On 29 October 2024 at 07:04, Salvatore Bonaccorso wrote:
| Control: found -1 2.7.1+dfsg-5
| 
| Hi Dirk,
| 
| Impressive response time ;-)

Thanks ;-)

Adding an assert was an easy and obvious 'fix' to avoid allocating badly as
they had found possible via a negative index.

| On Mon, Oct 28, 2024 at 04:12:56PM -0500, Dirk Eddelbuettel wrote:
| > 
| > Hi Salvatore,
| > 
| > On 28 October 2024 at 21:55, Salvatore Bonaccorso wrote:
| > | Source: gsl
| > | Version: 2.8+dfsg-3
| > | Severity: important
| > | Tags: security upstream
| > | Forwarded: https://lists.gnu.org/archive/html/bug-gsl/2024-09/msg00000.html
| > | X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
| > | 
| > | Hi,
| > | 
| > | The following vulnerability was published for gsl.
| > | 
| > | CVE-2024-50610[0]:
| > | | GSL (GNU Scientific Library) through 2.8 has an integer signedness
| > | | error in gsl_siman_solve_many in siman/siman.c. When params.n_tries
| > | | is negative, incorrect memory allocation occurs.
| > 
| > Will do, and will try to coordinate with upstream who have not yet
| > reacted. The same two researchers also reported in the bug-gsl list in
| > September, no follow-up. [ Oh I see you have that message linked above too. ]
| 
| Right, the CVE popped up in today's new CVEs in the CVE feeds once we
| triaged the new CVEs.
|   
| > | If you fix the vulnerability please also make sure to include the
| > | CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
| > 
| > Will do.
| 
| Thanks!
| >
| > | For further information see:
| > | 
| > | [0] https://security-tracker.debian.org/tracker/CVE-2024-50610
| > |     https://www.cve.org/CVERecord?id=CVE-2024-50610
| > | [1] https://lists.gnu.org/archive/html/bug-gsl/2024-09/msg00000.html
| > | 
| > | Please adjust the affected versions in the BTS as needed.
| > 
| > I am a little fuzzy on that. The savannah link to the source file shows that
| > siman.c has not been updated in years so I guess we would need to update
| > stable too?
| 
| I have updated the meta-data with the control command above. About
| stable update: I do not think this warrants a security-update via a
| DSA, but if you have a fix for stable as well, it might be included in
| the next point release. This is happening on 9th November, and the window
| for uploads to stable closes this upcoming weekend, so if you have some
| spare cycles to prepare that update as well that would obviously be
| great. Otherwise I do not think the issue has much urgency (correct me
| if you think I'm wrong).

I concur. It's a borderline bug report, valid but IMHO not CVE level. I think
we can let stable rest.
 
| https://lists.debian.org/debian-release/2024/10/msg00151.html
| 
| > Then again, it's one of many (optional) optimization routines in GSL so ...
| > But if the security team feels we need to update all versions I can look into
| > that / help with that.  Would be best to double-check with you or someone
| > else, I don't get to touch stable all that often and am likely rusty on
| > details.
| 
| Again *if* you have spare cycles and can prepare an update for stable
| to be included in the next point release, the following highlights the
| procedure:
| 
| https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#special-case-uploads-to-the-stable-and-oldstable-distributions
| 
| Let me know if you need anything else from me.

That was perfect and very helpful, thank you.

If we are in agreement over stable being fine as is, we should be done here
as I see it. Correct?

Cheers, Dirk

-- 
dirk.eddelbuettel.com | @eddelbuettel | [email protected]
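The signedness error the CVE text describes, shown as an added example (this is not GSL's siman.c nor the Debian patch; the struct, function and parameter names below are hypothetical stand-ins). It assumes, as the GSL API documents, that n_tries is an int and element_size is a size_t: when a negative int is multiplied by a size_t it is first converted to size_t, so a request like `n_tries * element_size` silently becomes a huge allocation size instead of an error. The checked variant rejects non-positive counts and products that would overflow, returning NULL where an assert would abort.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Hypothetical stand-in for a params struct whose count field is a
   signed int (as gsl_siman_params_t.n_tries is); not GSL's own type. */
struct tries_params {
    int n_tries;
};

/* The unchecked product: n_tries is converted to size_t before the
   multiplication, so a negative count wraps to a value near SIZE_MAX. */
size_t naive_alloc_size(int n_tries, size_t element_size)
{
    return n_tries * element_size;
}

/* Checked variant: stores the byte count in *out and returns 1 when
   n_tries is positive and the product cannot overflow; returns 0 otherwise. */
int checked_alloc_size(int n_tries, size_t element_size, size_t *out)
{
    if (n_tries <= 0 || element_size == 0)
        return 0;
    if ((size_t)n_tries > SIZE_MAX / element_size)
        return 0;                       /* product would wrap */
    *out = (size_t)n_tries * element_size;
    return 1;
}

/* Allocate room for n_tries elements, or return NULL on a bad count
   (instead of aborting via assert, which is the other common choice). */
void *alloc_tries(const struct tries_params *p, size_t element_size)
{
    size_t bytes;
    if (!checked_alloc_size(p->n_tries, element_size, &bytes))
        return NULL;
    return malloc(bytes);
}

int main(void)
{
    struct tries_params bad = { -1 };   /* constructed input: negative count */
    struct tries_params ok  = {  4 };
    size_t bytes = 0;

    printf("naive size for n_tries=-1, elem=8: %zu\n",
           naive_alloc_size(bad.n_tries, 8));            /* near SIZE_MAX */
    printf("checked accepts -1: %d\n",
           checked_alloc_size(bad.n_tries, 8, &bytes));  /* 0 */
    printf("checked accepts  4: %d (%zu bytes)\n",
           checked_alloc_size(ok.n_tries, 8, &bytes), bytes); /* 1, 32 */

    void *buf = alloc_tries(&ok, 8);
    printf("alloc for 4 tries %s\n", buf ? "succeeded" : "failed");
    free(buf);
    return 0;
}
```

The wrapped size is usually so large that malloc simply returns NULL, and the next unchecked write then dereferences a null pointer; on a platform where the allocation does succeed, any index derived from the signed count is just as wrong. Either way the cheap fix is to validate the count before it reaches the allocator.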
