Control: found -1 2.7.1+dfsg-5

Hi Dirk,

Impressive response time ;-)

On Mon, Oct 28, 2024 at 04:12:56PM -0500, Dirk Eddelbuettel wrote:
> 
> Hi Salvatore,
> 
> On 28 October 2024 at 21:55, Salvatore Bonaccorso wrote:
> | Source: gsl
> | Version: 2.8+dfsg-3
> | Severity: important
> | Tags: security upstream
> | Forwarded: https://lists.gnu.org/archive/html/bug-gsl/2024-09/msg00000.html
> | X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
> | 
> | Hi,
> | 
> | The following vulnerability was published for gsl.
> | 
> | CVE-2024-50610[0]:
> | | GSL (GNU Scientific Library) through 2.8 has an integer signedness
> | | error in gsl_siman_solve_many in siman/siman.c. When params.n_tries
> | | is negative, incorrect memory allocation occurs.
> 
> Will do, and will try to coordinate with upstream who have not yet
> reacted. The same two researchers also reported in the bug-gsl list in
> September, no follow-up. [ Oh I see you have that message linked above too. ] 

Right, the CVE popped up in today's new CVEs in the CVE feeds once we
triaged the new CVEs.

> | If you fix the vulnerability please also make sure to include the
> | CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> Will do.

Thanks!
>
> | For further information see:
> | 
> | [0] https://security-tracker.debian.org/tracker/CVE-2024-50610
> |     https://www.cve.org/CVERecord?id=CVE-2024-50610
> | [1] https://lists.gnu.org/archive/html/bug-gsl/2024-09/msg00000.html
> | 
> | Please adjust the affected versions in the BTS as needed.
> 
> I am a little fuzzy on that. The savannah link to the source file shows that
> siman.c has not been updated in years so I guess we would need to update
> stable too?

I have updated the meta-data with the control command above. About the
stable update: I do not think this warrants a security update via a
DSA, but if you have a fix for stable as well, it might be included in
the next point release. This is happening on 9th November, and the window
for uploads to stable closes the upcoming weekend, so if you have some
spare cycles to prepare that update as well that would obviously be
great. Otherwise I do not think the issue has much urgency (correct me
if you think I'm wrong).

https://lists.debian.org/debian-release/2024/10/msg00151.html

> Then again, it's one of many (optional) optimization routines in GSL so ...
> But if the security team feels we need to update all versions I can look into
> that / help with that.  Would be best to double-check with you or someone
> else, I don't get to touch stable all that often and am likely rusty on
> details.

Again *if* you have spare cycles and can prepare an update for stable
to be included in the next point release, the following highlights the
procedure:

https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#special-case-uploads-to-the-stable-and-oldstable-distributions

Let me know if you need anything else from me.

Regards,
Salvatore
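Added illustration of the bug class named in the quoted CVE text (a signed count such as params.n_tries going negative before it sizes an allocation); this is example code written for this page, not the GSL siman.c source, and the helper names and the use of sizeof(double) as the element size are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Unchecked pattern, in the spirit of the reported signedness error:
 * the int is converted to size_t before the multiplication, so a
 * negative count becomes a huge, wrapped byte count instead of an error.
 * (Constructed illustration, not the GSL code.) */
size_t unchecked_alloc_size(int n_tries, size_t element_size)
{
    return n_tries * element_size;
}

/* Hardened version: reject non-positive counts and multiplication
 * overflow before the value ever reaches malloc(). Returns 0 when the
 * request is rejected, otherwise the byte count (never 0 on success). */
size_t checked_alloc_size(int n_tries, size_t element_size)
{
    if (n_tries <= 0 || element_size == 0)
        return 0;                           /* negative or empty request */
    if ((size_t)n_tries > SIZE_MAX / element_size)
        return 0;                           /* count * size would wrap */
    return (size_t)n_tries * element_size;
}

int main(void)
{
    size_t bytes;

    /* Constructed inputs: a negative n_tries and a sane one. */
    printf("unchecked: n_tries=-1 -> %zu bytes\n",
           unchecked_alloc_size(-1, sizeof(double)));

    bytes = checked_alloc_size(-1, sizeof(double));
    if (bytes == 0)
        puts("checked: n_tries=-1 rejected before allocation");

    bytes = checked_alloc_size(10, sizeof(double));
    printf("checked: n_tries=10 -> %zu bytes\n", bytes);
    return 0;
}
```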
