On 25 September 2023 at 20:58, Salvatore Bonaccorso wrote:
| Source: gsl
| Version: 2.7.1+dfsg-5
           ^^^^^^^^^^^^
| Severity: important
| Tags: security upstream
| Forwarded: https://savannah.gnu.org/bugs/?59624
| X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
| Control: found -1 2.6+dfsg-2
| 
| Hi,
| 
| The following vulnerability was published for gsl.
| 
| CVE-2020-35357[0]:
| | A buffer overflow can occur when calculating the quantile value
| | using the Statistics Library of GSL (GNU Scientific Library),
| | versions 2.5 and 2.6. Processing a maliciously crafted input data
             ^^^^^^^^^^^^

I presume this is still true?  Is the '2020' in the CVE for the year this is 
from?

[ I see now at [0] that it spreads 2.6 and 2.7.  Out of curiosity, who did
the fix for buster (security) and when? ]

| | for gsl_stats_quantile_from_sorted_data of the library may lead to
| | unexpected application termination or arbitrary code execution.
| 
| 
| If you fix the vulnerability please also make sure to include the
| CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

I'll try. I think this is only the second CVE case in my nearly 30 years in 
Debian.

So the debian/changelog entry needs to contain the string 'CVE-2020-35357' -- 
correct?

Dirk

| For further information see:
| 
| [0] https://security-tracker.debian.org/tracker/CVE-2020-35357
|     https://www.cve.org/CVERecord?id=CVE-2020-35357
| [1] https://savannah.gnu.org/bugs/?59624
| [2] https://git.savannah.gnu.org/cgit/gsl.git/commit/?id=989a193268b963aa1047814f7f1402084fb7d859
| 
| Regards,
| Salvatore

-- 
dirk.eddelbuettel.com | @eddelbuettel | e...@debian.org