Bugzilla – Bug 1222059
VUL-1: CVE-2023-46049: llvm: NULL pointer dereference in parseOneMetadata() via crafted pdflatex.fmt file (or perhaps a crafted .o file) to llvm-lto
Last modified: 2024-03-27 12:00:34 UTC
LLVM 15.0.0 has a NULL pointer dereference in the parseOneMetadata() function via a crafted pdflatex.fmt file (or perhaps a crafted .o file) to llvm-lto. NOTE: this is disputed because the relationship between pdflatex.fmt and any LLVM language front end is not explained, and because a crash of the llvm-lto application should be categorized as a usability problem.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-46049
https://www.cve.org/CVERecord?id=CVE-2023-46049
http://seclists.org/fulldisclosure/2024/Jan/66
https://github.com/llvm/llvm-project/issues/67388
https://llvm.org/docs/Security.html
Barely a security issue if at all. Anyhow, the fix seems trivial: https://github.com/llvm/llvm-project/commit/c2515a8f2be5dd23354c9891f41ad104000f88c4
llvm-lto is part of the llvm15 package which isn't shipped to SLES customers, only libLLVM15 is. llvm15 is available via PackageHub on some codestreams but as such unsupported:

Information for package llvm15:
-------------------------------
Repository     : SLE-Module-Packagehub-Subpackages15-SP5-Updates
Name           : llvm15
Version        : 15.0.7-150500.4.4.1
Arch           : x86_64
Vendor         : SUSE LLC <https://www.suse.com/>
Support Level  : unsupported
Installed Size : 11.6 MiB
Installed      : Yes
Status         : up-to-date
Source package : llvm15-15.0.7-150500.4.4.1.src
Upstream URL   : https://www.llvm.org/
Summary        : Low Level Virtual Machine
Description    :
    LLVM is a compiler infrastructure designed for compile-time, link-time,
    runtime, and idle-time optimization of programs from arbitrary programming
    languages. The compiler infrastructure includes mirror sets of programming
    tools as well as libraries with equivalent functionality.

apart from the fact that this is of course not a security issue at all.

llvm15 is no longer maintained upstream either.