Message-ID: <20230514214121.GA18829@openwall.com>
Date: Sun, 14 May 2023 23:41:21 +0200
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: Real world vulnerabilities of CWE-1077: Floating Point Comparison with Incorrect Operator?

On Mon, Apr 24, 2023 at 04:43:29PM +0300, Georgi Guninski wrote:
> Are there real world examples of vulnerabilities of this:
> 
> https://cwe.mitre.org/data/definitions/1077.html
> CWE-1077: Floating Point Comparison with Incorrect Operator
> 
> This issue can prevent the product from running reliably. If the
> relevant code is reachable by an attacker, then this reliability
> problem might introduce a vulnerability.
> 
> One simple example in python:
> 
> >>> A=(0.1+0.2)+0.3;B=0.1+(0.2+0.3);(A==B,A-B,A,B)
> (False, 1.1102230246251565e-16, 0.6000000000000001, 0.6)

See this thread:

https://www.openwall.com/lists/oss-security/2011/01/05/2

"Since this problem stems from a single codebase, strtod.c, so it gets a
single CVE identifier (already assigned CVE-2010-4645).  The CVE
description will "blame" strtod.c and mention PHP, and any other
high-profile software that is discovered to use the same vulnerable,
shared code."

CVE-2010-4645 description currently in NVD is:

"strtod.c, as used in the zend_strtod function in PHP 5.2 before 5.2.17
and 5.3 before 5.3.5, and other products, allows context-dependent
attackers to cause a denial of service (infinite loop) via a certain
floating-point value in scientific notation, which is not properly
handled in x87 FPU registers, as demonstrated using
2.2250738585072011e-308."

Interestingly, at least PHP's fix at the time wasn't to avoid the direct
comparison, but to avoid having the floating-point values stay in x87 FP
registers.  This should be sufficient to work around GCC "bug" 323, but
it might not be robust across platforms and it does not fix CWE-1077.

Alexander
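The following C program is an added illustration of the CWE-1077 pattern this thread discusses; it is not code from the original post, from PHP, or from strtod.c, and it does not model the actual strtod.c loop that CVE-2010-4645 triggered. It shows the two evaluation orders from the quoted Python example differing by exactly one ULP, a bounded loop that uses `!=` as its exit condition and therefore never terminates for a 0.1 step, and the same loop with an overshoot check plus a ULP-tolerant comparison. The `round_to_double` helper mimics the "keep it out of the x87 registers" style of workaround mentioned above by storing through a `volatile` (a no-op on SSE targets, which is why that workaround is not portable as a fix). All function names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Force a value through memory so it is rounded to a 64-bit double even on an
 * x87 FPU that would otherwise keep 80-bit excess precision in a register.
 * Hypothetical helper in the spirit of the register-spilling workaround the
 * message describes; on SSE targets it changes nothing. */
static double round_to_double(double x)
{
    volatile double stored = x;
    return stored;
}

/* Map a double's bit pattern to a signed integer whose order matches numeric
 * order (negative values are reflected), so adjacent doubles differ by 1.
 * Both +0.0 and -0.0 map to 0. */
static int64_t ordered_bits(double d)
{
    int64_t bits;
    memcpy(&bits, &d, sizeof bits);
    return bits < 0 ? INT64_MIN - bits : bits;
}

/* Number of representable doubles between a and b (0 = identical or +0/-0). */
static uint64_t ulp_distance(double a, double b)
{
    int64_t ia = ordered_bits(a), ib = ordered_bits(b);
    if (ia < ib) { int64_t t = ia; ia = ib; ib = t; }
    return (uint64_t)ia - (uint64_t)ib;   /* ia >= ib, so no overflow */
}

/* Tolerant comparison: equal when within max_ulps representable values.
 * NaN never compares equal. */
static bool within_ulps(double a, double b, uint64_t max_ulps)
{
    if (a != a || b != b)
        return false;
    return ulp_distance(a, b) <= max_ulps;
}

/* The two evaluation orders from the quoted Python example. */
static double sum_left(double a, double b, double c)
{
    return round_to_double(round_to_double(a + b) + c);
}
static double sum_right(double a, double b, double c)
{
    return round_to_double(a + round_to_double(b + c));
}

/* CWE-1077 as a loop exit condition: step from 0 until x == target exactly.
 * Returns the step count, or -1 when max_iter is hit (the real loop would
 * never end). With step = 0.1 the accumulated sum skips over 1.0. */
static int count_steps_naive(double step, double target, int max_iter)
{
    double x = 0.0;
    int n = 0;
    while (x != target) {            /* exact equality on rounded values */
        if (n >= max_iter)
            return -1;
        x = round_to_double(x + step);
        n++;
    }
    return n;
}

/* Hardened loop: stop when the target is reached or overshot, or when x is
 * within a few ULPs of it, so rounding error cannot keep it running. */
static int count_steps_safe(double step, double target, int max_iter)
{
    double x = 0.0;
    int n = 0;
    while (!(x >= target || within_ulps(x, target, 4))) {
        if (n >= max_iter)
            return -1;
        x = round_to_double(x + step);
        n++;
    }
    return n;
}

int main(void)
{
    double a = sum_left(0.1, 0.2, 0.3), b = sum_right(0.1, 0.2, 0.3);
    printf("(0.1+0.2)+0.3 = %.17g, 0.1+(0.2+0.3) = %.17g\n", a, b);
    printf("a == b: %d, ulp distance: %llu, within 1 ulp: %d\n",
           a == b, (unsigned long long)ulp_distance(a, b), within_ulps(a, b, 1));
    printf("naive loop, step 0.1:  %d (-1 = would hang)\n", count_steps_naive(0.1, 1.0, 1000));
    printf("safe loop,  step 0.1:  %d\n", count_steps_safe(0.1, 1.0, 1000));
    printf("naive loop, step 0.25: %d (exact binary fraction, terminates)\n",
           count_steps_naive(0.25, 1.0, 1000));
    return 0;
}
```

The ULP-based comparison is deliberately built from the bit pattern rather than a fixed epsilon, because an absolute epsilon that is right for values near 0.6 is either far too loose or far too tight near 2.2250738585072011e-308, which is the magnitude the CVE description cites.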
