Bug#1041468: bookworm-pu: package hnswlib/0.6.2-2+deb12u1

2023-07-22 Thread Étienne Mollier
Hi Jonathan,

Jonathan Wiltshire, on 2023-07-22:
> Control: tag -1 confirmed
> 
> On Wed, Jul 19, 2023 at 12:04:04PM +0200, Étienne Mollier wrote:
> > hnswlib is affected by CVE-2023-37365 marked no-dsa, documented
> > through the important bug #1041426.  Quoting the CVE for short:
> > hnswlib has a double free in init_index when the M argument is a
> > large integer.
> 
> Please go ahead,

I went ahead and got feedback the package was accepted in stable
proposed updates.  Thanks!

Have a nice day,  :)
-- 
  .''`.  Étienne Mollier 
 : :' :  gpg: 8f91 b227 c7d6 f2b1 948c  8236 793c f67e 8f0d 11da
 `. `'   sent from /dev/pts/6, please excuse my verbosity
   `-



Bug#1041468: bookworm-pu: package hnswlib/0.6.2-2+deb12u1

2023-07-22 Thread Jonathan Wiltshire
Control: tag -1 confirmed

On Wed, Jul 19, 2023 at 12:04:04PM +0200, Étienne Mollier wrote:
> hnswlib is affected by CVE-2023-37365 marked no-dsa, documented
> through the important bug #1041426.  Quoting the CVE for short:
> hnswlib has a double free in init_index when the M argument is a
> large integer.

Please go ahead,

Thanks,


-- 
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1



Bug#1041468: bookworm-pu: package hnswlib/0.6.2-2+deb12u1

2023-07-19 Thread Étienne Mollier
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: hnsw...@packages.debian.org
Control: affects -1 + src:hnswlib

Hi Stable Release Managers,

[ Reason ]
hnswlib is affected by CVE-2023-37365 marked no-dsa, documented
through the important bug #1041426.  Quoting the CVE for short:
hnswlib has a double free in init_index when the M argument is a
large integer.

[ Impact ]
Users of hnswlib may encounter double-free crashes when
specifying random values of the M parameter to the software.

[ Tests ]
I verified the package built in a clean bookworm chroot, then
verified there were no autopkgtest regressions in bookworm, then
verified manually that the reproducer did trigger the crash with
the current version in bookworm, and finally that the patched
version did not trigger the crash anymore, but instead raised
the warning message appropriately.

[ Risks ]
There is little risk as the change is relatively straightforward,
but users who might like to set off-specification values of the
M parameter may run into the self-imposed limitation.  M is
documented to have values that make sense in a range from 2 to
100, and the patch sets a hard limit at 1 per upstream
recommendation.

[ Checklist ]
  [*] *all* changes are documented in the d/changelog
  [*] I reviewed all changes and I approve them
  [*] attach debdiff against the package in stable
  [*] the issue is verified as fixed in unstable

[ Changes ]
Changes mostly consist in applying a version of the patch
discussed with upstream[1] ported to hnswlib 0.6.2-2 in
bookworm.  Instead of forwarding the value of the argument M
as-is, the code now checks for the value to be less than 1
before applying.  If the value is larger, then it is capped and
the library issues a warning.

[1]: https://github.com/nmslib/hnswlib/pull/484

[ Other info ]
It might have made sense to also set a check for M == 1, as it
will result in a crash, probably not as serious as the double
free though:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
RuntimeError: Not enough memory: addPoint failed to allocate linklist

M == 0 looks to behave, or has a special meaning.  In doubt, I
prefer leaving as-is.

Last info, lintian loudly complained about the distribution field,
but looking at the Developer's Reference, the field seemed good,
so if there is anything I need to change, don't hesitate to
tell:

E: hnswlib changes: bad-distribution-in-changes-file bookworm

Have a nice day,  :)
-- 
  .''`.  Étienne Mollier 
 : :' :  gpg: 8f91 b227 c7d6 f2b1 948c  8236 793c f67e 8f0d 11da
 `. `'   sent from /dev/pts/4, please excuse my verbosity
   `-on air: Chroma Key - Human Love
diff -Nru hnswlib-0.6.2/debian/changelog hnswlib-0.6.2/debian/changelog
--- hnswlib-0.6.2/debian/changelog  2022-10-12 16:11:36.0 +0200
+++ hnswlib-0.6.2/debian/changelog  2023-07-19 10:27:07.0 +0200
@@ -1,3 +1,12 @@
+hnswlib (0.6.2-2+deb12u1) bookworm; urgency=medium
+
+  * Team upload.
+  * cve-2023-37365.patch: new: fix CVE-2023-37365.
+This is done by capping M to 1 per discussion with upstream.
+(Closes: #1041426)
+
+ -- Étienne Mollier   Wed, 19 Jul 2023 10:27:07 +0200
+
 hnswlib (0.6.2-2) unstable; urgency=medium
 
   * Team upload.
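Review bot: the continuation lines of the new bullet ("This is done by capping M to 1 per discussion with upstream." and "(Closes: #1041426)") appear here without the four-space indentation that changelog continuation lines need under a bullet; confirm the actual debian/changelog indents them, as the debdiff quoted in the mail may have lost leading whitespace. The distribution field `bookworm` is the right target for a stable update per the Developer's Reference, so the lintian `bad-distribution-in-changes-file` complaint mentioned in the mail needs no change to this entry.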
diff -Nru hnswlib-0.6.2/debian/patches/cve-2023-37365.patch 
hnswlib-0.6.2/debian/patches/cve-2023-37365.patch
--- hnswlib-0.6.2/debian/patches/cve-2023-37365.patch   1970-01-01 
01:00:00.0 +0100
+++ hnswlib-0.6.2/debian/patches/cve-2023-37365.patch   2023-07-19 
10:24:55.0 +0200
@@ -0,0 +1,40 @@
+Description: hnswalg.h: cap M to 1 (CVE-2023-37365)
+ This patch works around issue nmslib#467, also referenced as CVE-2023-37365,
+ by implementing Yury Malkov's suggestion about capping the M value,
+ coding the maximum number of outgoing connections in the graph, to a
+ reasonable enough value of the order of 1.  For the record, the
+ documentation indicates reasonable values for M range from 2 to 100,
+ which are well within the cap; see ALGO_PARAMS.md.
+ .
+ The reproducer shown in issue nmslib#467 doesn't trigger the double free
+ condition anymore after this change is applied, but completes
+ successfully, although with the below warning popping up on purpose:
+ .
+  warning: M parameter exceeds 1 which may lead to adverse effects.
+   Cap to 1 will be applied for the rest of the processing.
+
+Author: Étienne Mollier 
+Bug: https://github.com/nmslib/hnswlib/issues/467
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1041426
+Forwarded: https://github.com/nmslib/hnswlib/pull/484
+Reviewed-by: Yury Malkov 
+Last-Update: 2023-07-19
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- hnswlib.orig/hnswlib/hnswalg.h
 hnswlib/hnswlib/hnswalg.h
+@@ -33,7 +33,13 @@
+ data_size_ = s->get_data_size();
+ fstdistfunc_ = s->get_dist_func();
+
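Review bot: the hnswalg.h hunk header `@@ -33,7 +33,13 @@` announces six added lines, but the quoted debdiff ends right after the context lines `data_size_ = s->get_data_size();` and `fstdistfunc_ = s->get_dist_func();`, so the actual check (comparison against the cap, the warning, the assignment to M) cannot be reviewed from what is shown; please post the complete patch. The `+++` target line of the embedded diff also appears as ` hnswlib/hnswlib/hnswalg.h` without its `++++` prefix, which quilt would reject, so verify debian/patches/cve-2023-37365.patch is intact. Finally, the DEP-3 description says the cap is "of the order of 1" while citing ALGO_PARAMS.md for a sensible M range of 2 to 100, and the mail itself notes that M == 1 crashes in addPoint; the cap value stated in the description, in the warning text and in the code should be checked for consistency before upload.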