Your message dated Sat, 07 Oct 2023 09:59:38 +0000 with message-id <E1qp45y-00A4Al-Py@coccia.debian.org> and subject line "Released with 12.2" has caused the Debian Bug report #1041468, regarding bookworm-pu: package hnswlib/0.6.2-2+deb12u1, to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

-- 
1041468: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1041468
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: bookworm-pu: package hnswlib/0.6.2-2+deb12u1
- From: Étienne Mollier <emollier@debian.org>
- Date: Wed, 19 Jul 2023 12:04:04 +0200
- Message-id: <ZLe1FHHtm4qGdWAX@fusion>
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: hnswlib@packages.debian.org
Control: affects -1 + src:hnswlib

Hi Stable Release Managers,

[ Reason ]
hnswlib is affected by CVE-2023-37365 marked no-dsa, documented through the important bug #1041426. Quoting the CVE for short: hnswlib has a double free in init_index when the M argument is a large integer.

[ Impact ]
Users of hnswlib may encounter double-free crashes when specifying the M parameter randomly to the software.

[ Tests ]
I verified the package built in a clean bookworm chroot, then verified there were no autopkgtest regressions in bookworm, then verified manually that the reproducer did trigger the crash with the current version in bookworm, and finally that the patched version did not trigger the crash anymore, but instead raised the warning message appropriately.

[ Risks ]
There is little risk as the change is relatively straightforward, but users who might like to set off-specification values of the M parameter may run into the self-imposed limitation. M is documented to have values that make sense in a range from 2 to 100, and the patch sets a hard limit at 10000 per upstream recommendation.

[ Checklist ]
[*] *all* changes are documented in the d/changelog
[*] I reviewed all changes and I approve them
[*] attach debdiff against the package in stable
[*] the issue is verified as fixed in unstable

[ Changes ]
Changes mostly consist in applying a version of the patch discussed with upstream[1] ported to hnswlib 0.6.2-2 in bookworm. Instead of forwarding the value of the argument M as-is, the code now checks that the value is less than 10000 before applying it. If the value is larger, then it is capped and the library issues a warning.
[1]: https://github.com/nmslib/hnswlib/pull/484

[ Other info ]
It might have made sense to also set a check for M == 1, as it will result in a crash, probably not as serious as the double free though:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
RuntimeError: Not enough memory: addPoint failed to allocate linklist

M == 0 looks to behave, or has a special meaning. In doubt, I prefer leaving as-is.

Last info, lintian loudly complained at the distribution field, but looking at the Developer Reference, the field seemed good, so if there is anything I need to change, don't hesitate to tell:

E: hnswlib changes: bad-distribution-in-changes-file bookworm

Have a nice day, :)

-- 
  .''`.  Étienne Mollier <emollier@debian.org>
 : :' :  gpg: 8f91 b227 c7d6 f2b1 948c 8236 793c f67e 8f0d 11da
 `. `'   sent from /dev/pts/4, please excuse my verbosity
   `-    on air: Chroma Key - Human Love

diff -Nru hnswlib-0.6.2/debian/changelog hnswlib-0.6.2/debian/changelog --- hnswlib-0.6.2/debian/changelog 2022-10-12 16:11:36.000000000 +0200 +++ hnswlib-0.6.2/debian/changelog 2023-07-19 10:27:07.000000000 +0200 @@ -1,3 +1,12 @@ +hnswlib (0.6.2-2+deb12u1) bookworm; urgency=medium + + * Team upload. + * cve-2023-37365.patch: new: fix CVE-2023-37365. + This is done by capping M to 10000 per discussion with upstream. + (Closes: #1041426) + + -- Étienne Mollier <emollier@debian.org> Wed, 19 Jul 2023 10:27:07 +0200 + hnswlib (0.6.2-2) unstable; urgency=medium * Team upload. diff -Nru hnswlib-0.6.2/debian/patches/cve-2023-37365.patch hnswlib-0.6.2/debian/patches/cve-2023-37365.patch --- hnswlib-0.6.2/debian/patches/cve-2023-37365.patch 1970-01-01 01:00:00.000000000 +0100 +++ hnswlib-0.6.2/debian/patches/cve-2023-37365.patch 2023-07-19 10:24:55.000000000 +0200
@@ -0,0 +1,40 @@ +Description: hnswalg.h: cap M to 10000 (CVE-2023-37365) + This patch works around issue nmslib#467, also referenced as CVE-2023-37365, + by implementing Yury Malkov's suggestion about capping the M value, + coding the maximum number of outgoing connections in the graph, to a + reasonable enough value of the order of 10000. For the record, the + documentation indicates reasonable values for M range from 2 to 100, + which are well within the cap; see ALGO_PARAMS.md. + . + The reproducer shown in issue nmslib#467 doesn't trigger the double free + condition anymore after this change is applied, but completes + successfully, although with the below warning popping up on purpose: + . + warning: M parameter exceeds 10000 which may lead to adverse effects. + Cap to 10000 will be applied for the rest of the processing. + +Author: Étienne Mollier <emollier@debian.org> +Bug: https://github.com/nmslib/hnswlib/issues/467 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1041426 +Forwarded: https://github.com/nmslib/hnswlib/pull/484 +Reviewed-by: Yury Malkov <yurymalkov@mail.ru> +Last-Update: 2023-07-19 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- hnswlib.orig/hnswlib/hnswalg.h ++++ hnswlib/hnswlib/hnswalg.h +@@ -33,7 +33,13 @@ + data_size_ = s->get_data_size(); + fstdistfunc_ = s->get_dist_func(); + dist_func_param_ = s->get_dist_func_param(); +- M_ = M; ++ if ( M <= 10000 ) { ++ M_ = M; ++ } else { ++ std::cerr << "warning: M parameter exceeds 10000 which may lead to adverse effects." << std::endl; ++ std::cerr << " Cap to 10000 will be applied for the rest of the processing." 
<< std::endl; ++ M_ = 10000; ++ } + maxM_ = M_; + maxM0_ = M_ * 2; + ef_construction_ = std::max(ef_construction,M_); diff -Nru hnswlib-0.6.2/debian/patches/series hnswlib-0.6.2/debian/patches/series --- hnswlib-0.6.2/debian/patches/series 2022-10-12 16:11:36.000000000 +0200 +++ hnswlib-0.6.2/debian/patches/series 2023-07-19 10:23:46.000000000 +0200 @@ -2,3 +2,4 @@ noTwine.patch use-shared-while-linking.patch do-not-use-native-flags.patch +cve-2023-37365.patch

Attachment: signature.asc
Description: PGP signature
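Review bot: the new branch in the hnswalg.h hunk writes to std::cerr, but the hunk adds no `#include <iostream>`; confirm the header already pulls it in (via hnswlib.h or another include) rather than relying on the including translation unit. The check also bounds M only from above: as the [ Other info ] section of the mail notes, M == 1 still fails later in addPoint, so a lower bound (M >= 2, matching the documented 2 to 100 range) next to this cap would close that case in the same place. Finally, since capping silently changes the graph the caller asked for, consider whether a value two orders of magnitude beyond the documented range should raise (e.g. std::invalid_argument) instead of emitting a warning that a Python caller will rarely see; if the warning is kept, the two `std::cerr` lines could be folded into one statement.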
--- End Message ---
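The two policies discussed in this request, the patch's cap-and-warn and the stricter reject-with-error that also enforces the lower bound the submitter mentions for M == 1, written out as an added C++ example. This is not code from hnswlib or from the Debian patch: the field names M_, maxM_, maxM0_ and ef_construction_ and their derivation follow the hunk, while the helper names capM, validateM, deriveParams and linklistBytes, and the assumed link-list byte layout (maxM0 4-byte neighbour ids plus a 4-byte count), are assumptions made for illustration.

```cpp
#include <algorithm>
#include <cstddef>
#include <iostream>
#include <limits>
#include <stdexcept>

// Bounds for M (maximum outgoing connections per graph node).
// 10000 is the cap from the Debian patch; 2 is the low end of the range the
// hnswlib documentation calls sensible, and M == 1 is reported to crash later.
constexpr std::size_t kMaxM = 10000;
constexpr std::size_t kMinM = 2;

// The constructor fields derived from M in the patched hunk, plus a flag
// recording whether the caller's value was altered on the way in.
struct GraphParams {
    std::size_t M_ = 0;
    std::size_t maxM_ = 0;
    std::size_t maxM0_ = 0;
    std::size_t ef_construction_ = 0;
    bool capped = false;
};

// Policy A (the patch): values above kMaxM are clamped with a warning on
// stderr; 'capped' lets a programmatic caller notice the clamp.
std::size_t capM(std::size_t M, bool &capped) {
    capped = false;
    if (M <= kMaxM) return M;
    std::cerr << "warning: M parameter exceeds " << kMaxM
              << ", capping to " << kMaxM << std::endl;
    capped = true;
    return kMaxM;
}

// Policy B (stricter): out-of-range M is rejected at the API boundary with an
// exception, so the caller is told instead of getting a silently altered graph.
// Also enforces the lower bound the bug report discusses.
std::size_t validateM(std::size_t M) {
    if (M < kMinM || M > kMaxM)
        throw std::invalid_argument("M must be between 2 and 10000");
    return M;
}

// Derive the fields the same way the hunk does:
// maxM_ = M_, maxM0_ = 2 * M_, ef_construction_ = max(ef_construction, M_).
GraphParams deriveParams(std::size_t M, std::size_t ef_construction, bool strict) {
    GraphParams p;
    p.M_ = strict ? validateM(M) : capM(M, p.capped);
    p.maxM_ = p.M_;
    p.maxM0_ = p.M_ * 2;
    p.ef_construction_ = std::max(ef_construction, p.M_);
    return p;
}

// Assumed per-element level-0 link-list size: maxM0 neighbour ids of 4 bytes
// plus a 4-byte count. Computed with an overflow check so an absurd maxM0
// fails loudly instead of wrapping to a small allocation; bounding M up front
// is what keeps this arithmetic in a safe range in the first place.
bool linklistBytes(std::size_t maxM0, std::size_t &bytes) {
    const std::size_t entry = sizeof(unsigned int);
    if (maxM0 > (std::numeric_limits<std::size_t>::max() - entry) / entry)
        return false;  // maxM0 * entry + entry would overflow size_t
    bytes = maxM0 * entry + entry;
    return true;
}

int main() {
    GraphParams lenient = deriveParams(70000, 200, false);   // capped to 10000
    std::cout << "M_=" << lenient.M_ << " maxM0_=" << lenient.maxM0_
              << " capped=" << lenient.capped << std::endl;
    try {
        deriveParams(1, 200, true);                          // rejected
    } catch (const std::invalid_argument &e) {
        std::cout << "strict policy rejected M=1: " << e.what() << std::endl;
    }
    std::size_t bytes = 0;
    if (linklistBytes(lenient.maxM0_, bytes))
        std::cout << "level-0 link list bytes: " << bytes << std::endl;
    return 0;
}
```

Which policy fits depends on the caller: the cap keeps existing scripts running and matches what upstream agreed to for a stable update, while the strict variant is the better default for a new API surface because a wrong M is a programming error the caller should hear about immediately.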
--- Begin Message ---
- To: 1041468-done@bugs.debian.org
- Subject: Released with 12.2
- From: Jonathan Wiltshire <jmw@coccia.debian.org>
- Date: Sat, 07 Oct 2023 09:59:38 +0000
- Message-id: <E1qp45y-00A4Al-Py@coccia.debian.org>
Version: 12.2

The upload requested in this bug has been released as part of 12.2.
--- End Message ---