Your message dated Fri, 21 Nov 2025 18:55:53 +0000
with message-id <[email protected]>
and subject line Bug#1104015: fixed in llvm-toolchain-19 1:19.1.7-16
has caused the Debian Bug report #1104015,
regarding llvm-toolchain-19: CVE-2024-7883
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1104015: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104015
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: llvm-toolchain-19
Version: 1:19.1.7-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: clone -1 -2 -3 -4
Control: reassign -2 src:llvm-toolchain-18 1:18.1.8-17
Control: retitle -2 llvm-toolchain-18: CVE-2024-7883
Control: reassing -3 src:llvm-toolchain-17 1:17.0.6-21
Control: retitle -3 llvm-toolchain-17: CVE-2024-7883
Control: reassign -4 src:llvm-toolchain-14 1:14.0.6-20
Control: retitle -4 llvm-toolchain-14: CVE-2024-7883
Hi,
The following vulnerability was published for llvm-toolchain-*.
CVE-2024-7883[0]:
| When using Arm Cortex-M Security Extensions (CMSE), Secure stack
| contents can be leaked to Non-secure state via floating-point
| registers when a Secure to Non-secure function call is made that
| returns a floating-point value and when this is the first use of
| floating-point since entering Secure state. This allows an attacker
| to read a limited quantity of Secure stack contents with an impact
| on confidentiality. This issue is specific to code generated using
| LLVM-based compilers.
This is more for tracking as I do not expect we can have it fixed in
the respective other branches than 20.x.
In case it is still fixed:
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-7883
https://www.cve.org/CVERecord?id=CVE-2024-7883
[1] https://developer.arm.com/Arm%20Security%20Center/Cortex-M%20Security%20Extensions%20Vulnerability
[2] https://bugzilla.redhat.com/show_bug.cgi?id=2322994
[3] https://github.com/llvm/llvm-project/pull/114433
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: llvm-toolchain-19
Source-Version: 1:19.1.7-16
Done: Matthias Klose <[email protected]>
We believe that the bug you reported is fixed in the latest version of
llvm-toolchain-19, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Matthias Klose <[email protected]> (supplier of updated llvm-toolchain-19 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 21 Nov 2025 18:18:41 +0100
Source: llvm-toolchain-19
Architecture: source
Version: 1:19.1.7-16
Distribution: unstable
Urgency: medium
Maintainer: LLVM Packaging Team <[email protected]>
Changed-By: Matthias Klose <[email protected]>
Closes: 1104015
Changes:
llvm-toolchain-19 (1:19.1.7-16) unstable; urgency=medium
.
* d/rules: Mark usage of SLOPPY_BUILD to ease searching in the build log.
* Add a llvm.noclang build profile (not enabled by default).
* liboffload-19: Remove M-A: same attribute.
* Re(?)-enable omp on i386.
* d/control: Only use one build profile per binary package for now. The ORing
of build profiles seems to be not working.
* Rename build profiles from llvm.* to pkg.llvm.*.
* CVE-2024-7883, issue using Arm Cortex-M Security Extensions (CMSE).
Closes: #1104015.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---