bug Description

ZDI-CAN-9867: Canonical libgsm AssertFailure

-- CVSS -----------------------------------------

0.0: AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N

-- ABSTRACT -------------------------------------

Trend Micro's Zero Day Initiative has identified a vulnerability affecting the following products:
Libgsm - libgsm

-- VULNERABILITY DETAILS ------------------------

Version tested: 1.0.18-2
Installer file: https://code.launchpad.net/ubuntu/+source/libgsm
Platform tested: Ubuntu
Analysis
Please see attached documentation for full vulnerability details.

gsm: src/add.c:220: word gsm_div(word, word): Assertion `num >= 0 && denum >= num' failed.

-- CREDIT ---------------------------------------
This vulnerability was discovered by:
Lacne Jiang of Trend Micro

-- FURTHER DETAILS ------------------------------

If supporting files were contained with this report they are provided within a password protected ZIP file. The password is the ZDI candidate number in the form: ZDI-CAN-XXXX where XXXX is the ID number.

Please confirm receipt of this report. We expect all vendors to remediate ZDI vulnerabilities within 120 days of the reported date. If you are ready to release a patch at any point leading up to the deadline, please coordinate with us so that we may release our advisory detailing the issue. If the 120-day deadline is reached and no patch has been made available we will release a limited public advisory with our own mitigations, so that the public can protect themselves in the absence of a patch. Please keep us updated regarding the status of this issue and feel free to contact us at any time:

Zero Day Initiative
<email address hidden>

The PGP key used for all ZDI vendor communications is available from:

http://www.zerodayinitiative.com/documents/disclosures-pgp-key.asc

-- INFORMATION ABOUT THE ZDI --------------------
Established by TippingPoint and acquired by Trend Micro, the Zero Day Initiative (ZDI) neither re-sells vulnerability details nor exploit code. Instead, upon notifying the affected product vendor, the ZDI provides its Trend Micro TippingPoint customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available.

Please contact us for further details or refer to:

http://www.zerodayinitiative.com

-- DISCLOSURE POLICY ----------------------------

Our vulnerability disclosure policy is available online at:

http://www.zerodayinitiative.com/advisories/disclosure_policy/

Revision history for this message
Zero Day Initiative (thezdi) wrote :
Alex Murray (alexmurray)
information type: Public → Public Security
Revision history for this message
Alex Murray (alexmurray) wrote :

Has this been reported to the upstream libgsm developers?

Revision history for this message
Alex Murray (alexmurray) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

tags: added: community-security
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.