Bug 1222059 (CVE-2023-46049)

Summary: VUL-1: CVE-2023-46049: llvm: NULL pointer dereference in parseOneMetadata() via crafted pdflatex.fmt file (or perhaps a crafted .o file) to llvm-lto
Product: [Novell Products] SUSE Security Incidents
Reporter: SMASH SMASH <smash_bz>
Component: Incidents
Assignee: Michael Matz <matz>
Status: NEW ---
QA Contact: Security Team bot <security-team>
Severity: Minor
Priority: P4 - Low
CC: carlos.lopez
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/399123/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-46049:3.3:(AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description SMASH SMASH 2024-03-27 10:55:58 UTC
LLVM 15.0.0 has a NULL pointer dereference in the parseOneMetadata() function via a crafted pdflatex.fmt file (or perhaps a crafted .o file) to llvm-lto. NOTE: this is disputed because the relationship between pdflatex.fmt and any LLVM language front end is not explained, and because a crash of the llvm-lto application should be categorized as a usability problem.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-46049
https://www.cve.org/CVERecord?id=CVE-2023-46049
http://seclists.org/fulldisclosure/2024/Jan/66
https://github.com/llvm/llvm-project/issues/67388
https://llvm.org/docs/Security.html
Comment 1 Carlos López 2024-03-27 10:57:10 UTC
Barely a security issue if at all. Anyhow, the fix seems trivial:
https://github.com/llvm/llvm-project/commit/c2515a8f2be5dd23354c9891f41ad104000f88c4
Comment 2 Richard Biener 2024-03-27 12:00:34 UTC
llvm-lto is part of the llvm15 package which isn't shipped to SLES customers,
only libLLVM15 is.  llvm15 is available via PackageHub on some codestreams
but as such unsupported:

Information for package llvm15:
-------------------------------
Repository     : SLE-Module-Packagehub-Subpackages15-SP5-Updates
Name           : llvm15
Version        : 15.0.7-150500.4.4.1
Arch           : x86_64
Vendor         : SUSE LLC <https://www.suse.com/>
Support Level  : unsupported
Installed Size : 11.6 MiB
Installed      : Yes
Status         : up-to-date
Source package : llvm15-15.0.7-150500.4.4.1.src
Upstream URL   : https://www.llvm.org/
Summary        : Low Level Virtual Machine
Description    : 
    LLVM is a compiler infrastructure designed for compile-time,
    link-time, runtime, and idle-time optimization of programs from
    arbitrary programming languages.

    The compiler infrastructure includes mirror sets of programming
    tools as well as libraries with equivalent functionality.

apart from the fact that this is of course not a security issue at all.

llvm15 is no longer maintained upstream either.