Bug 1214681 (CVE-2020-35357) - VUL-0: CVE-2020-35357: gsl: stack out of bounds read in gsl_stats_quantile_from_sorted_data()
Summary: VUL-0: CVE-2020-35357: gsl: stack out of bounds read in gsl_stats_quantile_fr...
Status: RESOLVED FIXED
Alias: CVE-2020-35357
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/375997/
Whiteboard: CVSSv3.1:SUSE:CVE-2020-35357:5.5:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2023-08-28 10:06 UTC by Carlos López
Modified: 2024-02-22 14:32 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Carlos López 2023-08-28 10:06:57 UTC
CVE-2020-35357

A buffer overflow can occur when calculating the quantile value using the Statistics Library of GSL (GNU Scientific Library), versions 2.5 and 2.6. Processing a maliciously crafted input data for gsl_stats_quantile_from_sorted_data of the library may lead to unexpected application termination or arbitrary code execution.

References:

https://savannah.gnu.org/bugs/?59624
https://git.savannah.gnu.org/cgit/gsl.git/commit/?id=989a193268b963aa1047814f7f1402084fb7d859

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-35357
https://bugzilla.redhat.com/show_bug.cgi?id=2234896
https://www.cve.org/CVERecord?id=CVE-2020-35357
https://git.savannah.gnu.org/cgit/gsl.git/commit/?id=989a193268b963aa1047814f7f1402084fb7d859
https://savannah.gnu.org/bugs/?59624
Comment 3 Carlos López 2023-08-28 10:12:50 UTC
NVD gives this a 9.8 CVSS, but the overflow only happens when passing in a nonsensical quantile. Moreover, obtaining code execution from an out of bounds read seems unlikely.
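An added example, not GSL's own code and not the upstream fix: a quantile-from-sorted-data routine in the interpolating style GSL documents (index = f*(n-1), linear interpolation between the two neighbouring elements), with the inputs validated so that a quantile fraction outside [0,1] is rejected instead of indexing past the array. The function names and the sample array are constructed for the example.

```c
#include <math.h>
#include <stddef.h>

/* Added example, not GSL's own code: compute the f-quantile of sorted data
 * the way GSL documents it (index = f*(n-1), linear interpolation between
 * the two neighbouring elements), but validate the inputs first. Returns 0
 * and writes *out on success, -1 if the call would read outside the array. */
int safe_quantile_from_sorted_data(const double sorted_data[], size_t stride,
                                   size_t n, double f, double *out)
{
    double index, delta;
    size_t lhs;

    if (sorted_data == NULL || out == NULL || n == 0 || stride == 0)
        return -1;

    /* A fraction outside [0,1] (NaN fails both comparisons too) is the
     * "nonsensical quantile" that makes the index land past the data. */
    if (!(f >= 0.0 && f <= 1.0))
        return -1;

    index = f * (double)(n - 1);
    lhs = (size_t)index;
    delta = index - (double)lhs;

    if (lhs >= n - 1)   /* f == 1.0: last element, no right-hand neighbour */
        *out = sorted_data[(n - 1) * stride];
    else
        *out = (1.0 - delta) * sorted_data[lhs * stride]
             + delta * sorted_data[(lhs + 1) * stride];
    return 0;
}

/* Convenience wrapper for callers that prefer NaN over a status code. */
double checked_quantile(const double sorted_data[], size_t stride,
                        size_t n, double f)
{
    double q;
    return safe_quantile_from_sorted_data(sorted_data, stride, n, f, &q) == 0 ? q : NAN;
}

/* Constructed sample input: already sorted, as the function requires. */
const double SAMPLE[] = { 1.0, 2.0, 3.0, 4.0, 5.0 };
```

With stride 2 and n 3 the routine reads only elements 0, 2 and 4 of SAMPLE, so the stride/count pair is part of what has to be consistent with the buffer the caller passes.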
Comment 6 OBSbugzilla Bot 2023-08-28 12:35:02 UTC
This is an autogenerated message for OBS integration:
This bug (1214681) was mentioned in
https://build.opensuse.org/request/show/1106734 Factory / gsl
Comment 7 Gianluca Gabrielli 2023-08-30 10:36:48 UTC
Hi Adam, I see that there are a couple of failed built-in tests on the i586 arch [0]; can you please review them and tell me whether we can skip them or whether a re-submission is needed? Thanks

[0] https://build.suse.de/public/build/SUSE:Maintenance:30354/SUSE_SLE-15-SP2_Update/i586/gsl.SUSE_SLE-15-SP2_Update:gnu-hpc/_log

```
[  164s] /bin/sh ../libtool  --tag=CC   --mode=link gcc  -ffp-contract=off -fomit-frame-pointer -fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -g   -o test test.o libgsllinalg.la ../blas/libgslblas.la ../cblas/libgslcblas.la ../permutation/libgslpermutation.la ../matrix/libgslmatrix.la ../vector/libgslvector.la ../block/libgslblock.la ../complex/libgslcomplex.la ../ieee-utils/libgslieeeutils.la ../err/libgslerr.la ../test/libgsltest.la ../sys/libgslsys.la ../utils/libutils.la ../rng/libgslrng.la -lm 
[  164s] libtool: link: gcc -ffp-contract=off -fomit-frame-pointer -fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -g -o .libs/test test.o  ./.libs/libgsllinalg.a ../blas/.libs/libgslblas.a ../cblas/.libs/libgslcblas.so ../permutation/.libs/libgslpermutation.a ../matrix/.libs/libgslmatrix.a ../vector/.libs/libgslvector.a ../block/.libs/libgslblock.a ../complex/.libs/libgslcomplex.a ../ieee-utils/.libs/libgslieeeutils.a ../err/.libs/libgslerr.a ../test/.libs/libgsltest.a ../sys/.libs/libgslsys.a ../utils/.libs/libutils.a ../rng/.libs/libgslrng.a -lm -Wl,-rpath -Wl,/usr/lib/hpc/gnu7/gsl/2.6/lib
[  165s] make[2]: Leaving directory '/home/abuild/rpmbuild/BUILD/gsl-2.6/linalg'
[  165s] make  check-TESTS
[  165s] make[2]: Entering directory '/home/abuild/rpmbuild/BUILD/gsl-2.6/linalg'
[  165s] make[3]: Entering directory '/home/abuild/rpmbuild/BUILD/gsl-2.6/linalg'
[  173s] FAIL: test
[  173s] ============================================================================
[  173s] Testsuite summary for gsl 2.6
[  173s] ============================================================================
[  173s] # TOTAL: 1
[  173s] # PASS:  0
[  173s] # SKIP:  0
[  173s] # XFAIL: 0
[  173s] # FAIL:  1
[  173s] # XPASS: 0
[  173s] # ERROR: 0
[  173s] ============================================================================
[  173s] See linalg/test-suite.log
[  173s] ============================================================================
[  173s] make[3]: *** [Makefile:772: test-suite.log] Error 1
[  173s] make[3]: Leaving directory '/home/abuild/rpmbuild/BUILD/gsl-2.6/linalg'
[  173s] make[2]: *** [Makefile:880: check-TESTS] Error 2
[  173s] make[2]: Leaving directory '/home/abuild/rpmbuild/BUILD/gsl-2.6/linalg'
[  173s] make[1]: *** [Makefile:951: check-am] Error 2
[  173s] make[1]: Leaving directory '/home/abuild/rpmbuild/BUILD/gsl-2.6/linalg'
[  173s] make: *** [Makefile:974: check-recursive] Error 1
[  173s] + find -name '*.log' -print -exec cat '{}' ';'
[  173s] ./matrix/test_static.log
[  173s] Completed [1347/1347]
[  173s] PASS test_static (exit status: 0)
[  173s] ./matrix/test.log
[  173s] Completed [1347/1347]
[  173s] PASS test (exit status: 0)
[  173s] ./matrix/test-suite.log
```

```
[  173s] ====================================
[  173s]    gsl 2.6: linalg/test-suite.log
[  173s] ====================================
[  173s] 
[  173s] # TOTAL: 1
[  173s] # PASS:  0
[  173s] # SKIP:  0
[  173s] # XFAIL: 0
[  173s] # FAIL:  1
[  173s] # XPASS: 0
[  173s] # ERROR: 0
[  173s] 
[  173s] .. contents:: :depth: 2
[  173s] 
[  173s] FAIL: test
[  173s] ==========
[  173s] 
[  173s] FAIL: LU_decomp rect3: ( 80,100)[64,65]: 4.12655062968342833e-05   4.12655062973499298e-05
[  173s]  (4.12655062968342833e-05 observed vs 4.12655062973499298e-05 expected) [5515924]
[  173s] FAIL: cholesky_decomp unscaled random: (147,147)[92,130]: 1.06636434789185456e-07   1.0663643479347229e-07
[  173s]  (1.06636434789185456e-07 observed vs 1.0663643479347229e-07 expected) [12196119]
[  173s] FAIL: cholesky_decomp unscaled random: (147,147)[130,92]: 1.06636434789185456e-07   1.0663643479347229e-07
[  173s]  (1.06636434789185456e-07 observed vs 1.0663643479347229e-07 expected) [12201667]
[  173s] FAIL: cholesky_decomp scaled random: (147,147)[92,130]: 1.06636434797499932e-07   1.0663643479347229e-07
[  173s]  (1.06636434797499932e-07 observed vs 1.0663643479347229e-07 expected) [12217728]
[  173s] FAIL: cholesky_decomp scaled random: (147,147)[130,92]: 1.06636434797499932e-07   1.0663643479347229e-07
[  173s]  (1.06636434797499932e-07 observed vs 1.0663643479347229e-07 expected) [12223276]
[  173s] FAIL test (exit status: 1)
[  173s] 
[  173s] ./config.log
[  173s] This file contains any messages produced by compilers while
[  173s] running configure, to aid debugging if configure makes a mistake.
[  173s] 
[  173s] It was created by gsl configure 2.6, which was
[  173s] generated by GNU Autoconf 2.69.  Invocation command line was
[  173s] 
[  173s]   $ ./configure --host=i586-suse-linux-gnu --build=i586-suse-linux-gnu --disable-dependency-tracking --prefix=/usr/lib/hpc/gnu7/gsl/2.6 --exec-prefix=/usr/lib/hpc/gnu7/gsl/2.6 --bindir=/usr/lib/hpc/gnu7/gsl/2.6/bin --sbindir=/usr/lib/hpc/gnu7/gsl/2.6/sbin --sysconfdir=/etc --datadir=/usr/lib/hpc/gnu7/gsl/2.6/share --includedir=/usr/lib/hpc/gnu7/gsl/2.6/include --libdir=/usr/lib/hpc/gnu7/gsl/2.6/lib --libexecdir=/usr/lib/hpc/gnu7/gsl/2.6/lib --localstatedir=/var --sharedstatedir=/var/lib --mandir=/usr/lib/hpc/gnu7/gsl/2.6/share/man --infodir=/usr/lib/hpc/gnu7/gsl/2.6/share/info --disable-static --enable-shared --with-gnu-ld
```
Comment 8 Adam Majer 2023-08-30 10:54:58 UTC
This is why we ignore these tests on i586 in the spec file. The few bad test results there are caused by the limited-precision maths on 32-bit Intel. Unless we want to relax these for all arches, it's best just to ignore these errors here.

From the spec file:

```
# On i586 this still fails
%ifarch %{ix86}
make %{?_smp_mflags} check || ( find -name \*.log -print -exec cat {} \; ; exit 0 )
%else
make %{?_smp_mflags} check || ( find -name \*.log -print -exec cat {} \; ; exit 1 )
%endif
```

Is it ok to proceed, or should I fix this for i586 (by relaxing precision)?
Comment 9 Gianluca Gabrielli 2023-08-30 11:29:02 UTC
That's more than enough. We'll simply skip these tests from the UM side. Thank you very much.
Comment 10 Maintenance Automation 2023-09-05 12:41:50 UTC
SUSE-SU-2023:3527-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1214681
CVE References: CVE-2020-35357
Sources used:
SUSE Linux Enterprise Workstation Extension 15 SP4 (src): gsl-2.4-150100.9.4.1
SUSE Linux Enterprise Workstation Extension 15 SP5 (src): gsl-2.4-150100.9.4.1
openSUSE Leap 15.4 (src): gsl-2.4-150100.9.4.1, gsl_2_4-gnu-hpc-2.4-150100.9.4.1
openSUSE Leap 15.5 (src): gsl_2_4-gnu-hpc-2.4-150100.9.4.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Maintenance Automation 2023-09-28 12:32:29 UTC
SUSE-SU-2023:3858-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1214681
CVE References: CVE-2020-35357
Sources used:
openSUSE Leap 15.4 (src): gsl-2.6-150200.3.4.3, gsl_2_6-gnu-hpc-2.6-150200.3.4.3
openSUSE Leap 15.5 (src): gsl-2.6-150200.3.4.3, gsl_2_6-gnu-hpc-2.6-150200.3.4.3
Desktop Applications Module 15-SP4 (src): gsl-2.6-150200.3.4.3
Desktop Applications Module 15-SP5 (src): gsl-2.6-150200.3.4.3
SUSE Package Hub 15 15-SP4 (src): gsl-2.6-150200.3.4.3
SUSE Package Hub 15 15-SP5 (src): gsl-2.6-150200.3.4.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Maintenance Automation 2023-10-11 16:30:03 UTC
SUSE-SU-2023:4051-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1214681
CVE References: CVE-2020-35357
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): gsl-1.16-5.4.1
SUSE Linux Enterprise Workstation Extension 12 12-SP5 (src): gsl-1.16-5.4.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Carlos López 2024-02-22 14:32:19 UTC
Done, closing.