lapack: CVE-2021-4048


Debian Bug report logs - #1001902

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 18 Dec 2021 17:03:02 UTC

Severity: important

Tags: security, upstream

Found in version lapack/3.10.0-1

Fixed in version lapack/3.10.0-2

Done: Anton Gladky <gladk@debian.org>

Forwarded to https://github.com/Reference-LAPACK/lapack/pull/625


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>:
Bug#1001902; Package src:lapack. (Sat, 18 Dec 2021 17:03:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>. (Sat, 18 Dec 2021 17:03:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: lapack: CVE-2021-4048
Date: Sat, 18 Dec 2021 17:59:53 +0100
Source: lapack
Version: 3.10.0-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/Reference-LAPACK/lapack/pull/625
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for lapack.

CVE-2021-4048[0]:
| An out-of-bounds read flaw was found in the CLARRV, DLARRV, SLARRV,
| and ZLARRV functions in lapack through version 3.10.0, as also used in
| OpenBLAS before version 0.3.18. Specially crafted inputs passed to
| these functions could cause an application using lapack to crash or
| possibly disclose portions of its memory.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-4048
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4048
[1] https://github.com/Reference-LAPACK/lapack/pull/625
[2] https://github.com/Reference-LAPACK/lapack/commit/38f3eeee3108b18158409ca2a100e6fe03754781

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Reply sent to Anton Gladky <gladk@debian.org>:
You have taken responsibility. (Sat, 18 Dec 2021 18:51:06 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 18 Dec 2021 18:51:07 GMT)


Message #10 received at 1001902-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1001902-close@bugs.debian.org
Subject: Bug#1001902: fixed in lapack 3.10.0-2
Date: Sat, 18 Dec 2021 18:48:49 +0000
Source: lapack
Source-Version: 3.10.0-2
Done: Anton Gladky <gladk@debian.org>

We believe that the bug you reported is fixed in the latest version of
lapack, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1001902@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Anton Gladky <gladk@debian.org> (supplier of updated lapack package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sat, 18 Dec 2021 19:02:36 +0100
Source: lapack
Architecture: source
Version: 3.10.0-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>
Changed-By: Anton Gladky <gladk@debian.org>
Closes: 1001902
Changes:
 lapack (3.10.0-2) unstable; urgency=medium
 .
   * Team upload.
   * [8d2c868] CVE-2021-4048. Fix out-of-bounds read flaw. (Closes: #1001902)
   * [3977090] Trim trailing whitespace.
   * [3a33ecf] Use secure URI in Homepage field.
   * [4c1aef3] Update renamed lintian tag names in lintian overrides.
   * [409fef7] Apply cme fix dpkg




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Dec 19 14:40:00 2021; Machine Name: buxtehude