[med-svn] [Git][med-team/hnswlib][master] 7 commits: cve-2023-37365.patch: new: fix CVE-2023-37365.
Étienne Mollier (@emollier)
gitlab at salsa.debian.org
Wed Jul 19 08:45:06 BST 2023
Étienne Mollier pushed to branch master at Debian Med / hnswlib
Commits:
1b778ce2 by Étienne Mollier at 2023-07-19T09:01:06+02:00
cve-2023-37365.patch: new: fix CVE-2023-37365.
This is done by capping M to 10000 per discussion with upstream.
Closes: #1041426
- - - - -
926f0cbc by Étienne Mollier at 2023-07-19T09:33:13+02:00
d/t/run-unit-test: adjust to new source layout.
- - - - -
76e7af32 by Étienne Mollier at 2023-07-19T09:34:21+02:00
update changelog.
- - - - -
604fee24 by Étienne Mollier at 2023-07-19T09:35:12+02:00
d/copyright: update reference to sift_1b.cpp.
- - - - -
ca8e523a by Étienne Mollier at 2023-07-19T09:42:56+02:00
d/t/run-unit-test: test against all supported python3 versions.
- - - - -
d898b51d by Étienne Mollier at 2023-07-19T09:43:45+02:00
d/control: add myself to uploaders.
- - - - -
0c719495 by Étienne Mollier at 2023-07-19T09:44:37+02:00
ready to upload to unstable.
- - - - -
6 changed files:
- debian/changelog
- debian/control
- debian/copyright
- + debian/patches/cve-2023-37365.patch
- debian/patches/series
- debian/tests/run-unit-test
Changes:
=====================================
debian/changelog
=====================================
@@ -1,11 +1,19 @@
-hnswlib (0.7.0-1) UNRELEASED; urgency=medium
+hnswlib (0.7.0-1) unstable; urgency=medium
- * Team upload.
+ [ Andreas Tille ]
* New upstream version
* Standards-Version: 4.6.2 (routine-update)
- TODO: Check autopkgtest
- -- Andreas Tille <tille at debian.org> Wed, 12 Jul 2023 21:37:27 +0200
+ [ Étienne Mollier ]
+ * cve-2023-37365.patch: new: fix CVE-2023-37365.
+ This is done by capping M to 10000 per discussion with upstream.
+ (Closes: #1041426)
+ * d/t/run-unit-test: adjust to new source layout.
+ * d/copyright: update reference to sift_1b.cpp.
+ * d/t/run-unit-test: test agains all supported python3 versions.
+ * d/control: add myself to uploaders.
+
+ -- Étienne Mollier <emollier at debian.org> Wed, 19 Jul 2023 09:44:03 +0200
hnswlib (0.6.2-2) unstable; urgency=medium
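Review bot: the new changelog line `* d/t/run-unit-test: test agains all supported python3 versions.` has a typo, `agains` should read `against`; the same wording is used as the commit subject, so fix both before upload. Dropping `* Team upload.` is consistent with the control change that adds the author to Uploaders, and the `(Closes: #1041426)` reference matches the bug in the patch header.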
=====================================
debian/control
=====================================
@@ -2,7 +2,8 @@ Source: hnswlib
Section: science
Priority: optional
Maintainer: Debian Med Packaging Team <debian-med-packaging at lists.alioth.debian.org>
-Uploaders: Steffen Moeller <moeller at debian.org>
+Uploaders: Steffen Moeller <moeller at debian.org>,
+ Étienne Mollier <emollier at debian.org>
Build-Depends: debhelper-compat (= 13),
dh-python,
python3-all-dev,
=====================================
debian/copyright
=====================================
@@ -11,7 +11,7 @@ Copyright: Yury Malkov
Louis Abraham ([@louisabraham](https://github.com/louisabraham))
License: Apache-2.0
-Files: sift_1b.cpp
+Files: tests/cpp/sift_1b.cpp
Copyright: David Robert Nadeau
Comment: The code is available at http://NadeauSoftware.com/
License: CC-BY-3.0
=====================================
debian/patches/cve-2023-37365.patch
=====================================
@@ -0,0 +1,40 @@
+Description: hnswalg.h: cap M to 10000 (CVE-2023-37365)
+ This patch works around issue nmslib#467, also referenced as CVE-2023-37365,
+ by implementing Yury Malkov's suggestion about capping the M value,
+ coding the maximum number of outgoing connections in the graph, to a
+ reasonable enough value of the order of 10000. For the record, the
+ documentation indicates reasonable values for M range from 2 to 100,
+ which are well within the cap; see ALGO_PARAMS.md.
+ .
+ The reproducer shown in issue nmslib#467 doesn't trigger the double free
+ condition anymore after this change is applied, but completes
+ successfully, although with the below warning popping up on purpose:
+ .
+ warning: M parameter exceeds 10000 which may lead to adverse effects.
+ Cap to 10000 will be applied for the rest of the processing.
+
+Author: Étienne Mollier <emollier at debian.org>
+Bug: https://github.com/nmslib/hnswlib/issues/467
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1041426
+Forwarded: https://github.com/nmslib/hnswlib/pull/484
+Reviewed-by: Yury Malkov <yurymalkov at mail.ru>
+Last-Update: 2023-07-19
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- hnswlib.orig/hnswlib/hnswalg.h
++++ hnswlib/hnswlib/hnswalg.h
+@@ -102,7 +102,13 @@
+ data_size_ = s->get_data_size();
+ fstdistfunc_ = s->get_dist_func();
+ dist_func_param_ = s->get_dist_func_param();
+- M_ = M;
++ if ( M <= 10000 ) {
++ M_ = M;
++ } else {
++ std::cerr << "warning: M parameter exceeds 10000 which may lead to adverse effects." << std::endl;
++ std::cerr << " Cap to 10000 will be applied for the rest of the processing." << std::endl;
++ M_ = 10000;
++ }
+ maxM_ = M_;
+ maxM0_ = M_ * 2;
+ ef_construction_ = std::max(ef_construction, M_);
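Review bot: the inner hunk introduces `std::cerr` and `std::endl` into hnswalg.h without adding an `#include <iostream>`; confirm the header already includes it directly rather than relying on a transitive include, or the build depends on include order. The literal 10000 is repeated four times (the condition, both warning strings and the assignment); a single named constant such as `static const size_t MAX_M = 10000;` would keep the warning text and the actual cap from drifting apart. Also, the cap is applied only in the constructor path shown here; if `M_` can be set by another path, for example when an index is loaded from a file, that path needs the same check, and this hunk does not cover it.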
=====================================
debian/patches/series
=====================================
@@ -2,3 +2,4 @@ cassert.patch
noTwine.patch
use-shared-while-linking.patch
do-not-use-native-flags.patch
+cve-2023-37365.patch
=====================================
debian/tests/run-unit-test
=====================================
@@ -11,7 +11,13 @@ if [ "${AUTOPKGTEST_TMP}" = "" ] ; then
fi
cp -a ${CUR_DIR}/python_bindings/* "${AUTOPKGTEST_TMP}"
+cp -r ${CUR_DIR}/tests "${AUTOPKGTEST_TMP}"
cd "${AUTOPKGTEST_TMP}"
-python3 -m unittest -v tests/*
-
+for python3 in $(py3versions --supported)
+do
+ $python3 -m unittest discover \
+ --start-directory tests/python \
+ --pattern "bindings_test*.py" \
+ -v
+done
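Review bot: the loop variable is named `python3`, so inside the loop `$python3` expands to an interpreter path such as `python3.11` while the bare command name `python3` means something else; renaming it (e.g. `py`) avoids the confusion. The added `cp -r ${CUR_DIR}/tests "${AUTOPKGTEST_TMP}"` leaves `${CUR_DIR}` unquoted like the existing `cp -a` line, so quote both. Finally, check that a failing unittest run under one interpreter fails the whole test (a `set -e` near the top of the script or an explicit exit status check after the loop); the hunk alone does not show either, and without it the loop would continue and mask the failure.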
View it on GitLab: https://salsa.debian.org/med-team/hnswlib/-/compare/49b2c03518ad486fb65eef8b4560b682749adc5e...0c719495d411e91d3092f6598154d37cf00092a9