Fix out of bounds read in *larrv, CVE-2021-4048

38f3eeee3108b18158409ca2a100e6fe03754781.patch

@@ -0,0 +1,78 @@
+From 0631b6beaed60ba118b0b027c0f8d35397bf5df0 Mon Sep 17 00:00:00 2001
+From: Keno Fischer <keno@juliacomputing.com>
+Date: Thu, 30 Sep 2021 03:51:23 -0400
+Subject: [PATCH] Fix out of bounds read in slarrv
+
+This was originally reported as https://github.com/JuliaLang/julia/issues/42415.
+I've tracked this down to an our of bounds read on the following line:
+
+https://github.com/Reference-LAPACK/lapack/blob/44ecb6a5ff821b1cbb39f8cc2166cb098e060b4d/SRC/slarrv.f#L423
+
+In the crashing example, `M` is `0`, causing `slarrv` to read uninitialized
+memory from the work array. I believe the `0` for `M` is correct and indeed,
+the documentation above supports that `M` may be zero:
+
+https://github.com/Reference-LAPACK/lapack/blob/44ecb6a5ff821b1cbb39f8cc2166cb098e060b4d/SRC/slarrv.f#L113-L116
+
+I believe it may be sufficient to early-out this function as suggested
+in this PR. However, I have limited context for the full routine here,
+so I would appreciate a sanity check.
+---
+ SRC/clarrv.f | 2 +-
+ SRC/dlarrv.f | 2 +-
+ SRC/slarrv.f | 2 +-
+ SRC/zlarrv.f | 2 +-
+ 4 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/SRC/clarrv.f b/SRC/clarrv.f
+index 1f09e4da6..42f710757 100644
+--- a/SRC/clarrv.f
++++ b/SRC/clarrv.f
+@@ -348,7 +348,7 @@ SUBROUTINE CLARRV( N, VL, VU, D, L, PIVMIN,
+ *
+ *     Quick return if possible
+ *
+-      IF( N.LE.0 ) THEN
++      IF( (N.LE.0).OR.(M.LE.0) ) THEN
+          RETURN
+       END IF
+ *
+diff --git a/SRC/dlarrv.f b/SRC/dlarrv.f
+index b036c1e66..299430361 100644
+--- a/SRC/dlarrv.f
++++ b/SRC/dlarrv.f
+@@ -350,7 +350,7 @@ SUBROUTINE DLARRV( N, VL, VU, D, L, PIVMIN,
+ *
+ *     Quick return if possible
+ *
+-      IF( N.LE.0 ) THEN
++      IF( (N.LE.0).OR.(M.LE.0) ) THEN
+          RETURN
+       END IF
+ *
+diff --git a/SRC/slarrv.f b/SRC/slarrv.f
+index 9d72b339a..95f94fd1b 100644
+--- a/SRC/slarrv.f
++++ b/SRC/slarrv.f
+@@ -350,7 +350,7 @@ SUBROUTINE SLARRV( N, VL, VU, D, L, PIVMIN,
+ *
+ *     Quick return if possible
+ *
+-      IF( N.LE.0 ) THEN
++      IF( (N.LE.0).OR.(M.LE.0) ) THEN
+          RETURN
+       END IF
+ *
+diff --git a/SRC/zlarrv.f b/SRC/zlarrv.f
+index 51ec558f5..e4be63e0d 100644
+--- a/SRC/zlarrv.f
++++ b/SRC/zlarrv.f
+@@ -348,7 +348,7 @@ SUBROUTINE ZLARRV( N, VL, VU, D, L, PIVMIN,
+ *
+ *     Quick return if possible
+ *
+-      IF( N.LE.0 ) THEN
++      IF( (N.LE.0).OR.(M.LE.0) ) THEN
+          RETURN
+       END IF
+ *

lapack.spec

@@ -13,13 +13,17 @@
 Summary: Numerical linear algebra package libraries
 Name: lapack
 Version: %{mediumver}.0
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: BSD
 URL: http://www.netlib.org/lapack/
 Source0: https://github.com/Reference-LAPACK/lapack/archive/v%{version}.tar.gz
 Source1: http://www.netlib.org/lapack/manpages.tgz
 Source4: http://www.netlib.org/lapack/lapackqref.ps
 Source5: http://www.netlib.org/blas/blasqr.ps
+# Fixes out of bounds read in *larrv
+# CVE-2021-4048
+Patch0: https://github.com/Reference-LAPACK/lapack/commit/38f3eeee3108b18158409ca2a100e6fe03754781.patch
+
 BuildRequires: gcc-gfortran, gawk
 BuildRequires: make, cmake
 Requires: blas%{?_isa} = %{version}-%{release}
@@ -111,6 +115,7 @@ This build has 64bit INTEGER support and a symbol name suffix.
 %prep
 %setup -q
 %setup -q -D -T -a1
+%patch0 -p1 -b .CVE-2021-4048
 
 mkdir manpages
 mv man/ manpages/
@@ -393,6 +398,9 @@ cp -f manpages/man/man3/* ${RPM_BUILD_ROOT}%{_mandir}/man3
 %endif
 
 %changelog
+* Wed Dec  8 2021 Tom Callaway <spot@fedoraproject.org> - 3.10.0-4
+- Fix out of bounds read in *larrv, CVE-2021-4048
+
 * Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.10.0-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild