[Debian-med-packaging] Bug#1041468: bookworm-pu: package hnswlib/0.6.2-2+deb12u1

Étienne Mollier emollier at debian.org
Wed Jul 19 11:04:04 BST 2023


Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org at packages.debian.org
Usertags: pu
X-Debbugs-Cc: hnswlib at packages.debian.org
Control: affects -1 + src:hnswlib

Hi Stable Release Managers,

[ Reason ]
hnswlib is affected by CVE-2023-37365 marked no-dsa, documented
through the important bug #1041426.  Quoting the CVE for short:
hnswlib has a double free in init_index when the M argument is a
large integer.

[ Impact ]
Users of hnswlib may encounter double-free crashes when
specifying random values for the M parameter of the software.

[ Tests ]
I verified the package built in a clean bookworm chroot, then
verified there were no autopkgtest regressions in bookworm, then
verified manually that the reproducer did trigger the crash with
the current version in bookworm, and finally that the patched
version did not trigger the crash anymore, but instead raised
the warning message appropriately.

[ Risks ]
There is little risk as the change is relatively straightforward,
but users who might like to set off-specification values of the
M parameter may run into the self-imposed limitation.  M is
documented to have values that make sense in a range from 2 to
100, and the patch sets a hard limit at 10000 per upstream
recommendation.

[ Checklist ]
  [*] *all* changes are documented in the d/changelog
  [*] I reviewed all changes and I approve them
  [*] attach debdiff against the package in stable
  [*] the issue is verified as fixed in unstable

[ Changes ]
The changes mostly consist of applying a version of the patch
discussed with upstream[1], ported to hnswlib 0.6.2-2 in
bookworm.  Instead of forwarding the value of the argument M
as-is, the code now checks that the value is less than 10000
before applying it.  If the value is larger, then it is capped and
the library issues a warning.

[1]: https://github.com/nmslib/hnswlib/pull/484

[ Other info ]
It might have made sense to also set a check for M == 1, as it
will result in a crash, probably not as serious as the double
free though:

	Traceback (most recent call last):
	  File "<stdin>", line 1, in <module>
	RuntimeError: Not enough memory: addPoint failed to allocate linklist

M == 0 seems to behave, or has a special meaning.  In doubt, I
prefer leaving it as-is.

Last info: lintian loudly complained about the distribution field,
but looking at the Developer's Reference, the field seemed good,
so if there is anything I need to change, don't hesitate to
tell me:

	E: hnswlib changes: bad-distribution-in-changes-file bookworm

Have a nice day,  :)
-- 
  .''`.  Étienne Mollier <emollier at debian.org>
 : :' :  gpg: 8f91 b227 c7d6 f2b1 948c  8236 793c f67e 8f0d 11da
 `. `'   sent from /dev/pts/4, please excuse my verbosity
   `-    on air: Chroma Key - Human Love
-------------- next part --------------
diff -Nru hnswlib-0.6.2/debian/changelog hnswlib-0.6.2/debian/changelog
--- hnswlib-0.6.2/debian/changelog	2022-10-12 16:11:36.000000000 +0200
+++ hnswlib-0.6.2/debian/changelog	2023-07-19 10:27:07.000000000 +0200
@@ -1,3 +1,12 @@
+hnswlib (0.6.2-2+deb12u1) bookworm; urgency=medium
+
+  * Team upload.
+  * cve-2023-37365.patch: new: fix CVE-2023-37365.
+    This is done by capping M to 10000 per discussion with upstream.
+    (Closes: #1041426)
+
+ -- Étienne Mollier <emollier at debian.org>  Wed, 19 Jul 2023 10:27:07 +0200
+
 hnswlib (0.6.2-2) unstable; urgency=medium
 
   * Team upload.
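Review bot: The changelog entry only says "capping M to 10000", but the patch also changes behaviour visible to stable users: a value above 10000 is silently replaced rather than rejected, and the only notice is a warning on stderr. One more line in the entry, e.g. "values above 10000 are capped with a warning on stderr instead of being passed through", would tell apt-listchanges readers what to expect without opening the patch.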
diff -Nru hnswlib-0.6.2/debian/patches/cve-2023-37365.patch hnswlib-0.6.2/debian/patches/cve-2023-37365.patch
--- hnswlib-0.6.2/debian/patches/cve-2023-37365.patch	1970-01-01 01:00:00.000000000 +0100
+++ hnswlib-0.6.2/debian/patches/cve-2023-37365.patch	2023-07-19 10:24:55.000000000 +0200
@@ -0,0 +1,40 @@
+Description: hnswalg.h: cap M to 10000 (CVE-2023-37365)
+ This patch works around issue nmslib#467, also referenced as CVE-2023-37365,
+ by implementing Yury Malkov's suggestion about capping the M value,
+ coding the maximum number of outgoing connections in the graph, to a
+ reasonable enough value of the order of 10000.  For the record, the
+ documentation indicates reasonable values for M range from 2 to 100,
+ which are well within the cap; see ALGO_PARAMS.md.
+ .
+ The reproducer shown in issue nmslib#467 doesn't trigger the double free
+ condition anymore after this change is applied, but completes
+ successfully, although with the below warning popping up on purpose:
+ .
+  warning: M parameter exceeds 10000 which may lead to adverse effects.
+           Cap to 10000 will be applied for the rest of the processing.
+
+Author: Étienne Mollier <emollier at debian.org>
+Bug: https://github.com/nmslib/hnswlib/issues/467
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1041426
+Forwarded: https://github.com/nmslib/hnswlib/pull/484
+Reviewed-by: Yury Malkov <yurymalkov at mail.ru>
+Last-Update: 2023-07-19
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- hnswlib.orig/hnswlib/hnswalg.h
++++ hnswlib/hnswlib/hnswalg.h
+@@ -33,7 +33,13 @@
+             data_size_ = s->get_data_size();
+             fstdistfunc_ = s->get_dist_func();
+             dist_func_param_ = s->get_dist_func_param();
+-            M_ = M;
++            if ( M <= 10000 ) {
++                M_ = M;
++            } else {
++                std::cerr << "warning: M parameter exceeds 10000 which may lead to adverse effects." << std::endl;
++                std::cerr << "         Cap to 10000 will be applied for the rest of the processing." << std::endl;
++                M_ = 10000;
++            }
+             maxM_ = M_;
+             maxM0_ = M_ * 2;
+             ef_construction_ = std::max(ef_construction,M_);
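Review bot: The cap at the top of this hunk rewrites M behind the caller's back and reports it only on stderr, which a Python caller of init_index will rarely see; since the library already surfaces failures as exceptions (the mail's own traceback shows "RuntimeError: Not enough memory: addPoint failed to allocate linklist"), consider a `throw std::runtime_error(...)` in the else branch instead of clamping, so an out-of-range M fails loudly at construction rather than producing an index built with a different parameter than requested. If the cap is kept, three smaller points: the literal 10000 appears four times (the condition, both message strings and the assignment), so a single named constant would stop the check and the messages from drifting apart; `std::cerr` needs `<iostream>`, and the hunk does not show the includes, so check that hnswalg.h already pulls it in; and the branch only bounds the top of the range, while the mail's "Other info" section notes that M == 1 crashes later in addPoint, so a lower bound of 2 (the documented minimum) would fit naturally in the same `if`.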
diff -Nru hnswlib-0.6.2/debian/patches/series hnswlib-0.6.2/debian/patches/series
--- hnswlib-0.6.2/debian/patches/series	2022-10-12 16:11:36.000000000 +0200
+++ hnswlib-0.6.2/debian/patches/series	2023-07-19 10:23:46.000000000 +0200
@@ -2,3 +2,4 @@
 noTwine.patch
 use-shared-while-linking.patch
 do-not-use-native-flags.patch
+cve-2023-37365.patch
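The following is an added example, not code from hnswlib, from the Debian patch or from the mail above: a stand-alone C++ model of the M-parameter check the patch introduces, placed here after the complete message. It shows the patch's cap-and-warn policy next to a stricter reject policy that also covers the M == 1 failure mentioned in "Other info", and it performs the `maxM0_ = M_ * 2` derivation visible in the hunk with wrap-around detected rather than ignored. It assumes M has type std::size_t, as in the hnswlib constructor (the hunk does not show the declaration), and the constants kMaxM and kMinM, the functions and the namespace are this example's own names.

```cpp
// Added example, not hnswlib or Debian patch code: a model of the
// M-parameter validation introduced by cve-2023-37365.patch.
// Assumption: M is a std::size_t, as in the hnswlib constructor; the
// hunk above does not show the declaration.
#include <cstddef>
#include <iostream>
#include <limits>
#include <stdexcept>

namespace m_check {

constexpr std::size_t kMaxM = 10000;  // hard cap chosen in the patch
constexpr std::size_t kMinM = 2;      // low end of the documented range (ALGO_PARAMS.md: 2 to 100)

struct CapResult {
    std::size_t m;  // value actually used for M_
    bool capped;    // true when the input exceeded kMaxM
};

// Policy 1 (what the bookworm patch does): continue with a capped value
// and report the adjustment on stderr.
CapResult cap_m(std::size_t M) {
    if (M <= kMaxM) {
        return {M, false};
    }
    std::cerr << "warning: M parameter exceeds " << kMaxM
              << " which may lead to adverse effects.\n"
              << "         Cap to " << kMaxM
              << " will be applied for the rest of the processing." << std::endl;
    return {kMaxM, true};
}

// Policy 2 (stricter alternative): refuse both ends of the range instead of
// adjusting the value. The lower bound also covers M == 1, which the mail
// reports as failing later in addPoint with "Not enough memory".
std::size_t require_m(std::size_t M) {
    if (M < kMinM || M > kMaxM) {
        throw std::invalid_argument("M must be between 2 and 10000");
    }
    return M;
}

// Boolean form of require_m for callers that prefer no exception.
bool rejects_m(std::size_t M) {
    try {
        require_m(M);
        return false;
    } catch (const std::invalid_argument&) {
        return true;
    }
}

// The line after the cap in the hunk computes maxM0_ = M_ * 2. Without a
// bound that product wraps for M above SIZE_MAX / 2; whether this is the
// exact path to the double free of CVE-2023-37365 is not shown on this
// page, but it is the kind of arithmetic the cap keeps in range. Returns
// false instead of wrapping.
bool derive_maxM0(std::size_t M, std::size_t& maxM0) {
    if (M > std::numeric_limits<std::size_t>::max() / 2) {
        return false;
    }
    maxM0 = M * 2;
    return true;
}

}  // namespace m_check

int main() {
    using namespace m_check;
    std::size_t maxM0 = 0;

    CapResult ok = cap_m(16);          // documented-range value passes through
    CapResult big = cap_m(1u << 20);   // out-of-range value is capped with a warning
    std::cout << "cap_m(16) -> " << ok.m << ", capped=" << ok.capped << '\n'
              << "cap_m(2^20) -> " << big.m << ", capped=" << big.capped << '\n';

    std::cout << "require_m(1) rejected: " << rejects_m(1) << '\n'
              << "require_m(64) rejected: " << rejects_m(64) << '\n';

    std::cout << "derive_maxM0(SIZE_MAX) fits: "
              << derive_maxM0(std::numeric_limits<std::size_t>::max(), maxM0) << '\n';
    derive_maxM0(kMaxM, maxM0);
    std::cout << "derive_maxM0(10000) -> " << maxM0 << '\n';
    return 0;
}
```

Build with `g++ -std=c++11 -Wall m_check.cpp -o m_check` and run it: cap_m(2^20) prints the same two-line warning as the patch and returns 10000, require_m(1) is rejected where the patched library would only fail later in addPoint, and derive_maxM0 refuses SIZE_MAX instead of wrapping to SIZE_MAX - 1.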