Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id <84bb5ff8312f749ebe536897993782bf35aa1977.camel@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1041475,
regarding bullseye-pu: package hnswlib/0.4.0-3+deb11u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
1041475: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1041475
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: bullseye-pu: package hnswlib/0.4.0-3+deb11u1
- From: Étienne Mollier <emollier@debian.org>
- Date: Wed, 19 Jul 2023 13:20:03 +0200
- Message-id: <ZLfG45MN8a0AGQcc@fusion>
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: hnswlib@packages.debian.org
Control: affects -1 + src:hnswlib

Hi,

[ Reason ]
hnswlib is affected by CVE-2023-37365 marked no-dsa, documented through the important bug #1041426. Quoting the CVE for short: hnswlib has a double free in init_index when the M argument is a large integer.

[ Impact ]
Users of hnswlib may encounter double-free crashes when specifying randomly the M parameters to the software.

[ Tests ]
I verified the package built in a clean bullseye chroot, then verified there were no autopkgtest regressions in bullseye, then verified manually that the reproducer did trigger the crash with the current version in bullseye, and finally that the patched version did not trigger the crash anymore, but instead raised the warning message appropriately.

[ Risks ]
There is little risk as the change is relatively straightforward, but users who might like to set off-specification values of the M parameter may run into the self-imposed limitation. M is documented to have values that make sense in a range from 2 to 100, and the patch sets a hard limit at 10000 per upstream recommendation.

[ Checklist ]
[*] *all* changes are documented in the d/changelog
[*] I reviewed all changes and I approve them
[*] attach debdiff against the package in oldstable
[*] the issue is verified as fixed in unstable

[ Changes ]
Changes mostly consist in applying a version of the patch discussed with upstream[1] ported to hnswlib 0.4.0-3 in bullseye. Instead of forwarding the value of the argument M as-is, the code now checks for the value to be less than 10000 before applying. If the value is larger, then it is capped and the library issues a warning.
[1]: https://github.com/nmslib/hnswlib/pull/484

[ Other info ]
It might have made sense to also set a check for M == 1, as it will result in a crash, probably not as serious as the double free though:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
RuntimeError: Not enough memory: addPoint failed to allocate linklist

M == 0 looks to behave, or has a special meaning. In doubt, I prefer leaving as-is.

I didn't notice lintian errors about the bullseye distribution, contrary to the bookworm side.

Have a nice day, :)
--
  .''`.  Étienne Mollier <emollier@debian.org>
 : :' :  gpg: 8f91 b227 c7d6 f2b1 948c 8236 793c f67e 8f0d 11da
 `. `'   sent from /dev/pts/4, please excuse my verbosity
   `-    on air: Mile Marker Zero - Reaping Tide

diff -Nru hnswlib-0.4.0/debian/changelog hnswlib-0.4.0/debian/changelog --- hnswlib-0.4.0/debian/changelog 2020-11-10 23:06:36.000000000 +0100 +++ hnswlib-0.4.0/debian/changelog 2023-07-19 11:07:28.000000000 +0200 @@ -1,3 +1,12 @@ +hnswlib (0.4.0-3+deb11u1) bullseye; urgency=medium + + * Team upload. + * cve-2023-37365.patch: new: fix CVE-2023-37365. + This is done by capping M to 10000 per discussion with upstream. + (Closes: #1041426) + + -- Étienne Mollier <emollier@debian.org> Wed, 19 Jul 2023 11:07:28 +0200 + hnswlib (0.4.0-3) unstable; urgency=medium * Team Upload. diff -Nru hnswlib-0.4.0/debian/patches/cve-2023-37365.patch hnswlib-0.4.0/debian/patches/cve-2023-37365.patch --- hnswlib-0.4.0/debian/patches/cve-2023-37365.patch 1970-01-01 01:00:00.000000000 +0100 +++ hnswlib-0.4.0/debian/patches/cve-2023-37365.patch 2023-07-19 11:04:35.000000000 +0200
@@ -0,0 +1,40 @@ +Description: hnswalg.h: cap M to 10000 (CVE-2023-37365) + This patch works around issue nmslib#467, also referenced as CVE-2023-37365, + by implementing Yury Malkov's suggestion about capping the M value, + coding the maximum number of outgoing connections in the graph, to a + reasonable enough value of the order of 10000. For the record, the + documentation indicates reasonable values for M range from 2 to 100, + which are well within the cap; see ALGO_PARAMS.md. + . + The reproducer shown in issue nmslib#467 doesn't trigger the double free + condition anymore after this change is applied, but completes + successfully, although with the below warning popping up on purpose: + . + warning: M parameter exceeds 10000 which may lead to adverse effects. + Cap to 10000 will be applied for the rest of the processing. + +Author: Étienne Mollier <emollier@debian.org> +Bug: https://github.com/nmslib/hnswlib/issues/467 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1041426 +Forwarded: https://github.com/nmslib/hnswlib/pull/484 +Reviewed-by: Yury Malkov <yurymalkov@mail.ru> +Last-Update: 2023-07-19 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- hnswlib.orig/hnswlib/hnswalg.h ++++ hnswlib/hnswlib/hnswalg.h +@@ -34,7 +34,13 @@ + data_size_ = s->get_data_size(); + fstdistfunc_ = s->get_dist_func(); + dist_func_param_ = s->get_dist_func_param(); +- M_ = M; ++ if ( M <= 10000 ) { ++ M_ = M; ++ } else { ++ std::cerr << "warning: M parameter exceeds 10000 which may lead to adverse effects." << std::endl; ++ std::cerr << " Cap to 10000 will be applied for the rest of the processing." 
<< std::endl; ++ M_ = 10000; ++ } + maxM_ = M_; + maxM0_ = M_ * 2; + ef_construction_ = std::max(ef_construction,M_); diff -Nru hnswlib-0.4.0/debian/patches/series hnswlib-0.4.0/debian/patches/series --- hnswlib-0.4.0/debian/patches/series 2020-11-10 23:06:16.000000000 +0100 +++ hnswlib-0.4.0/debian/patches/series 2023-07-19 11:04:05.000000000 +0200 @@ -2,3 +2,4 @@ noTwine.patch use-shared-while-linking.patch do-not-use-native-flags.patch +cve-2023-37365.patchAttachment: signature.asc
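Review bot: the debian/changelog hunk describes the fix only as "capping M to 10000" and does not mention that the library now prints a warning on stderr when the cap is applied; since that is the user-visible side of the change (and what the [ Tests ] section checks for), consider adding a short line such as "A warning is printed on stderr when the cap is applied." so users reading the changelog know why new output appears.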
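Review bot: in the hnswalg.h hunk the new else-branch writes to std::cerr, but the hunk adds no `#include <iostream>`; the visible context only shows std::max in use, so please confirm the header already includes <iostream> directly rather than building only because of an incidental transitive include. Two smaller points in the same hunk: the value 10000 is repeated three times (in `if ( M <= 10000 )`, in the message text and in `M_ = 10000;`), so a single named constant would keep the comparison, the assignment and the message from drifting apart; and the check bounds M only from above, while the cover letter itself notes that M == 1 still fails in addPoint, so this same spot is where a lower bound would go if a follow-up is wanted. The derived values `maxM0_ = M_ * 2` and `ef_construction_ = std::max(ef_construction,M_)` are computed from the capped M_, which is correct.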
Description: PGP signature
--- End Message ---
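As an added illustration (not code from the bug report and not hnswlib's own source), the following C++ helper mirrors the semantics of the debdiff above: values of M up to 10000 pass through unchanged, larger values are capped and a warning is produced, and the dependent parameters maxM_, maxM0_ and ef_construction_ are derived from the capped value. Unlike the patch, it returns the outcome to the caller instead of only writing to stderr, so a binding or test can check whether the cap was hit. The names validateM, deriveParams, MPolicy and GraphParams are assumptions introduced here; the member names M_, maxM_, maxM0_ and ef_construction_ and the warning text come from the hunk.

```cpp
// Added example, not hnswlib's code: parameter validation mirroring the
// cve-2023-37365.patch semantics (cap M at 10000, warn) with a caller-visible result.
#include <algorithm>
#include <cstddef>
#include <iostream>
#include <string>

// Upper bound used by the patch, as one named constant instead of a repeated literal.
constexpr std::size_t kMaxM = 10000;

// Outcome of validating the caller-supplied M (hypothetical type, not in hnswlib).
struct MPolicy {
    std::size_t m;        // effective M after validation
    bool capped;          // true when the requested value was reduced to kMaxM
    std::string warning;  // non-empty only when capped
};

// Same rule as the patch: M <= kMaxM is used as-is, anything larger is capped.
MPolicy validateM(std::size_t requested) {
    if (requested <= kMaxM) {
        return {requested, false, ""};
    }
    return {kMaxM, true,
            "warning: M parameter exceeds 10000 which may lead to adverse effects. "
            "Cap to 10000 will be applied for the rest of the processing."};
}

// Graph parameters the constructor derives from M_ (member names as in the hunk).
struct GraphParams {
    std::size_t M_;
    std::size_t maxM_;
    std::size_t maxM0_;
    std::size_t ef_construction_;
};

// Hypothetical wrapper: validate first, then derive every dependent value from the
// capped M_, so no derived parameter is ever computed from the raw request.
GraphParams deriveParams(std::size_t requestedM, std::size_t ef_construction) {
    MPolicy p = validateM(requestedM);
    if (p.capped) {
        std::cerr << p.warning << std::endl;  // same channel the patch uses
    }
    GraphParams g;
    g.M_ = p.m;
    g.maxM_ = g.M_;
    g.maxM0_ = g.M_ * 2;
    g.ef_construction_ = std::max(ef_construction, g.M_);
    return g;
}

int main() {
    // Constructed inputs: a documented in-range value (16) and an oversized one (2^20).
    GraphParams ok = deriveParams(16, 200);
    GraphParams big = deriveParams(1u << 20, 200);
    std::cout << "M=16   -> M_=" << ok.M_ << " maxM0_=" << ok.maxM0_
              << " ef_construction_=" << ok.ef_construction_ << '\n';
    std::cout << "M=2^20 -> M_=" << big.M_ << " maxM0_=" << big.maxM0_
              << " ef_construction_=" << big.ef_construction_ << '\n';
    return 0;
}
```

Compile with any C++11 compiler (for example `g++ -std=c++11 cap_m.cpp`); the second line of output shows the oversized request reduced to M_=10000, with maxM0_=20000 and ef_construction_ raised to 10000 because std::max now sees the capped value rather than the requested one.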
--- Begin Message ---
- To: 1007787-done@bugs.debian.org, 1007950-done@bugs.debian.org, 1013893-done@bugs.debian.org, 1028992-done@bugs.debian.org, 1032299-done@bugs.debian.org, 1034510-done@bugs.debian.org, 1034713-done@bugs.debian.org, 1034714-done@bugs.debian.org, 1034736-done@bugs.debian.org, 1035046-done@bugs.debian.org, 1035059-done@bugs.debian.org, 1035105-done@bugs.debian.org, 1035304-done@bugs.debian.org, 1035311-done@bugs.debian.org, 1035464-done@bugs.debian.org, 1035475-done@bugs.debian.org, 1035522-done@bugs.debian.org, 1035683-done@bugs.debian.org, 1035924-done@bugs.debian.org, 1036043-done@bugs.debian.org, 1036044-done@bugs.debian.org, 1036046-done@bugs.debian.org, 1036182-done@bugs.debian.org, 1036240-done@bugs.debian.org, 1036300-done@bugs.debian.org, 1036314-done@bugs.debian.org, 1036797-done@bugs.debian.org, 1036811-done@bugs.debian.org, 1036976-done@bugs.debian.org, 1037054-done@bugs.debian.org, 1037175-done@bugs.debian.org, 1037182-done@bugs.debian.org, 1037187-done@bugs.debian.org, 1037196-done@bugs.debian.org, 1037214-done@bugs.debian.org, 1037236-done@bugs.debian.org, 1038153-done@bugs.debian.org, 1038451-done@bugs.debian.org, 1038813-done@bugs.debian.org, 1038943-done@bugs.debian.org, 1039020-done@bugs.debian.org, 1039040-done@bugs.debian.org, 1039470-done@bugs.debian.org, 1039708-done@bugs.debian.org, 1039738-done@bugs.debian.org, 1039854-done@bugs.debian.org, 1039860-done@bugs.debian.org, 1039994-done@bugs.debian.org, 1040137-done@bugs.debian.org, 1040668-done@bugs.debian.org, 1040677-done@bugs.debian.org, 1040758-done@bugs.debian.org, 1040865-done@bugs.debian.org, 1040930-done@bugs.debian.org, 1040950-done@bugs.debian.org, 1041397-done@bugs.debian.org, 1041475-done@bugs.debian.org, 1042057-done@bugs.debian.org, 1043270-done@bugs.debian.org, 1049374-done@bugs.debian.org, 1050044-done@bugs.debian.org, 1050119-done@bugs.debian.org, 1050121-done@bugs.debian.org, 1050332-done@bugs.debian.org, 1050333-done@bugs.debian.org, 1050538-done@bugs.debian.org, 
1050573-done@bugs.debian.org, 1050638-done@bugs.debian.org, 1051051-done@bugs.debian.org, 1051339-done@bugs.debian.org, 1051508-done@bugs.debian.org, 1051884-done@bugs.debian.org, 1051902-done@bugs.debian.org, 1051937-done@bugs.debian.org, 1052027-done@bugs.debian.org, 1052082-done@bugs.debian.org, 1052150-done@bugs.debian.org, 1052222-done@bugs.debian.org, 1052288-done@bugs.debian.org, 1052363-done@bugs.debian.org, 1052402-done@bugs.debian.org, 1052420-done@bugs.debian.org, 1052552-done@bugs.debian.org, 1052611-done@bugs.debian.org, 1053177-done@bugs.debian.org, 1053220-done@bugs.debian.org, 1053240-done@bugs.debian.org, 1053270-done@bugs.debian.org, 1053271-done@bugs.debian.org, 1053290-done@bugs.debian.org, 1053522-done@bugs.debian.org
- Subject: Closing opu requests for updates included in 11.8
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 07 Oct 2023 12:41:28 +0100
- Message-id: <84bb5ff8312f749ebe536897993782bf35aa1977.camel@adam-barratt.org.uk>
Package: release.debian.org
Version: 11.8

Hi,

The updates referred to by each of these requests were included in today's 11.8 bullseye point release.

Regards,

Adam
--- End Message ---