Your message dated Sat, 05 Apr 2025 13:34:09 +0000
with message-id <[email protected]>
and subject line Bug#1098903: fixed in abseil 20240722.0-3
has caused the Debian Bug report #1098903,
regarding abseil: CVE-2025-0838
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1098903: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098903
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: abseil
Version: 20230802.1-4
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 20220623.1-1
Hi,
The following vulnerability was published for abseil.
CVE-2025-0838[0]:
| There exists a heap buffer overflow vulnerability in Abseil-cpp. The
| sized constructors, reserve(), and rehash() methods of
| absl::{flat,node}_hash_{set,map} did not impose an upper bound on
| their size argument. As a result, it was possible for a caller to
| pass a very large size that would cause an integer overflow when
| computing the size of the container's backing store, and a
| subsequent out-of-bounds memory write. Subsequent accesses to the
| container might also access out-of-bounds memory. We recommend
| upgrading past commit 5a0e2cb5e3958dd90bb8569a2766622cb74d90c1
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-0838
https://www.cve.org/CVERecord?id=CVE-2025-0838
[1] https://github.com/abseil/abseil-cpp/commit/5a0e2cb5e3958dd90bb8569a2766622cb74d90c1
Regards,
Salvatore
--- End Message ---
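The size computation described in the CVE text above, as an added example (not Abseil's code and not the upstream fix): a simplified model of a hash table's backing-store size, first unchecked and then with an upper bound on the requested capacity. The one-control-byte-per-slot layout and all function names are assumptions made for illustration.

```cpp
#include <cstddef>
#include <cstdio>
#include <limits>

// Assumed layout, for illustration only: each slot costs slot_size bytes
// plus one control byte. Abseil's real backing-store layout differs.
constexpr std::size_t kCtrlBytesPerSlot = 1;
constexpr std::size_t kSizeMax = std::numeric_limits<std::size_t>::max();

// Pre-fix pattern: no upper bound on capacity, so the unsigned arithmetic
// wraps modulo 2^N and the result can be far smaller than what is needed.
std::size_t UncheckedAllocSize(std::size_t capacity, std::size_t slot_size) {
  return capacity * kCtrlBytesPerSlot + capacity * slot_size;
}

// Largest capacity whose backing store is still representable in size_t.
// Returns 0 if even a single slot would not fit.
std::size_t MaxCapacity(std::size_t slot_size) {
  if (slot_size > kSizeMax - kCtrlBytesPerSlot) return 0;
  return kSizeMax / (slot_size + kCtrlBytesPerSlot);
}

// Hardened pattern: reject the request before any multiplication happens.
// Returns false (leaving *bytes untouched) when capacity is out of range.
bool CheckedAllocSize(std::size_t capacity, std::size_t slot_size,
                      std::size_t* bytes) {
  if (capacity > MaxCapacity(slot_size)) return false;
  *bytes = capacity * (slot_size + kCtrlBytesPerSlot);
  return true;
}

int main() {
  const std::size_t slot = 8;                      // constructed sample size
  const std::size_t huge = MaxCapacity(slot) + 1;  // first value that wraps
  std::size_t bytes = 0;
  std::printf("unchecked: %zu slots -> %zu bytes\n", huge,
              UncheckedAllocSize(huge, slot));
  std::printf("checked:   huge request %s\n",
              CheckedAllocSize(huge, slot, &bytes) ? "accepted" : "rejected");
  std::printf("checked:   1024 slots %s\n",
              CheckedAllocSize(1024, slot, &bytes) ? "accepted" : "rejected");
  return 0;
}
```

With the unchecked version, a request one past the representable maximum yields an allocation size smaller than a single slot, which is the condition under which later writes land out of bounds.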
--- Begin Message ---
Source: abseil
Source-Version: 20240722.0-3
Done: Tobias Frost <[email protected]>
We believe that the bug you reported is fixed in the latest version of
abseil, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Tobias Frost <[email protected]> (supplier of updated abseil package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 05 Apr 2025 14:59:48 +0200
Source: abseil
Architecture: source
Version: 20240722.0-3
Distribution: unstable
Urgency: medium
Maintainer: Benjamin Barenblat <[email protected]>
Changed-By: Tobias Frost <[email protected]>
Closes: 1098903
Changes:
abseil (20240722.0-3) unstable; urgency=medium
.
* Team upload.
* Backport fix for CVE-2025-0838. Closes: #1098903
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---