Bugzilla – Full Text Bug Listing
| Summary: | VUL-0: CVE-2020-35357: gsl: stack out of bounds read in gsl_stats_quantile_from_sorted_data() | ||
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Carlos López <carlos.lopez> |
| Component: | Incidents | Assignee: | Security Team bot <security-team> |
| Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
| Severity: | Normal | ||
| Priority: | P3 - Medium | CC: | gianluca.gabrielli, security-team |
| Version: | unspecified | ||
| Target Milestone: | --- | ||
| Hardware: | Other | ||
| OS: | Other | ||
| URL: | https://smash.suse.de/issue/375997/ | ||
| Whiteboard: | CVSSv3.1:SUSE:CVE-2020-35357:5.5:(AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) | ||
| Found By: | Security Response Team | Services Priority: | |
| Business Priority: | Blocker: | --- | |
| Marketing QA Status: | --- | IT Deployment: | --- |
|
Description
Carlos López
2023-08-28 10:06:57 UTC
NVD gives this a 9.8 CVSS, but the overflow only happens when passing in a nonsensical quantile. Moreover, obtaining code execution from an out of bounds read seems unlikely.

This is an autogenerated message for OBS integration: This bug (1214681) was mentioned in https://build.opensuse.org/request/show/1106734 Factory / gsl

Hi Adman, I see that there are a couple of failed builtin tests on i586 arch [0], can you please review it and tell if we can skip it or a re-submission is needed? Thanks

[0] https://build.suse.de/public/build/SUSE:Maintenance:30354/SUSE_SLE-15-SP2_Update/i586/gsl.SUSE_SLE-15-SP2_Update:gnu-hpc/_log

```
[ 164s] /bin/sh ../libtool --tag=CC --mode=link gcc -ffp-contract=off -fomit-frame-pointer -fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -g -o test test.o libgsllinalg.la ../blas/libgslblas.la ../cblas/libgslcblas.la ../permutation/libgslpermutation.la ../matrix/libgslmatrix.la ../vector/libgslvector.la ../block/libgslblock.la ../complex/libgslcomplex.la ../ieee-utils/libgslieeeutils.la ../err/libgslerr.la ../test/libgsltest.la ../sys/libgslsys.la ../utils/libutils.la ../rng/libgslrng.la -lm
[ 164s] libtool: link: gcc -ffp-contract=off -fomit-frame-pointer -fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -g -o .libs/test test.o ./.libs/libgsllinalg.a ../blas/.libs/libgslblas.a ../cblas/.libs/libgslcblas.so ../permutation/.libs/libgslpermutation.a ../matrix/.libs/libgslmatrix.a ../vector/.libs/libgslvector.a ../block/.libs/libgslblock.a ../complex/.libs/libgslcomplex.a ../ieee-utils/.libs/libgslieeeutils.a ../err/.libs/libgslerr.a ../test/.libs/libgsltest.a ../sys/.libs/libgslsys.a ../utils/.libs/libutils.a ../rng/.libs/libgslrng.a -lm -Wl,-rpath -Wl,/usr/lib/hpc/gnu7/gsl/2.6/lib
[ 165s] make[2]: Leaving directory '/home/abuild/rpmbuild/BUILD/gsl-2.6/linalg'
[ 165s] make check-TESTS
[ 165s] make[2]: Entering directory '/home/abuild/rpmbuild/BUILD/gsl-2.6/linalg'
[ 165s] make[3]: Entering directory '/home/abuild/rpmbuild/BUILD/gsl-2.6/linalg'
[ 173s] FAIL: test
[ 173s] ============================================================================
[ 173s] Testsuite summary for gsl 2.6
[ 173s] ============================================================================
[ 173s] # TOTAL: 1
[ 173s] # PASS: 0
[ 173s] # SKIP: 0
[ 173s] # XFAIL: 0
[ 173s] # FAIL: 1
[ 173s] # XPASS: 0
[ 173s] # ERROR: 0
[ 173s] ============================================================================
[ 173s] See linalg/test-suite.log
[ 173s] ============================================================================
[ 173s] make[3]: *** [Makefile:772: test-suite.log] Error 1
[ 173s] make[3]: Leaving directory '/home/abuild/rpmbuild/BUILD/gsl-2.6/linalg'
[ 173s] make[2]: *** [Makefile:880: check-TESTS] Error 2
[ 173s] make[2]: Leaving directory '/home/abuild/rpmbuild/BUILD/gsl-2.6/linalg'
[ 173s] make[1]: *** [Makefile:951: check-am] Error 2
[ 173s] make[1]: Leaving directory '/home/abuild/rpmbuild/BUILD/gsl-2.6/linalg'
[ 173s] make: *** [Makefile:974: check-recursive] Error 1
[ 173s] + find -name '*.log' -print -exec cat '{}' ';'
[ 173s] ./matrix/test_static.log
[ 173s] Completed [1347/1347]
[ 173s] PASS test_static (exit status: 0)
[ 173s] ./matrix/test.log
[ 173s] Completed [1347/1347]
[ 173s] PASS test (exit status: 0)
[ 173s] ./matrix/test-suite.log
[ 173s] ====================================
[ 173s] gsl 2.6: linalg/test-suite.log
[ 173s] ====================================
[ 173s]
[ 173s] # TOTAL: 1
[ 173s] # PASS: 0
[ 173s] # SKIP: 0
[ 173s] # XFAIL: 0
[ 173s] # FAIL: 1
[ 173s] # XPASS: 0
[ 173s] # ERROR: 0
[ 173s]
[ 173s] .. contents:: :depth: 2
[ 173s]
[ 173s] FAIL: test
[ 173s] ==========
[ 173s]
[ 173s] FAIL: LU_decomp rect3: ( 80,100)[64,65]: 4.12655062968342833e-05 4.12655062973499298e-05
[ 173s] (4.12655062968342833e-05 observed vs 4.12655062973499298e-05 expected) [5515924]
[ 173s] FAIL: cholesky_decomp unscaled random: (147,147)[92,130]: 1.06636434789185456e-07 1.0663643479347229e-07
[ 173s] (1.06636434789185456e-07 observed vs 1.0663643479347229e-07 expected) [12196119]
[ 173s] FAIL: cholesky_decomp unscaled random: (147,147)[130,92]: 1.06636434789185456e-07 1.0663643479347229e-07
[ 173s] (1.06636434789185456e-07 observed vs 1.0663643479347229e-07 expected) [12201667]
[ 173s] FAIL: cholesky_decomp scaled random: (147,147)[92,130]: 1.06636434797499932e-07 1.0663643479347229e-07
[ 173s] (1.06636434797499932e-07 observed vs 1.0663643479347229e-07 expected) [12217728]
[ 173s] FAIL: cholesky_decomp scaled random: (147,147)[130,92]: 1.06636434797499932e-07 1.0663643479347229e-07
[ 173s] (1.06636434797499932e-07 observed vs 1.0663643479347229e-07 expected) [12223276]
[ 173s] FAIL test (exit status: 1)
[ 173s]
[ 173s] ./config.log
[ 173s] This file contains any messages produced by compilers while
[ 173s] running configure, to aid debugging if configure makes a mistake.
[ 173s]
[ 173s] It was created by gsl configure 2.6, which was
[ 173s] generated by GNU Autoconf 2.69.  Invocation command line was
[ 173s]
[ 173s]   $ ./configure --host=i586-suse-linux-gnu --build=i586-suse-linux-gnu --disable-dependency-tracking --prefix=/usr/lib/hpc/gnu7/gsl/2.6 --exec-prefix=/usr/lib/hpc/gnu7/gsl/2.6 --bindir=/usr/lib/hpc/gnu7/gsl/2.6/bin --sbindir=/usr/lib/hpc/gnu7/gsl/2.6/sbin --sysconfdir=/etc --datadir=/usr/lib/hpc/gnu7/gsl/2.6/share --includedir=/usr/lib/hpc/gnu7/gsl/2.6/include --libdir=/usr/lib/hpc/gnu7/gsl/2.6/lib --libexecdir=/usr/lib/hpc/gnu7/gsl/2.6/lib --localstatedir=/var --sharedstatedir=/var/lib --mandir=/usr/lib/hpc/gnu7/gsl/2.6/share/man --infodir=/usr/lib/hpc/gnu7/gsl/2.6/share/info --disable-static --enable-shared --with-gnu-ld
```

This is why we ignore these tests on i586 in the spec file... the few bad test results there are caused by the limited precision maths on 32bit Intel. Unless we want to relax these for all arches, it's best just to ignore these errors here.

From spec file,

```
# On i586 this still fails
%ifarch %{ix86}
make %{?_smp_mflags} check || ( find -name \*.log -print -exec cat {} \; ; exit 0 )
%else
make %{?_smp_mflags} check || ( find -name \*.log -print -exec cat {} \; ; exit 1 )
%endif
```

Is it ok to proceed or should I fix this for i586 (by relaxing precision)?

That's more than enough. We'll simply skip these tests from the UM side. Thank you very much.

SUSE-SU-2023:3527-1: An update that solves one vulnerability can now be installed.
Category: security (moderate)
Bug References: 1214681
CVE References: CVE-2020-35357
Sources used:
SUSE Linux Enterprise Workstation Extension 15 SP4 (src): gsl-2.4-150100.9.4.1
SUSE Linux Enterprise Workstation Extension 15 SP5 (src): gsl-2.4-150100.9.4.1
openSUSE Leap 15.4 (src): gsl-2.4-150100.9.4.1, gsl_2_4-gnu-hpc-2.4-150100.9.4.1
openSUSE Leap 15.5 (src): gsl_2_4-gnu-hpc-2.4-150100.9.4.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2023:3858-1: An update that solves one vulnerability can now be installed.
Category: security (moderate)
Bug References: 1214681
CVE References: CVE-2020-35357
Sources used:
openSUSE Leap 15.4 (src): gsl-2.6-150200.3.4.3, gsl_2_6-gnu-hpc-2.6-150200.3.4.3
openSUSE Leap 15.5 (src): gsl-2.6-150200.3.4.3, gsl_2_6-gnu-hpc-2.6-150200.3.4.3
Desktop Applications Module 15-SP4 (src): gsl-2.6-150200.3.4.3
Desktop Applications Module 15-SP5 (src): gsl-2.6-150200.3.4.3
SUSE Package Hub 15 15-SP4 (src): gsl-2.6-150200.3.4.3
SUSE Package Hub 15 15-SP5 (src): gsl-2.6-150200.3.4.3
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2023:4051-1: An update that solves one vulnerability can now be installed.
Category: security (moderate)
Bug References: 1214681
CVE References: CVE-2020-35357
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): gsl-1.16-5.4.1
SUSE Linux Enterprise Workstation Extension 12 12-SP5 (src): gsl-1.16-5.4.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Done, closing.
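The description above notes that the out-of-bounds read in gsl_stats_quantile_from_sorted_data() is only reached when the quantile f lies outside [0,1]. As an added example that is neither GSL's code nor the upstream patch, the following C reimplements the interpolation formula the GSL manual documents and puts the missing range check in front of it; quantile_sorted_checked, quantile_sorted_unchecked and QUANTILE_EINVAL are names chosen here, and the data array is constructed.

```c
#include <math.h>
#include <stddef.h>
#include <stdio.h>

/* Return codes for the checked wrapper (names chosen for this example). */
enum { QUANTILE_OK = 0, QUANTILE_EINVAL = 1 };

/* Quantile of sorted data by linear interpolation, as the GSL manual
 * documents it (index = f*(n-1), interpolate between neighbours). This is a
 * stand-alone reimplementation for illustration, not GSL's source. Like the
 * unpatched library function it trusts f: f > 1 gives lhs > n-1 and the
 * reads below go past the end of the array. */
static double quantile_sorted_unchecked(const double *sorted, size_t stride,
                                        size_t n, double f)
{
    if (n == 0) return 0.0;
    const double index = f * (double)(n - 1);
    const size_t lhs = (size_t)index;
    const double delta = index - (double)lhs;
    if (lhs == n - 1) return sorted[lhs * stride];
    return (1.0 - delta) * sorted[lhs * stride]
         + delta * sorted[(lhs + 1) * stride];
}

/* Checked front end: refuse empty input and any f outside [0,1] before the
 * index is formed, so lhs <= n-1 always holds and no read leaves the array.
 * Written as !(f >= 0 && f <= 1) so that NaN is rejected too. */
int quantile_sorted_checked(const double *sorted, size_t stride, size_t n,
                            double f, double *out)
{
    if (sorted == NULL || out == NULL || n == 0) return QUANTILE_EINVAL;
    if (!(f >= 0.0 && f <= 1.0)) return QUANTILE_EINVAL;
    *out = quantile_sorted_unchecked(sorted, stride, n, f);
    return QUANTILE_OK;
}

int main(void)
{
    const double data[] = { 1.0, 2.0, 3.0, 4.0, 5.0 };  /* constructed, sorted */
    const double probes[] = { 0.0, 0.1, 0.5, 1.0, 1.5, -0.1, NAN };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        double q;
        if (quantile_sorted_checked(data, 1, 5, probes[i], &q) == QUANTILE_OK)
            printf("f=%g -> %g\n", probes[i], q);
        else
            printf("f=%g -> rejected, not in [0,1]\n", probes[i]);
    }
    return 0;
}
```

The same guard (and an n == 0 check) in front of the library call is the cheap mitigation for callers that cannot yet move to a patched gsl, since the read is only ever out of range when f is.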