--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: bookworm-pu: package abseil/20220623.1-1+deb12u1
- From: Tobias Frost <tobi@debian.org>
- Date: Sat, 05 Apr 2025 16:25:51 +0200
- Message-id: <174386315165.474037.16280830826169088919.reportbug@isildor2.loewenhoehle.ip>
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: abseil@packages.debian.org, abseil@packages.debian.org
Control: affects -1 + src:abseil
User: release.debian.org@packages.debian.org
Usertags: pu
(Please provide enough information to help the release team
to judge the request efficiently. E.g. by filling in the
sections below.)
[ Reason ]
This is a backport for the fix for CVE-2025-0838, which I've previously
fixed for sid (#1098903) and for LTS (DLA-4116-1).
To close the gap for bookworm, I'd like to s-p-u the package.
[ Impact ]
Users upgrading from bullseye to bookworm will have regression in
terms of this vulnerbility.
[ Tests ]
The source package comes with a test suite, the vulnerablity has also
its own test suite.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
Backport of the upstream patch, origin:
https://github.com/abseil/abseil-cpp/commit/5a0e2cb5e3958dd90bb8569a2766622cb74d90c1
diff -Nru abseil-20220623.1/debian/changelog abseil-20220623.1/debian/changelog
--- abseil-20220623.1/debian/changelog 2022-10-18 16:02:49.000000000 +0200
+++ abseil-20220623.1/debian/changelog 2025-04-05 16:09:38.000000000 +0200
@@ -1,3 +1,11 @@
+abseil (20220623.1-1+deb12u1) bookworm; urgency=medium
+
+ * Non maintainer upload by the LTS Team.
+ * Backport fix for CVE-2025-0838 - Heap buffer overflow vulnerablity
+ (Closes: #1098903)
+
+ -- Tobias Frost <tobi@debian.org> Sat, 05 Apr 2025 16:09:38 +0200
+
abseil (20220623.1-1) unstable; urgency=medium
* New upstream release.
diff -Nru abseil-20220623.1/debian/patches/CVE-2025-0838.patch abseil-20220623.1/debian/patches/CVE-2025-0838.patch
--- abseil-20220623.1/debian/patches/CVE-2025-0838.patch 1970-01-01 01:00:00.000000000 +0100
+++ abseil-20220623.1/debian/patches/CVE-2025-0838.patch 2025-04-05 16:09:32.000000000 +0200
@@ -0,0 +1,162 @@
+Description: CVE-2025-0838 - Heap buffer overflow vulnerable in Abseil-cpp
+ Backported for bookworm from upstream.
+Origin: https://github.com/abseil/abseil-cpp/commit/5a0e2cb5e3958dd90bb8569a2766622cb74d90c1
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098903
+
+From 5a0e2cb5e3958dd90bb8569a2766622cb74d90c1 Mon Sep 17 00:00:00 2001
+From: Derek Mauro <dmauro@google.com>
+Date: Thu, 23 Jan 2025 06:33:43 -0800
+Subject: [PATCH] Fix potential integer overflow in hash container
+ create/resize
+
+The sized constructors, reserve(), and rehash() methods of
+absl::{flat,node}_hash_{set,map} did not impose an upper bound on
+their size argument. As a result, it was possible for a caller to pass
+a very large size that would cause an integer overflow when computing
+the size of the container's backing store. Subsequent accesses to the
+container might then access out-of-bounds memory.
+
+The fix is in two parts:
+
+1) Update max_size() to return the maximum number of items that can be
+stored in the container
+
+2) Validate the size arguments to the constructors, reserve(), and
+rehash() methods, and abort the program when the argument is invalid
+
+We've looked at uses of these containers in Google codebases like
+Chrome, and determined this vulnerability is likely to be difficult to
+exploit. This is primarily because container sizes are rarely
+attacker-controlled.
+
+The bug was discovered by Dmitry Vyukov <dvyukov@google.com>.
+
+PiperOrigin-RevId: 718841870
+Change-Id: Ic09dc9de140a35dbb45ab9d90f58383cf2de8286
+---
+ absl/container/internal/raw_hash_set.cc | 5 ++++
+ absl/container/internal/raw_hash_set.h | 26 +++++++++++++++++++-
+ absl/container/internal/raw_hash_set_test.cc | 8 ++++++
+ 3 files changed, 38 insertions(+), 1 deletion(-)
+
+--- a/absl/container/internal/raw_hash_set.cc
++++ b/absl/container/internal/raw_hash_set.cc
+@@ -13,6 +13,7 @@
+ // limitations under the License.
+
+ #include "absl/container/internal/raw_hash_set.h"
++#include "absl/base/internal/raw_logging.h"
+
+ #include <atomic>
+ #include <cstddef>
+@@ -66,6 +67,10 @@
+ // Extern template instantiotion for inline function.
+ template FindInfo find_first_non_full(const ctrl_t*, size_t, size_t);
+
++void HashTableSizeOverflow() {
++ ABSL_RAW_LOG(FATAL, "Hash table size overflow");
++}
++
+ } // namespace container_internal
+ ABSL_NAMESPACE_END
+ } // namespace absl
+--- a/absl/container/internal/raw_hash_set.h
++++ b/absl/container/internal/raw_hash_set.h
+@@ -219,6 +219,15 @@
+ ABSL_NAMESPACE_BEGIN
+ namespace container_internal {
+
++#ifdef ABSL_SWISSTABLE_ASSERT
++#error ABSL_SWISSTABLE_ASSERT cannot be directly set
++#else
++// We use this macro for assertions that users may see when the table is in an
++// invalid state that sanitizers may help diagnose.
++#define ABSL_SWISSTABLE_ASSERT(CONDITION) \
++ assert((CONDITION) && "Try enabling sanitizers.")
++#endif
++
+ template <typename AllocType>
+ void SwapAlloc(AllocType& lhs, AllocType& rhs,
+ std::true_type /* propagate_on_container_swap */) {
+@@ -745,6 +754,15 @@
+ return n ? ~size_t{} >> countl_zero(n) : 1;
+ }
+
++template <size_t kSlotSize>
++size_t MaxValidCapacity() {
++ return NormalizeCapacity((std::numeric_limits<size_t>::max)() / 4 /
++ kSlotSize);
++}
++
++// Use a non-inlined function to avoid code bloat.
++[[noreturn]] void HashTableSizeOverflow();
++
+ // General notes on capacity/growth methods below:
+ // - We use 7/8th as maximum load factor. For 16-wide groups, that gives an
+ // average of two empty slots per group.
+@@ -1148,6 +1166,10 @@
+ : ctrl_(EmptyGroup()),
+ settings_(0, HashtablezInfoHandle(), hash, eq, alloc) {
+ if (bucket_count) {
++ if (ABSL_PREDICT_FALSE(bucket_count >
++ MaxValidCapacity<sizeof(slot_type)>())) {
++ HashTableSizeOverflow();
++ }
+ capacity_ = NormalizeCapacity(bucket_count);
+ initialize_slots();
+ }
+@@ -1341,7 +1363,9 @@
+ bool empty() const { return !size(); }
+ size_t size() const { return size_; }
+ size_t capacity() const { return capacity_; }
+- size_t max_size() const { return (std::numeric_limits<size_t>::max)(); }
++ size_t max_size() const {
++ return CapacityToGrowth(MaxValidCapacity<sizeof(slot_type)>());
++ }
+
+ ABSL_ATTRIBUTE_REINITIALIZES void clear() {
+ // Iterating over this container is O(bucket_count()). When bucket_count()
+@@ -1678,6 +1702,9 @@
+ auto m = NormalizeCapacity(n | GrowthToLowerboundCapacity(size()));
+ // n == 0 unconditionally rehashes as per the standard.
+ if (n == 0 || m > capacity_) {
++ if (ABSL_PREDICT_FALSE(m > MaxValidCapacity<sizeof(slot_type)>())) {
++ HashTableSizeOverflow();
++ }
+ resize(m);
+
+ // This is after resize, to ensure that we have completed the allocation
+@@ -1688,6 +1715,9 @@
+
+ void reserve(size_t n) {
+ if (n > size() + growth_left()) {
++ if (ABSL_PREDICT_FALSE(n > max_size())) {
++ HashTableSizeOverflow();
++ }
+ size_t m = GrowthToLowerboundCapacity(n);
+ resize(NormalizeCapacity(m));
+
+@@ -2361,5 +2391,6 @@
+ } // namespace absl
+
+ #undef ABSL_INTERNAL_ASSERT_IS_FULL
++#undef ABSL_SWISSTABLE_ASSERT
+
+ #endif // ABSL_CONTAINER_INTERNAL_RAW_HASH_SET_H_
+--- a/absl/container/internal/raw_hash_set_test.cc
++++ b/absl/container/internal/raw_hash_set_test.cc
+@@ -2181,6 +2181,14 @@
+ }
+ }
+
++TEST(Table, MaxSizeOverflow) {
++ size_t overflow = (std::numeric_limits<size_t>::max)();
++ EXPECT_DEATH_IF_SUPPORTED(IntTable t(overflow), "Hash table size overflow");
++ IntTable t;
++ EXPECT_DEATH_IF_SUPPORTED(t.reserve(overflow), "Hash table size overflow");
++ EXPECT_DEATH_IF_SUPPORTED(t.rehash(overflow), "Hash table size overflow");
++}
++
+ } // namespace
+ } // namespace container_internal
+ ABSL_NAMESPACE_END
diff -Nru abseil-20220623.1/debian/patches/series abseil-20220623.1/debian/patches/series
--- abseil-20220623.1/debian/patches/series 2022-08-31 04:42:20.000000000 +0200
+++ abseil-20220623.1/debian/patches/series 2025-04-05 15:15:38.000000000 +0200
@@ -4,3 +4,4 @@
empty-flags-library.diff
leaky-pkgconfig-cflags.diff
cordz-info-statistics-test.diff
+CVE-2025-0838.patch
--- End Message ---