Hi Dirk,

On Tue, Oct 29, 2024 at 09:10:45AM -0500, Dirk Eddelbuettel wrote:
> 
> On 29 October 2024 at 07:04, Salvatore Bonaccorso wrote:
> | Control: found -1 2.7.1+dfsg-5
> | 
> | Hi Dirk,
> | 
> | Impressive response time ;-)
> 
> Thanks ;-)
> 
> Adding an assert was an easy and obvious 'fix' to avoid allocating badly as
> they had found possible via negative index.
> 
> | On Mon, Oct 28, 2024 at 04:12:56PM -0500, Dirk Eddelbuettel wrote:
> | > 
> | > Hi Salvatore,
> | > 
> | > On 28 October 2024 at 21:55, Salvatore Bonaccorso wrote:
> | > | Source: gsl
> | > | Version: 2.8+dfsg-3
> | > | Severity: important
> | > | Tags: security upstream
> | > | Forwarded: https://lists.gnu.org/archive/html/bug-gsl/2024-09/msg00000.html
> | > | X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
> | > | 
> | > | Hi,
> | > | 
> | > | The following vulnerability was published for gsl.
> | > | 
> | > | CVE-2024-50610[0]:
> | > | | GSL (GNU Scientific Library) through 2.8 has an integer signedness
> | > | | error in gsl_siman_solve_many in siman/siman.c. When params.n_tries
> | > | | is negative, incorrect memory allocation occurs.
> | > 
> | > Will do, and will try to coordinate with upstream who have not yet
> | > reacted. The same two researchers also reported in the bug-gsl list in
> | > September, no follow-up. [ Oh I see you have that message linked above too. ]
> | 
> | Right, the CVE popped up in today's new CVEs in the CVE feeds once we
> | triaged the new CVEs.
> | 
> | > | If you fix the vulnerability please also make sure to include the
> | > | CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> | > 
> | > Will do.
> | 
> | Thanks!
> | 
> | > 
> | > | For further information see:
> | > | 
> | > | [0] https://security-tracker.debian.org/tracker/CVE-2024-50610
> | > |     https://www.cve.org/CVERecord?id=CVE-2024-50610
> | > | [1] https://lists.gnu.org/archive/html/bug-gsl/2024-09/msg00000.html
> | > | 
> | > | Please adjust the affected versions in the BTS as needed.
> | > 
> | > I am a little fuzzy on that. The savannah link to the source file shows that
> | > siman.c has not been updated in years so I guess we would need to update
> | > stable too?
> | 
> | I have updated the meta-data with the control command above. About
> | stable update: I do not think this warrants a security-update via a
> | DSA, but if you have a fix for stable as well, it might be included in
> | the next point release. This is happening on 9th November, and the window
> | for uploads to stable is closing this upcoming weekend, so if you have some
> | spare cycles to prepare that update as well that would obviously be
> | great. Otherwise I do not think the issue has much urgency (correct me
> | if you think I'm wrong).
> 
> I concur. It's a borderline bug report, valid but IMHO no CVE level. I think
> we can let stable rest.
> 
> | https://lists.debian.org/debian-release/2024/10/msg00151.html
> | 
> | > Then again, it's one of many (optional) optimization routines in GSL so ...
> | > But if the security team feels we need to update all versions I can look into
> | > that / help with that. Would be best to double-check with you or someone
> | > else, I don't get to touch stable all that often and am likely rusty on
> | > details.
> | 
> | Again *if* you have spare cycles and can prepare an update for stable
> | to be included in the next point release, the following highlights the
> | procedure:
> | 
> | https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#special-case-uploads-to-the-stable-and-oldstable-distributions
> | 
> | Let me know if you need anything else from me.
> 
> That was perfect and very helpful, thank you.
> 
> If we are in agreement over stable being fine as is, we should be done here
> as I see it. Correct?
Ok, right, we can otherwise just ignore the issue for stable; I will update the tracker accordingly.

Regards,
Salvatore
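The signedness error the CVE text describes, as an added example that is not part of this thread and is not GSL's own code: a constructed stand-in for the params struct (only an `int n_tries` field, mirroring the field the CVE names; the real `gsl_siman_params_t` has more) feeding the usual `count * element_size` allocation, beside a checked version of the kind the "assert" fix mentioned above implies. The struct and function names are assumptions for illustration; what it shows is why a negative `int` count turns into a huge `size_t` request rather than an error.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for the parameter struct. Only the field the CVE
 * names is modelled; the real gsl_siman_params_t carries more fields. */
typedef struct {
    int n_tries;          /* signed, as in the CVE description */
} siman_params_t;

/* Unchecked pattern: int * size_t. The signed n_tries is converted to
 * size_t before the multiply, so -1 becomes SIZE_MAX and the request
 * becomes enormous (and may wrap). Returns the byte count only; it does
 * not allocate, so the effect can be inspected safely. */
size_t unchecked_alloc_size(siman_params_t p, size_t element_size)
{
    return p.n_tries * element_size;
}

/* Checked version: refuse non-positive counts and multiplication
 * overflow before any allocation happens. Returns 0 and sets *out on
 * success, -1 on rejection. */
int checked_alloc_size(siman_params_t p, size_t element_size, size_t *out)
{
    size_t n;

    if (p.n_tries <= 0 || element_size == 0)
        return -1;
    n = (size_t) p.n_tries;
    if (n > SIZE_MAX / element_size)   /* n * element_size would wrap */
        return -1;
    *out = n * element_size;
    return 0;
}

/* Allocation helper to use instead of a bare malloc(count * size):
 * NULL on a rejected count, otherwise the caller owns the buffer. */
void *checked_alloc(siman_params_t p, size_t element_size)
{
    size_t bytes;

    if (checked_alloc_size(p, element_size, &bytes) != 0)
        return NULL;
    return malloc(bytes);
}

int main(void)
{
    siman_params_t bad = { -1 };
    siman_params_t ok  = { 100 };
    size_t bytes = 0;

    printf("n_tries=-1, unchecked request: %zu bytes\n",
           unchecked_alloc_size(bad, sizeof(double)));
    printf("n_tries=-1, checked: %s\n",
           checked_alloc_size(bad, sizeof(double), &bytes) == 0
               ? "accepted" : "rejected");
    if (checked_alloc_size(ok, sizeof(double), &bytes) == 0)
        printf("n_tries=100, checked: %zu bytes\n", bytes);
    return 0;
}
```

The unchecked function is kept free of any actual `malloc` so the converted size can be printed without the process trying to honour it; a bare `assert(n_tries > 0)` stops the same path but aborts the caller, whereas returning an error code lets library users handle a bad parameter.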

