Étienne Mollier pushed to branch master at Debian Med / hnswlib
Commits:

1b778ce2 by Étienne Mollier at 2023-07-19T09:01:06+02:00
cve-2023-37365.patch: new: fix CVE-2023-37365.
This is done by capping M to 10000 per discussion with upstream.
Closes: #1041426

- - - - -
926f0cbc by Étienne Mollier at 2023-07-19T09:33:13+02:00
d/t/run-unit-test: adjust to new source layout.

- - - - -
76e7af32 by Étienne Mollier at 2023-07-19T09:34:21+02:00
update changelog.

- - - - -
604fee24 by Étienne Mollier at 2023-07-19T09:35:12+02:00
d/copyright: update reference to sift_1b.cpp.

- - - - -
ca8e523a by Étienne Mollier at 2023-07-19T09:42:56+02:00
d/t/run-unit-test: test against all supported python3 versions.

- - - - -
d898b51d by Étienne Mollier at 2023-07-19T09:43:45+02:00
d/control: add myself to uploaders.

- - - - -
0c719495 by Étienne Mollier at 2023-07-19T09:44:37+02:00
ready to upload to unstable.

- - - - -

6 changed files:

- debian/changelog
- debian/control
- debian/copyright
- + debian/patches/cve-2023-37365.patch
- debian/patches/series
- debian/tests/run-unit-test

Changes:

=====================================
debian/changelog
=====================================
@@ -1,11 +1,19 @@ -hnswlib (0.7.0-1) UNRELEASED; urgency=medium +hnswlib (0.7.0-1) unstable; urgency=medium - * Team upload. + [ Andreas Tille ] * New upstream version * Standards-Version: 4.6.2 (routine-update) - TODO: Check autopkgtest - -- Andreas Tille <[email protected]> Wed, 12 Jul 2023 21:37:27 +0200 + [ Étienne Mollier ] + * cve-2023-37365.patch: new: fix CVE-2023-37365. + This is done by capping M to 10000 per discussion with upstream. + (Closes: #1041426) + * d/t/run-unit-test: adjust to new source layout. + * d/copyright: update reference to sift_1b.cpp. + * d/t/run-unit-test: test agains all supported python3 versions. + * d/control: add myself to uploaders. + + -- Étienne Mollier <[email protected]> Wed, 19 Jul 2023 09:44:03 +0200 hnswlib (0.6.2-2) unstable; urgency=medium ===================================== debian/control ===================================== @@ -2,7 +2,8 @@ Source: hnswlib Section: science Priority: optional Maintainer: Debian Med Packaging Team <[email protected]> -Uploaders: Steffen Moeller <[email protected]> +Uploaders: Steffen Moeller <[email protected]>, + Étienne Mollier <[email protected]> Build-Depends: debhelper-compat (= 13), dh-python, python3-all-dev, ===================================== debian/copyright ===================================== @@ -11,7 +11,7 @@ Copyright: Yury Malkov Louis Abraham ([@louisabraham](https://github.com/louisabraham)) License: Apache-2.0 -Files: sift_1b.cpp +Files: tests/cpp/sift_1b.cpp Copyright: David Robert Nadeau Comment: The code is available at http://NadeauSoftware.com/ License: CC-BY-3.0 ===================================== debian/patches/cve-2023-37365.patch ===================================== 
@@ -0,0 +1,40 @@ +Description: hnswalg.h: cap M to 10000 (CVE-2023-37365) + This patch works around issue nmslib#467, also referenced as CVE-2023-37365, + by implementing Yury Malkov's suggestion about capping the M value, + coding the maximum number of outgoing connections in the graph, to a + reasonable enough value of the order of 10000. For the record, the + documentation indicates reasonable values for M range from 2 to 100, + which are well within the cap; see ALGO_PARAMS.md. + . + The reproducer shown in issue nmslib#467 doesn't trigger the double free + condition anymore after this change is applied, but completes + successfully, although with the below warning popping up on purpose: + . + warning: M parameter exceeds 10000 which may lead to adverse effects. + Cap to 10000 will be applied for the rest of the processing. + +Author: Étienne Mollier <[email protected]> +Bug: https://github.com/nmslib/hnswlib/issues/467 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1041426 +Forwarded: https://github.com/nmslib/hnswlib/pull/484 +Reviewed-by: Yury Malkov <[email protected]> +Last-Update: 2023-07-19 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- hnswlib.orig/hnswlib/hnswalg.h ++++ hnswlib/hnswlib/hnswalg.h +@@ -102,7 +102,13 @@ + data_size_ = s->get_data_size(); + fstdistfunc_ = s->get_dist_func(); + dist_func_param_ = s->get_dist_func_param(); +- M_ = M; ++ if ( M <= 10000 ) { ++ M_ = M; ++ } else { ++ std::cerr << "warning: M parameter exceeds 10000 which may lead to adverse effects." << std::endl; ++ std::cerr << " Cap to 10000 will be applied for the rest of the processing." << std::endl; ++ M_ = 10000; ++ } + maxM_ = M_; + maxM0_ = M_ * 2; + ef_construction_ = std::max(ef_construction, M_); ===================================== debian/patches/series ===================================== 
@@ -2,3 +2,4 @@ cassert.patch noTwine.patch use-shared-while-linking.patch do-not-use-native-flags.patch +cve-2023-37365.patch ===================================== debian/tests/run-unit-test ===================================== @@ -11,7 +11,13 @@ if [ "${AUTOPKGTEST_TMP}" = "" ] ; then fi cp -a ${CUR_DIR}/python_bindings/* "${AUTOPKGTEST_TMP}" +cp -r ${CUR_DIR}/tests "${AUTOPKGTEST_TMP}" cd "${AUTOPKGTEST_TMP}" -python3 -m unittest -v tests/* - +for python3 in $(py3versions --supported) +do + $python3 -m unittest discover \ + --start-directory tests/python \ + --pattern "bindings_test*.py" \ + -v +done
View it on GitLab: https://salsa.debian.org/med-team/hnswlib/-/compare/49b2c03518ad486fb65eef8b4560b682749adc5e...0c719495d411e91d3092f6598154d37cf00092a9
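Review bot: the debian/changelog hunk carries a typo in the added line `* d/t/run-unit-test: test agains all supported python3 versions.`; "agains" should read "against". The same wording is in commit ca8e523a, so a small follow-up commit fixing the changelog before the upload to unstable would keep the published entry clean.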
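Review bot: in the debian/patches/cve-2023-37365.patch hunk the cap value 10000 is spelled out five times (the `M <= 10000` comparison, the `M_ = 10000;` assignment and twice inside the warning strings); a single named constant next to the other members would keep the check, the assignment and the message from drifting apart. The hunk also introduces `std::cerr` and `std::endl` without an accompanying `#include <iostream>`; the visible context does not show whether hnswalg.h already includes it, so that should be confirmed before relying on the build succeeding on every toolchain. Lastly, the cap only warns on stderr and then proceeds, so a caller passing an oversized M silently gets an index with `maxM0_` of 20000 rather than what was requested; given the DEP-3 header notes that documented values of M stop at 100, rejecting out-of-range values with an exception is the stricter option to raise with upstream, while the cap as written does address the double free reproducer the header describes.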
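Review bot: in the debian/tests/run-unit-test hunk, unless the script runs under `set -e` (not visible in this context), a failing test run for one interpreter is masked by the exit status of the next loop iteration, so the autopkgtest can report success even when one supported python3 version fails; appending `|| exit 1` to the `$python3 -m unittest discover ...` command, or enabling `set -e` at the top of the script, closes that gap. Two smaller points on the same hunk: `cp -r ${CUR_DIR}/tests "${AUTOPKGTEST_TMP}"` quotes one variable and not the other, and naming the loop variable `python3` is easy to misread as the command of the same name; `py` or `interp` would be clearer.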
_______________________________________________ debian-med-commit mailing list [email protected] https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-med-commit
