Hi Salvatore,
Looks like we emailed concurrently :) (or concurrently enough for my batched mail setup).

On 26 September 2023 at 14:19, Salvatore Bonaccorso wrote:
| Hi Dirk,
|
| On Tue, Sep 26, 2023 at 06:54:31AM -0500, Dirk Eddelbuettel wrote:
| >
| > On 25 September 2023 at 20:58, Salvatore Bonaccorso wrote:
| > | Source: gsl
| > | Version: 2.7.1+dfsg-5
| >            ^^^^^^^^^^^^
| > | Severity: important
| > | Tags: security upstream
| > | Forwarded: https://savannah.gnu.org/bugs/?59624
| > | X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
| > | Control: found -1 2.6+dfsg-2
| > |
| > | Hi,
| > |
| > | The following vulnerability was published for gsl.
| > |
| > | CVE-2020-35357[0]:
| > | | A buffer overflow can occur when calculating the quantile value
| > | | using the Statistics Library of GSL (GNU Scientific Library),
| > | | versions 2.5 and 2.6. Processing a maliciously crafted input data
| >       ^^^^^^^^^^^^
| >
| > I presume this is still true? Is the '2020' in the CVE for the year this is from?
|
| I did check the source and unless I made a mistake in checking then yes
| the issue is unfixed up to 2.7.1+dfsg-5 yet, and [2] applies.

I found (thanks to your diligent links) the better upstream fix that will be in 2.8 and used that.

| > [ I see now at [0] that it spreads 2.6 and 2.7. Out of curiosity, who did
| > the fix for buster (security) and when ? ]
|
| For buster: https://tracker.debian.org/news/1465169/accepted-gsl-25dfsg-6deb10u1-source-into-oldoldstable/

Ack. And that was only days ago so I wasn't asleep at the wheel here.

| > | | for gsl_stats_quantile_from_sorted_data of the library may lead to
| > | | unexpected application termination or arbitrary code execution.
| > |
| > |
| > | If you fix the vulnerability please also make sure to include the
| > | CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
| >
| > I'll try. I think this is only the second CVE case in my nearly 30 years in Debian.
|
| Thanks.
| Note the issue does not really warrant a DSA, I had two goals

Agreed.

| with filing the bug: make you aware of the CVE assignment so the
| issue can be fixed first in unstable and the fix land in trixie. For
| bookworm and bullseye if you have spare cycles the fix might land in a
| point release (there is one upcoming, but the window for uploads
| closing the upcoming weekend).

I am a bit on the fence as to whether it is needed but I suppose the change in -6 would apply 'as is'.

| > So the debian/changelog entry needs to contain the string 'CVE-2020-35357' -- correct?
|
| Yes that is good.

Perfect. I used that.

Cheers, Dirk

--
dirk.eddelbuettel.com | @eddelbuettel | e...@debian.org
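The thread above only states that gsl_stats_quantile_from_sorted_data can overflow a buffer; it does not describe the mechanism. The following is an added example, not GSL's code and not part of the mail exchange. It assumes the usual shape of such a routine: the quantile position is index = f * (n - 1), and a two-point interpolation between elements lhs = floor(index) and lhs + 1 reads one element past the end of the array whenever lhs is already the last element (f == 1.0, or n == 1). The function names, the sample arrays and the boundary clamp are mine; the example shows the check a defender wants (does the naive formula step past the array?) and a hardened routine that never performs that read.

```c
#include <math.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sample inputs (not from the mail or from GSL). */
const double sample_sorted[5]  = { 1.0, 2.0, 3.0, 4.0, 5.0 };
/* Sorted values 1,2,3 interleaved with padding, read with stride 2. */
const double sample_strided[6] = { 1.0, 9.0, 2.0, 9.0, 3.0, 9.0 };

/* Report whether the naive interpolation would read element lhs + 1 with
 * lhs + 1 >= n. Purely arithmetic: no array is touched, so it is safe to
 * call with any n and f. Assumed defect class, as stated in the lead-in. */
int naive_interp_reads_past_end(size_t n, double f)
{
    if (n == 0)
        return 0;
    double index = f * (double)(n - 1);
    size_t lhs = (size_t)index;
    return (lhs + 1 >= n) ? 1 : 0;
}

/* Hardened quantile on already-sorted data with element stride `stride`.
 * Rejects out-of-range f or a zero stride with NAN, returns 0.0 for empty
 * input, and never reads lhs + 1 when lhs is already the last element. */
double safe_quantile_from_sorted_data(const double *sorted, size_t stride,
                                      size_t n, double f)
{
    if (f < 0.0 || f > 1.0 || stride == 0)
        return NAN;                 /* caller error, surfaced rather than hidden */
    if (n == 0)
        return 0.0;

    double index = f * (double)(n - 1);
    size_t lhs = (size_t)index;
    double delta = index - (double)lhs;

    if (lhs + 1 >= n)               /* upper boundary: no right neighbour exists */
        return sorted[lhs * stride];

    return (1.0 - delta) * sorted[lhs * stride]
         + delta * sorted[(lhs + 1) * stride];
}

int main(void)
{
    size_t n = sizeof sample_sorted / sizeof sample_sorted[0];
    const double fs[] = { 0.0, 0.375, 0.5, 1.0 };
    for (size_t i = 0; i < sizeof fs / sizeof fs[0]; i++) {
        printf("f=%.3f naive-reads-past-end=%d quantile=%.3f\n", fs[i],
               naive_interp_reads_past_end(n, fs[i]),
               safe_quantile_from_sorted_data(sample_sorted, 1, n, fs[i]));
    }
    return 0;
}
```

The interesting case is f == 1.0: the naive formula lands on the last element with delta == 0 and still reads its non-existent right neighbour, which is exactly the kind of one-past-the-end read that a sanitizer build (`-fsanitize=address`) flags immediately. The hardened routine returns the last element directly in that case, so the result is unchanged for valid input and the out-of-bounds read disappears.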