On 25 September 2023 at 20:58, Salvatore Bonaccorso wrote:
| Source: gsl
| Version: 2.7.1+dfsg-5
           ^^^^^^^^^^^^
| Severity: important
| Tags: security upstream
| Forwarded: https://savannah.gnu.org/bugs/?59624
| X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
| Control: found -1 2.6+dfsg-2
|
| Hi,
|
| The following vulnerability was published for gsl.
|
| CVE-2020-35357[0]:
| | A buffer overflow can occur when calculating the quantile value
| | using the Statistics Library of GSL (GNU Scientific Library),
| | versions 2.5 and 2.6. Processing a maliciously crafted input data
      ^^^^^^^^^^^^

I presume this is still true? Is the '2020' in the CVE for the year this is from?

[ I see now at [0] that it spreads 2.6 and 2.7. Out of curiosity, who did the fix for buster (security) and when? ]

| | for gsl_stats_quantile_from_sorted_data of the library may lead to
| | unexpected application termination or arbitrary code execution.
|
| If you fix the vulnerability please also make sure to include the
| CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

I'll try. I think this is only the second CVE case in my nearly 30 years in Debian.

So the debian/changelog entry needs to contain the string 'CVE-2020-35357' -- correct?

Dirk

| For further information see:
|
| [0] https://security-tracker.debian.org/tracker/CVE-2020-35357
|     https://www.cve.org/CVERecord?id=CVE-2020-35357
| [1] https://savannah.gnu.org/bugs/?59624
| [2] https://git.savannah.gnu.org/cgit/gsl.git/commit/?id=989a193268b963aa1047814f7f1402084fb7d859
|
| Regards,
| Salvatore

-- 
dirk.eddelbuettel.com | @eddelbuettel | e...@debian.org