Received: (at submit) by bugs.debian.org; 24 Apr 2025 07:44:21 +0000
Return-path: <carnil@debian.org>
Received: from stravinsky.debian.org ([2001:41b8:202:deb::311:108]:51266)
 from C=NA, ST=NA, L=Ankh Morpork, O=Debian SMTP, OU=Debian SMTP CA,
 CN=stravinsky.debian.org, EMAIL=hostmaster@stravinsky.debian.org (verified)
 by buxtehude.debian.org with esmtps
 (TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256)
 (Exim 4.94.2) (envelope-from <carnil@debian.org>) id 1u7rFt-00D3sP-D7
 for submit@bugs.debian.org; Thu, 24 Apr 2025 07:44:21 +0000
Received: from authenticated user by stravinsky.debian.org with esmtpsa
 (TLS1.3:ECDHE_X25519__RSA_PSS_RSAE_SHA256__AES_256_GCM:256)
 (Exim 4.94.2) (envelope-from <carnil@debian.org>) id 1u7rFq-00BDpk-L6
 for submit@bugs.debian.org; Thu, 24 Apr 2025 07:44:19 +0000
Received: from eldamar.lan (localhost [IPv6:::1])
 by eldamar.lan (Postfix) with ESMTP id 12BB2BE2DE0
 for <submit@bugs.debian.org>; Thu, 24 Apr 2025 09:44:18 +0200 (CEST)
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: llvm-toolchain-19: CVE-2024-7883
Message-ID: <174548065801.2160037.3945312902220793913.reportbug@eldamar.lan>
X-Mailer: reportbug 13.1.0
Date: Thu, 24 Apr 2025 09:44:18 +0200
X-Debian-User: carnil
Delivered-To: submit@bugs.debian.org

Source: llvm-toolchain-19
Version: 1:19.1.7-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: clone -1 -2 -3 -4
Control: reassign -2 src:llvm-toolchain-18 1:18.1.8-17
Control: retitle -2 llvm-toolchain-18: CVE-2024-7883
Control: reassign -3 src:llvm-toolchain-17 1:17.0.6-21
Control: retitle -3 llvm-toolchain-17: CVE-2024-7883
Control: reassign -4 src:llvm-toolchain-14 1:14.0.6-20
Control: retitle -4 llvm-toolchain-14: CVE-2024-7883

Hi,

The following vulnerability was published for llvm-toolchain-*.

CVE-2024-7883[0]:
| When using Arm Cortex-M Security Extensions (CMSE), Secure stack
| contents can be leaked to Non-secure state via floating-point
| registers when a Secure to Non-secure function call is made that
| returns a floating-point value and when this is the first use of
| floating-point since entering Secure state. This allows an attacker
| to read a limited quantity of Secure stack contents with an impact
| on confidentiality. This issue is specific to code generated using
| LLVM-based compilers.

This is more for tracking, as I do not expect we can have it fixed in
the respective branches other than 20.x.

In case it is still fixed:

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-7883
    https://www.cve.org/CVERecord?id=CVE-2024-7883
[1] https://developer.arm.com/Arm%20Security%20Center/Cortex-M%20Security%20Extensions%20Vulnerability
[2] https://bugzilla.redhat.com/show_bug.cgi?id=2322994
[3] https://github.com/llvm/llvm-project/pull/114433

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore