Fix out of bounds read in ?llarv (Reference-LAPACK PR 625)

(CVE-2021-4048) Resolves: #2029855
2022-01-11 12:57:25 +01:00 · 2022-01-11 12:57:25 +01:00 · ce892e37a7
commit ce892e37a7
parent 62ae8a3b91
2 changed files with 36 additions and 1 deletions
--- a/openblas-0.3.15-out-of-bounds-read.patch
+++ b/openblas-0.3.15-out-of-bounds-read.patch
@ -0,0 +1,27 @@
+From 337b65133df174796794871b3988cd03426e6d41 Mon Sep 17 00:00:00 2001
+From: Martin Kroeker <martin@ruby.chemie.uni-freiburg.de>
+Date: Fri, 1 Oct 2021 11:19:53 +0200
+Subject: [PATCH] Fix out of bounds read in ?llarv (Reference-LAPACK PR 625)
+
+Resolves: CVE-2021-4048
+
+---
+ lapack-netlib/SRC/zlarrv.f | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lapack-netlib/SRC/zlarrv.f b/lapack-netlib/SRC/zlarrv.f
+index 23976dbe..8d10e3c2 100644
+--- a/lapack-netlib/SRC/zlarrv.f
+++ b/lapack-netlib/SRC/zlarrv.f
+@@ -351,7 +351,7 @@
+ *
+ *     Quick return if possible
+ *
+-      IF( N.LE.0 ) THEN
+      IF( (N.LE.0).OR.(M.LE.0) ) THEN
+          RETURN
+       END IF
+ *
+-- 
+2.33.1
+
--- a/openblas.spec
+++ b/openblas.spec
@ -15,7 +15,7 @@

 Name:           openblas
 Version:        0.3.15
-Release:        2%{?dist}
+Release:        3%{?dist}
 Summary:        An optimized BLAS library based on GotoBLAS2
 License:        BSD
 URL:            https://github.com/xianyi/OpenBLAS/
@ -28,6 +28,8 @@ Patch1:         openblas-0.2.5-libname.patch
 Patch2:         openblas-0.2.15-constructor.patch
 # Supply the proper flags to the test makefile
 Patch3:         openblas-0.3.11-tests.patch
+# Fix out of bounds read in ?llarv (Reference-LAPACK PR 625)
+Patch4:         openblas-0.3.15-out-of-bounds-read.patch

 BuildRequires: make
 BuildRequires:  gcc
@ -241,6 +243,7 @@ cd OpenBLAS-%{version}
 %patch2 -p1 -b .constructor
 %endif
 %patch3 -p1 -b .tests
+%patch4 -p1 -b .out-of-bound-read

 # Fix source permissions
 find -name \*.f -exec chmod 644 {} \;
@ -646,6 +649,11 @@ rm -rf %{buildroot}%{_libdir}/pkgconfig
 %endif

 %changelog
+* Tue Jan 11 2022 Honza Horak <hhorak@redhat.com> - 0.3.15-3
+- Fix out of bounds read in ?llarv (Reference-LAPACK PR 625)
+  (CVE-2021-4048)
+  Resolves: #2029855
+
 * Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 0.3.15-2
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
  Related: rhbz#1991688