Description of problem: I'm seeing a failure of PHP's GMP functions on certain values. Version-Release number of selected component (if applicable): Our PHP is 4.3.9-3.22.9. How reproducible: run the following PHP code: <?php $total=gmp_init(120); $v=gmp_mul(1000, 0); // which is, of course, 0. Right? Therein lies the rub. // $v=gmp_init(0); // if we include this line to make it 0, all's well echo "before add: total is ".gmp_strval($total).", v is ".gmp_strval($v)."\n"; $total = gmp_add($total,$v); echo "after add: total should be 120, and is actually: ".gmp_strval($total)."\n "; ?> Steps to Reproduce: 1. create a file "gmp_test.php" with the code above 2. run "php gmp_test.php" from the command line Actual results: before add: total is 120, v is 0 after add: total should be 120, and is actually: 0 Expected results: before add: total is 120, v is 0 after add: total should be 120, and is actually: 120 Additional info: This problem is not present on php-5.1.6-3.6.fc6 running on a FC6 system. It is present on a CentOS 4.5 system with php-4.3.9-3.22.5.
This bug results in errors in GMP calcuations; since GMP is sometimes used to implement RSA and other crytpographic schemes (for example, the Crypt_RSA package from PEAR), it does have some security relevance.
Joe, can you add a comment on this? What's causing this flaw. Is it something we need to worry about from a security perspective?
This looks like upstream #32773, where passing zero as a second parameter to various gmp_ functions cause them to fail. I can't see any security implications from such usage. You can work around it by switching the order of the arguments to gmp_add in the test case.
Thanks for the quick response, Joe. Annoying that my search on bugs.php.net for "GMP" didn't find this. Any chance of the fix for this getting backported to RHEL 4.5?
This request was evaluated by Red Hat Product Management for inclusion, but this component is not scheduled to be updated in the current Red Hat Enterprise Linux release. If you would like this request to be reviewed for the next minor release, ask your support representative to set the next rhel-x.y flag to "?".
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2009-1013.html