Hi Salvatore,

On 28 October 2024 at 21:55, Salvatore Bonaccorso wrote:
| Source: gsl
| Version: 2.8+dfsg-3
| Severity: important
| Tags: security upstream
| Forwarded: https://lists.gnu.org/archive/html/bug-gsl/2024-09/msg00000.html
| X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
| 
| Hi,
| 
| The following vulnerability was published for gsl.
| 
| CVE-2024-50610[0]:
| | GSL (GNU Scientific Library) through 2.8 has an integer signedness
| | error in gsl_siman_solve_many in siman/siman.c. When params.n_tries
| | is negative, incorrect memory allocation occurs.

Will do, and will try to coordinate with upstream who have not yet
reacted. The same two researchers also reported in the bug-gsl list in
September, no follow-up. [ Oh I see you have that message linked above too. ] 
 
| If you fix the vulnerability please also make sure to include the
| CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

Will do.
 
| For further information see:
| 
| [0] https://security-tracker.debian.org/tracker/CVE-2024-50610
|     https://www.cve.org/CVERecord?id=CVE-2024-50610
| [1] https://lists.gnu.org/archive/html/bug-gsl/2024-09/msg00000.html
| 
| Please adjust the affected versions in the BTS as needed.

I am a little fuzzy on that. The savannah link to the source file shows that
siman.c has not been updated in years so I guess we would need to update
stable too?

Then again, it's one of many (optional) optimization routines in GSL so ...
But if the security team feels we need to update all versions I can look into
that / help with that.  Would be best to double-check with you or someone
else, I don't get to touch stable all that often and am likely rusty on
details.

Cheers, Dirk

-- 
dirk.eddelbuettel.com | @eddelbuettel | e...@debian.org
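The CVE text quoted above describes an integer signedness error: a negative `params.n_tries` reaching an allocation size computation. The following is an added illustration, not code from GSL or from anyone in this thread, of why that class of bug produces an incorrect allocation and what the guard looks like. The struct and function names (`siman_params_t`, `naive_bytes`, `checked_bytes`, `alloc_tries`) are assumptions modelled on the description, not GSL's actual declarations.

```c
/* Added illustration (not GSL's code): a signed count feeding an unsigned
 * allocation size, beside a guarded version that rejects it.
 * Names below are assumptions, not gsl_siman_params_t or siman.c. */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <limits.h>

typedef struct { int n_tries; } siman_params_t;   /* assumed shape */

/* Unchecked pattern: the int count is converted to size_t and multiplied.
 * A negative value wraps to a huge unsigned number near SIZE_MAX, so the
 * byte count bears no relation to what the caller intended. */
size_t naive_bytes(int n_tries, size_t elem_size)
{
    return (size_t)n_tries * elem_size;
}

/* Guarded version: reject non-positive counts before any conversion, then
 * check the multiplication itself for overflow. Returns the byte count,
 * or 0 when the parameters are rejected (0 is never a valid result here). */
size_t checked_bytes(int n_tries, size_t elem_size)
{
    if (n_tries <= 0 || elem_size == 0)
        return 0;
    if ((size_t)n_tries > SIZE_MAX / elem_size)
        return 0;
    return (size_t)n_tries * elem_size;
}

/* Allocate only after validation; NULL means the request was rejected
 * (or malloc itself failed). */
void *alloc_tries(const siman_params_t *p, size_t elem_size)
{
    size_t bytes = checked_bytes(p->n_tries, elem_size);
    if (bytes == 0)
        return NULL;
    return malloc(bytes);
}

int main(void)
{
    siman_params_t bad = { -1 };   /* constructed input: negative n_tries */
    siman_params_t ok  = { 10 };

    printf("naive size for n_tries=-1, 8-byte elements: %zu\n",
           naive_bytes(bad.n_tries, 8));

    void *p = alloc_tries(&bad, 8);
    printf("guarded allocation for n_tries=-1: %s\n",
           p ? "allocated" : "rejected");
    free(p);

    p = alloc_tries(&ok, 8);
    printf("guarded allocation for n_tries=10: %s\n",
           p ? "allocated" : "rejected");
    free(p);
    return 0;
}
```

The point for review or detection is the first conversion: once a signed parameter has been cast to `size_t`, a later "is it too big" check can no longer tell a negative input from a legitimately large one, so the sign check has to happen on the original `int`.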
