bug-gsl

Re: Vulnerability Report - Integer Overflow in libgsl


From: Patrick Alken
Subject: Re: Vulnerability Report - Integer Overflow in libgsl
Date: Tue, 29 Oct 2024 23:04:41 -0400
User-agent: Mozilla Thunderbird

Hi all, I have been getting the emails, but I need a few days to look into this. This week is very busy! Thanks for working on this.

On 10/28/24 21:55, Marc Sunet wrote:


I emailed Patrick a patch when Silvia reported the bug, but my emails
might be going to spam.

The GSL library seems to use GSL_ERROR_VAL() to report invalid function
arguments, so this is the patch I sent:

diff --git a/siman/siman.c b/siman/siman.c
index 65b9177f..017a5e26 100644
--- a/siman/siman.c
+++ b/siman/siman.c
@@ -202,6 +202,10 @@ gsl_siman_solve_many (const gsl_rng * r, void
*x0_p, gsl_siman_Efunc_t Ef,
     printf ("         delta_pos        energy\n");
   }

+  if (params.n_tries <= 0) {
+    GSL_ERROR_VAL ("tries must be > 0", GSL_EINVAL, params.n_tries);
+  }
+
   x = (void *) malloc (params.n_tries * element_size);
   new_x = (void *) malloc (params.n_tries * element_size);
   energies = (double *) malloc (params.n_tries * sizeof (double));
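
Review bot: GSL_ERROR_VAL returns its third argument, so the added check hands the rejected params.n_tries back as the function result. The hunk does not show the return type of gsl_siman_solve_many; if it is void, the return inside the macro does not fit and GSL_ERROR_VOID ("tries must be > 0", GSL_EINVAL) is the form to use. The check also sits after the header printf calls shown in the context lines, so a rejected call has already written to stdout; placing it before that block avoids this. Finally, n_tries <= 0 only closes the lower end: a large positive n_tries can still wrap params.n_tries * element_size, and the three malloc results are not checked in the lines shown.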

On 10/28/24 16:01, Dirk Eddelbuettel wrote:
On 28 October 2024 at 16:02, Dirk Eddelbuettel wrote:
|
| This is apparently now CVE-2024-50610 [1], I was just pinged (as the Debian
| maintainer) by the Debian security team.
|
| Does the GSL team have a view on the preferred fix?  Bracket the allocation
| with an if (non_negative) { ... } block as suggested?

Patch proposal:


--- gsl-2.8+dfsg.orig/siman/siman.c
+++ gsl-2.8+dfsg/siman/siman.c
@@ -197,6 +197,9 @@ gsl_siman_solve_many (const gsl_rng * r,
    double u;                     /* throw the die to choose a new "x" */
    int n_iter;

+  /* this function requires that n_tries be positive */
+  assert(params.n_tries > 0);
+
    if (print_position) {
      printf ("#-iter    temperature       position");
      printf ("         delta_pos        energy\n");
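
Review bot: The assert(params.n_tries > 0) added at the top of the function is compiled out when the library is built with NDEBUG, so a release build still proceeds with the unchecked value, and where the assert is active it aborts the host process on bad caller input. Reporting through the library's error handler with GSL_EINVAL, as the other patch in this thread does, keeps the check in every build. The hunk also adds no #include <assert.h>; confirm siman.c already includes it.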


The test program then aborts:

# gcc gsl_cve_ex.c -o gsl_cve_ex -lgsl
# ./gsl_cve_ex
gsl_cve_ex: siman.c:201: gsl_siman_solve_many: Assertion `params.n_tries > 0' failed.
Aborted (core dumped)
#

Dirk
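
An added illustration, not code from GSL or from anyone in this thread: the size computation `n_tries * element_size` discussed above, once unchecked and once validated before `malloc`. The helper names `checked_array_bytes`, `unchecked_array_bytes` and `alloc_tries` are hypothetical, and the inputs are constructed.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper, not part of GSL: compute n_tries * element_size
 * as a size_t, rejecting counts <= 0 and products that would wrap. */
static int checked_array_bytes(int n_tries, size_t element_size, size_t *bytes)
{
    if (n_tries <= 0 || element_size == 0)
        return EINVAL;
    if ((size_t)n_tries > SIZE_MAX / element_size)
        return EOVERFLOW;
    *bytes = (size_t)n_tries * element_size;
    return 0;
}

/* What the unchecked expression yields: the int is converted to size_t
 * before the multiply, so a negative count turns into a huge one. */
static size_t unchecked_array_bytes(int n_tries, size_t element_size)
{
    return n_tries * element_size;
}

/* Allocate only when the size is valid; otherwise return NULL and set *err. */
static void *alloc_tries(int n_tries, size_t element_size, int *err)
{
    size_t bytes = 0;
    void *p;

    *err = checked_array_bytes(n_tries, element_size, &bytes);
    if (*err != 0)
        return NULL;
    p = malloc(bytes);
    if (p == NULL)
        *err = ENOMEM;
    return p;
}

int main(void)
{
    int err;
    void *p = alloc_tries(-1, sizeof(double), &err); /* constructed input */
    printf("n_tries=-1: err=%d, unchecked size would be %zu bytes\n",
           err, unchecked_array_bytes(-1, sizeof(double)));
    free(p);
    return 0;
}
```

Unlike an `assert`, the validation in `checked_array_bytes` stays in place when the code is built with `NDEBUG`.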




