Bug#1102135: marked as done (bookworm-pu: package abseil/20220623.1-1+deb12u1)

["Debian Bug Tracking System" <owner@bugs.debian.org>]

Your message dated Sat, 17 May 2025 09:37:57 +0000
with message-id <E1uGDzR-005KGA-9i@coccia.debian.org>
and subject line Close 1102135
has caused the Debian Bug report #1102135,
regarding bookworm-pu: package abseil/20220623.1-1+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1102135: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1102135
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: bookworm-pu: package abseil/20220623.1-1+deb12u1
• From: Tobias Frost <tobi@debian.org>
• Date: Sat, 05 Apr 2025 16:25:51 +0200
• Message-id: <174386315165.474037.16280830826169088919.reportbug@isildor2.loewenhoehle.ip>

Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: abseil@packages.debian.org, abseil@packages.debian.org
Control: affects -1 + src:abseil
User: release.debian.org@packages.debian.org
Usertags: pu

(Please provide enough information to help the release team
to judge the request efficiently. E.g. by filling in the
sections below.)

[ Reason ]

This is a backport for the fix for CVE-2025-0838, which I've previously
fixed for sid (#1098903) and for LTS (DLA-4116-1).

To close the gap for bookworm, I'd like to s-p-u the package.

[ Impact ]

Users upgrading from bullseye to bookworm will have regression in
terms of this vulnerbility.

[ Tests ]

The source package comes with a test suite, the vulnerablity has also
its own test suite.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

Backport of the upstream patch, origin:
https://github.com/abseil/abseil-cpp/commit/5a0e2cb5e3958dd90bb8569a2766622cb74d90c1

diff -Nru abseil-20220623.1/debian/changelog abseil-20220623.1/debian/changelog
--- abseil-20220623.1/debian/changelog	2022-10-18 16:02:49.000000000 +0200
+++ abseil-20220623.1/debian/changelog	2025-04-05 16:09:38.000000000 +0200
@@ -1,3 +1,11 @@
+abseil (20220623.1-1+deb12u1) bookworm; urgency=medium
+
+  * Non maintainer upload by the LTS Team.
+  * Backport fix for CVE-2025-0838 - Heap buffer overflow vulnerablity
+    (Closes: #1098903) 
+
+ -- Tobias Frost <tobi@debian.org>  Sat, 05 Apr 2025 16:09:38 +0200
+
 abseil (20220623.1-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru abseil-20220623.1/debian/patches/CVE-2025-0838.patch abseil-20220623.1/debian/patches/CVE-2025-0838.patch
--- abseil-20220623.1/debian/patches/CVE-2025-0838.patch	1970-01-01 01:00:00.000000000 +0100
+++ abseil-20220623.1/debian/patches/CVE-2025-0838.patch	2025-04-05 16:09:32.000000000 +0200
@@ -0,0 +1,162 @@
+Description: CVE-2025-0838 - Heap buffer overflow vulnerable in Abseil-cpp
+ Backported for bookworm from upstream.
+Origin: https://github.com/abseil/abseil-cpp/commit/5a0e2cb5e3958dd90bb8569a2766622cb74d90c1
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098903
+
+From 5a0e2cb5e3958dd90bb8569a2766622cb74d90c1 Mon Sep 17 00:00:00 2001
+From: Derek Mauro <dmauro@google.com>
+Date: Thu, 23 Jan 2025 06:33:43 -0800
+Subject: [PATCH] Fix potential integer overflow in hash container
+ create/resize
+
+The sized constructors, reserve(), and rehash() methods of
+absl::{flat,node}_hash_{set,map} did not impose an upper bound on
+their size argument. As a result, it was possible for a caller to pass
+a very large size that would cause an integer overflow when computing
+the size of the container's backing store. Subsequent accesses to the
+container might then access out-of-bounds memory.
+
+The fix is in two parts:
+
+1) Update max_size() to return the maximum number of items that can be
+stored in the container
+
+2) Validate the size arguments to the constructors, reserve(), and
+rehash() methods, and abort the program when the argument is invalid
+
+We've looked at uses of these containers in Google codebases like
+Chrome, and determined this vulnerability is likely to be difficult to
+exploit. This is primarily because container sizes are rarely
+attacker-controlled.
+
+The bug was discovered by Dmitry Vyukov <dvyukov@google.com>.
+
+PiperOrigin-RevId: 718841870
+Change-Id: Ic09dc9de140a35dbb45ab9d90f58383cf2de8286
+---
+ absl/container/internal/raw_hash_set.cc      |  5 ++++
+ absl/container/internal/raw_hash_set.h       | 26 +++++++++++++++++++-
+ absl/container/internal/raw_hash_set_test.cc |  8 ++++++
+ 3 files changed, 38 insertions(+), 1 deletion(-)
+
+--- a/absl/container/internal/raw_hash_set.cc
++++ b/absl/container/internal/raw_hash_set.cc
+@@ -13,6 +13,7 @@
+ // limitations under the License.
+ 
+ #include "absl/container/internal/raw_hash_set.h"
++#include "absl/base/internal/raw_logging.h"
+ 
+ #include <atomic>
+ #include <cstddef>
+@@ -66,6 +67,10 @@
+ // Extern template instantiotion for inline function.
+ template FindInfo find_first_non_full(const ctrl_t*, size_t, size_t);
+ 
++void HashTableSizeOverflow() {
++  ABSL_RAW_LOG(FATAL, "Hash table size overflow");
++}
++
+ }  // namespace container_internal
+ ABSL_NAMESPACE_END
+ }  // namespace absl
+--- a/absl/container/internal/raw_hash_set.h
++++ b/absl/container/internal/raw_hash_set.h
+@@ -219,6 +219,15 @@
+ ABSL_NAMESPACE_BEGIN
+ namespace container_internal {
+ 
++#ifdef ABSL_SWISSTABLE_ASSERT
++#error ABSL_SWISSTABLE_ASSERT cannot be directly set
++#else
++// We use this macro for assertions that users may see when the table is in an
++// invalid state that sanitizers may help diagnose.
++#define ABSL_SWISSTABLE_ASSERT(CONDITION) \
++  assert((CONDITION) && "Try enabling sanitizers.")
++#endif
++
+ template <typename AllocType>
+ void SwapAlloc(AllocType& lhs, AllocType& rhs,
+                std::true_type /* propagate_on_container_swap */) {
+@@ -745,6 +754,15 @@
+   return n ? ~size_t{} >> countl_zero(n) : 1;
+ }
+ 
++template <size_t kSlotSize>
++size_t MaxValidCapacity() {
++  return NormalizeCapacity((std::numeric_limits<size_t>::max)() / 4 /
++                           kSlotSize);
++}
++
++// Use a non-inlined function to avoid code bloat.
++[[noreturn]] void HashTableSizeOverflow();
++
+ // General notes on capacity/growth methods below:
+ // - We use 7/8th as maximum load factor. For 16-wide groups, that gives an
+ //   average of two empty slots per group.
+@@ -1148,6 +1166,10 @@
+       : ctrl_(EmptyGroup()),
+         settings_(0, HashtablezInfoHandle(), hash, eq, alloc) {
+     if (bucket_count) {
++      if (ABSL_PREDICT_FALSE(bucket_count >
++                             MaxValidCapacity<sizeof(slot_type)>())) {
++        HashTableSizeOverflow();
++      }
+       capacity_ = NormalizeCapacity(bucket_count);
+       initialize_slots();
+     }
+@@ -1341,7 +1363,9 @@
+   bool empty() const { return !size(); }
+   size_t size() const { return size_; }
+   size_t capacity() const { return capacity_; }
+-  size_t max_size() const { return (std::numeric_limits<size_t>::max)(); }
++  size_t max_size() const {
++    return CapacityToGrowth(MaxValidCapacity<sizeof(slot_type)>());
++  }
+ 
+   ABSL_ATTRIBUTE_REINITIALIZES void clear() {
+     // Iterating over this container is O(bucket_count()). When bucket_count()
+@@ -1678,6 +1702,9 @@
+     auto m = NormalizeCapacity(n | GrowthToLowerboundCapacity(size()));
+     // n == 0 unconditionally rehashes as per the standard.
+     if (n == 0 || m > capacity_) {
++      if (ABSL_PREDICT_FALSE(m > MaxValidCapacity<sizeof(slot_type)>())) {
++        HashTableSizeOverflow();
++      }
+       resize(m);
+ 
+       // This is after resize, to ensure that we have completed the allocation
+@@ -1688,6 +1715,9 @@
+ 
+   void reserve(size_t n) {
+     if (n > size() + growth_left()) {
++      if (ABSL_PREDICT_FALSE(n > max_size())) {
++        HashTableSizeOverflow();
++      }
+       size_t m = GrowthToLowerboundCapacity(n);
+       resize(NormalizeCapacity(m));
+ 
+@@ -2361,5 +2391,6 @@
+ }  // namespace absl
+ 
+ #undef ABSL_INTERNAL_ASSERT_IS_FULL
++#undef ABSL_SWISSTABLE_ASSERT
+ 
+ #endif  // ABSL_CONTAINER_INTERNAL_RAW_HASH_SET_H_
+--- a/absl/container/internal/raw_hash_set_test.cc
++++ b/absl/container/internal/raw_hash_set_test.cc
+@@ -2181,6 +2181,14 @@
+   }
+ }
+ 
++TEST(Table, MaxSizeOverflow) {
++  size_t overflow = (std::numeric_limits<size_t>::max)();
++  EXPECT_DEATH_IF_SUPPORTED(IntTable t(overflow), "Hash table size overflow");
++  IntTable t;
++  EXPECT_DEATH_IF_SUPPORTED(t.reserve(overflow), "Hash table size overflow");
++  EXPECT_DEATH_IF_SUPPORTED(t.rehash(overflow), "Hash table size overflow");
++}
++
+ }  // namespace
+ }  // namespace container_internal
+ ABSL_NAMESPACE_END
diff -Nru abseil-20220623.1/debian/patches/series abseil-20220623.1/debian/patches/series
--- abseil-20220623.1/debian/patches/series	2022-08-31 04:42:20.000000000 +0200
+++ abseil-20220623.1/debian/patches/series	2025-04-05 15:15:38.000000000 +0200
@@ -4,3 +4,4 @@
 empty-flags-library.diff
 leaky-pkgconfig-cflags.diff
 cordz-info-statistics-test.diff
+CVE-2025-0838.patch

--- End Message ---

--- Begin Message ---

• To: 1102135-done@bugs.debian.org
• Subject: Close 1102135
• From: jmw@debian.org
• Date: Sat, 17 May 2025 09:37:57 +0000
• Message-id: <E1uGDzR-005KGA-9i@coccia.debian.org>

Version: 12.11
This update has been released as part of 12.10. Thank you for your contribution.

--- End Message ---