
Bug#1108368: marked as done (llama.cpp: CVE-2025-52566)



Your message dated Fri, 27 Jun 2025 06:34:07 +0000
with message-id <E1uV2f1-005TK0-N0@fasolo.debian.org>
and subject line Bug#1108368: fixed in llama.cpp 5760+dfsg-1
has caused the Debian Bug report #1108368,
regarding llama.cpp: CVE-2025-52566
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1108368: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108368
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: llama.cpp
Version: 5713+dfsg-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for llama.cpp.

CVE-2025-52566[0]:
| llama.cpp is an inference of several LLM models in C/C++. Prior to
| version b5721, there is a signed vs. unsigned integer overflow in
| llama.cpp's tokenizer implementation (llama_vocab::tokenize)
| (src/llama-vocab.cpp:3036) resulting in unintended behavior in
| tokens copying size comparison. Allowing heap-overflowing llama.cpp
| inferencing engine with carefully manipulated text input during
| tokenization process. This issue has been patched in version b5721.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-52566
    https://www.cve.org/CVERecord?id=CVE-2025-52566
[1] https://github.com/ggml-org/llama.cpp/security/advisories/GHSA-7rxv-5jhh-j6xx
[2] https://github.com/ggml-org/llama.cpp/commit/dd6e6d0b6a4bbe3ebfc931d1eb14db2f2b1d70af

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
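The CVE text quoted in the report above describes a signed vs. unsigned mismatch in the size check that guards the token copy in llama_vocab::tokenize. The C block below is an added illustration of that bug class and of a hardened check; it is not llama.cpp's code and does not reproduce the exact upstream expression (the linked commit has that). The toy copy routine, the canary layout, and the names fits_unsafe, fits_unsafe_cast, fits_safe, copy_tokens and demo are assumptions made for this example.

```c
/*
 * Added example, not llama.cpp's code: the signed/unsigned bug class behind
 * CVE-2025-52566 (a capacity check guarding a token copy) beside a hardened
 * check. The toy copy routine, canary layout and all names are assumptions.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef int32_t token_id;                 /* assumption: 32-bit token ids */

/* Vulnerable shape 1: signed capacity compared with an unsigned count. The
 * usual arithmetic conversions turn the int32_t into size_t, so -1 becomes
 * SIZE_MAX and the check passes. Returns 1 when the copy is allowed. */
int fits_unsafe(int32_t n_tokens_max, size_t n_res) {
    return !(n_tokens_max < n_res);       /* gcc -Wsign-compare flags this */
}

/* Vulnerable shape 2: the unsigned count narrowed to int32_t. Counts above
 * INT32_MAX wrap negative (gcc/clang: modulo 2^32), so a tiny capacity
 * "fits" an enormous count. */
int fits_unsafe_cast(int32_t n_tokens_max, size_t n_res) {
    return !(n_tokens_max < (int32_t) n_res);
}

/* Hardened check: reject a negative capacity and a count that does not fit
 * the signed type first, then compare with both operands in size_t. */
int fits_safe(int32_t n_tokens_max, size_t n_res) {
    if (n_tokens_max < 0) return 0;
    if (n_res > (size_t) INT32_MAX) return 0;
    return (size_t) n_tokens_max >= n_res;
}

/* Harness: the caller's buffer is the first BUF_SLOTS of 'backing'; the
 * remaining CANARY_SLOTS hold a sentinel so an over-long copy lands there
 * instead of in undefined memory. */
enum { BUF_SLOTS = 4, CANARY_SLOTS = 8, BACKING = BUF_SLOTS + CANARY_SLOTS };
#define CANARY ((token_id) 0x5a5a5a5a)

int canary_intact(const token_id *backing) {
    for (int i = BUF_SLOTS; i < BACKING; i++)
        if (backing[i] != CANARY) return 0;
    return 1;
}

/* The copy behind the check, in the llama.cpp convention of returning the
 * negated token count when the buffer is too small. Nothing but 'fits'
 * bounds the copy loop. */
int32_t copy_tokens(int (*fits)(int32_t, size_t),
                    const token_id *res, size_t n_res,
                    token_id *backing, int32_t n_tokens_max) {
    if (n_res > BACKING) return INT32_MIN;  /* harness guard only */
    for (int i = BUF_SLOTS; i < BACKING; i++) backing[i] = CANARY;
    if (!fits(n_tokens_max, n_res)) return -(int32_t) n_res;
    for (size_t i = 0; i < n_res; i++) backing[i] = res[i];
    return (int32_t) n_res;
}

/* Scenario: six tokens (constructed), a 4-slot buffer, and a capacity that
 * went negative, e.g. a size_t narrowed to int32_t. Returns 1 if the canary
 * survived, 0 if the copy ran past the caller's buffer. */
int demo(int (*fits)(int32_t, size_t)) {
    const token_id res[6] = {101, 102, 103, 104, 105, 106};
    token_id backing[BACKING];
    int32_t bogus_cap = -1;
    int32_t n = copy_tokens(fits, res, 6, backing, bogus_cap);
    printf("check returned %d, canary %s\n", n,
           canary_intact(backing) ? "intact" : "CLOBBERED");
    return canary_intact(backing);
}

int main(void) {
    demo(fits_unsafe);
    demo(fits_safe);
    return 0;
}
```

Building with `-Wall -Wextra` makes gcc and clang report the mixed-sign comparison in fits_unsafe, which is the cheapest check for this class in a code base that passes int32_t sizes around a std::vector::size(). The cast variant produces no warning at all, which is why the hardened check converts in one direction only, after ruling out the negative and the over-wide operand.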
--- Begin Message ---
Source: llama.cpp
Source-Version: 5760+dfsg-1
Done: Christian Kastner <ckk@debian.org>

We believe that the bug you reported is fixed in the latest version of
llama.cpp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1108368@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Kastner <ckk@debian.org> (supplier of updated llama.cpp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 27 Jun 2025 07:55:00 +0200
Source: llama.cpp
Architecture: source
Version: 5760+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Deep Learning Team <debian-ai@lists.debian.org>
Changed-By: Christian Kastner <ckk@debian.org>
Closes: 1108368
Changes:
 llama.cpp (5760+dfsg-1) unstable; urgency=medium
 .
   * New upstream version 5760+dfsg (Closes: #1108368)
     - Includes a fix for CVE-2025-52566
   * Refactor/add missing copyrights for vendored code
   * Refresh patches
Checksums-Sha1:
 7446b3898a3f66a4472cc2ac97823dd99253552a 2010 llama.cpp_5760+dfsg-1.dsc
 382cf0de1ea76392d3f6e8fe035d764f2d0bf473 4916412 llama.cpp_5760+dfsg.orig.tar.xz
 ab2ec66a3c0e0053f59c0c85e1888c34d36dd93e 9100 llama.cpp_5760+dfsg-1.debian.tar.xz
 2a8a0a470c9220e0f35452e4594b088fc6a9cc78 6823 llama.cpp_5760+dfsg-1_source.buildinfo
Checksums-Sha256:
 240a3feae38a73ae870657342a0a62ce39ffe91cc628bee7fd0a52179f320094 2010 llama.cpp_5760+dfsg-1.dsc
 9970b00f8ab7b3ce0acbf890e1ba481059468a7353286a932023a22cbbec8c0a 4916412 llama.cpp_5760+dfsg.orig.tar.xz
 77a70044815c87e95da9c8e4ae776ad8a5ba533d3a6b01e32141d85e41706367 9100 llama.cpp_5760+dfsg-1.debian.tar.xz
 fc42538fa6b65c9e322778901f696e2426c69a45853f6b87d017d19b304deefa 6823 llama.cpp_5760+dfsg-1_source.buildinfo
Files:
 d254ffd252e1534dcc2e01d9b7abad70 2010 science optional llama.cpp_5760+dfsg-1.dsc
 1f04ac7eb903fe174f84f2a02d4e5c57 4916412 science optional llama.cpp_5760+dfsg.orig.tar.xz
 50416fe2749c4747664ad9d2338970ed 9100 science optional llama.cpp_5760+dfsg-1.debian.tar.xz
 86c420e1f36890cf98eb62ca76e47f76 6823 science optional llama.cpp_5760+dfsg-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
