From 8a8fd4d3bac82028277a80bfec7ee7b819c336b8 Mon Sep 17 00:00:00 2001
From: zhouwenpei
Date: Mon, 20 Dec 2021 16:47:45 +0800
Subject: [PATCH] fix CVE-2021-4048
---
...s-read-in-llarv-Reference-LAPACK-PR-.patch | 26 ++++++++++++++++++
...s-read-in-llarv-Reference-LAPACK-PR-.patch | 26 ++++++++++++++++++
...s-read-in-llarv-Reference-LAPACK-PR-.patch | 26 ++++++++++++++++++
...s-read-in-llarv-Reference-LAPACK-PR-.patch | 27 +++++++++++++++++++
openblas.spec | 13 ++++++++-
5 files changed, 117 insertions(+), 1 deletion(-)
create mode 100644 0001-Fix-out-of-bounds-read-in-llarv-Reference-LAPACK-PR-.patch
create mode 100644 0002-Fix-out-of-bounds-read-in-llarv-Reference-LAPACK-PR-.patch
create mode 100644 0003-Fix-out-of-bounds-read-in-llarv-Reference-LAPACK-PR-.patch
create mode 100644 0004-Fix-out-of-bounds-read-in-llarv-Reference-LAPACK-PR-.patch
diff --git a/0001-Fix-out-of-bounds-read-in-llarv-Reference-LAPACK-PR-.patch b/0001-Fix-out-of-bounds-read-in-llarv-Reference-LAPACK-PR-.patch
new file mode 100644
index 0000000..c7dc615
--- /dev/null
+++ b/0001-Fix-out-of-bounds-read-in-llarv-Reference-LAPACK-PR-.patch
@@ -0,0 +1,26 @@
+From 2be5ee3cca97a597f2ee2118808a2d5eacea050c Mon Sep 17 00:00:00 2001
+From: Martin Kroeker
+Date: Fri, 1 Oct 2021 11:17:21 +0200
+Subject: [PATCH 1/4] Fix out of bounds read in ?llarv (Reference-LAPACK PR
+ 625)
+
+---
+ lapack-netlib/SRC/clarrv.f | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lapack-netlib/SRC/clarrv.f b/lapack-netlib/SRC/clarrv.f
+index a45f55ac..26a9febc 100644
+--- a/lapack-netlib/SRC/clarrv.f
++++ b/lapack-netlib/SRC/clarrv.f
+@@ -351,7 +351,7 @@
+ *
+ * Quick return if possible
+ *
+- IF( N.LE.0 ) THEN
++ IF( (N.LE.0) .OR. (M.LE.0) ) THEN
+ RETURN
+ END IF
+ *
+--
+2.27.0
+
diff --git a/0002-Fix-out-of-bounds-read-in-llarv-Reference-LAPACK-PR-.patch b/0002-Fix-out-of-bounds-read-in-llarv-Reference-LAPACK-PR-.patch
new file mode 100644
index 0000000..339714d
--- /dev/null
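Review bot: The comment above the changed test in clarrv.f still says only `Quick return if possible`, so the source does not record that the added `M.LE.0` condition is the out-of-bounds-read fix for CVE-2021-4048 rather than a shortcut. If the backport may differ from upstream, I would make it `*     Quick return if possible (M = 0 must not reach the code below)`; if it has to stay identical to Reference-LAPACK PR 625, the same explanation belongs next to the Patch lines in openblas.spec. This applies equally to dlarrv.f, slarrv.f and zlarrv.f in patches 2/4 to 4/4. The routine continues outside the hunk, so which access an M of zero would reach is not visible here.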
+++ b/0002-Fix-out-of-bounds-read-in-llarv-Reference-LAPACK-PR-.patch
@@ -0,0 +1,26 @@
+From fe497efa0510466fd93578aaf9da1ad8ed4edbe7 Mon Sep 17 00:00:00 2001
+From: Martin Kroeker
+Date: Fri, 1 Oct 2021 11:18:20 +0200
+Subject: [PATCH 2/4] Fix out of bounds read in ?llarv (Reference-LAPACK PR
+ 625)
+
+---
+ lapack-netlib/SRC/dlarrv.f | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lapack-netlib/SRC/dlarrv.f b/lapack-netlib/SRC/dlarrv.f
+index 4a59a2bb..a1c6e9c9 100644
+--- a/lapack-netlib/SRC/dlarrv.f
++++ b/lapack-netlib/SRC/dlarrv.f
+@@ -353,7 +353,7 @@
+ *
+ * Quick return if possible
+ *
+- IF( N.LE.0 ) THEN
++ IF( (N.LE.0).OR.(M.LE.0) ) THEN
+ RETURN
+ END IF
+ *
+--
+2.27.0
+
diff --git a/0003-Fix-out-of-bounds-read-in-llarv-Reference-LAPACK-PR-.patch b/0003-Fix-out-of-bounds-read-in-llarv-Reference-LAPACK-PR-.patch
new file mode 100644
index 0000000..88581cd
--- /dev/null
+++ b/0003-Fix-out-of-bounds-read-in-llarv-Reference-LAPACK-PR-.patch
@@ -0,0 +1,26 @@
+From ddb0ff5353637bb5f5ad060c9620e334c143e3d7 Mon Sep 17 00:00:00 2001
+From: Martin Kroeker
+Date: Fri, 1 Oct 2021 11:19:07 +0200
+Subject: [PATCH 3/4] Fix out of bounds read in ?llarv (Reference-LAPACK PR
+ 625)
+
+---
+ lapack-netlib/SRC/slarrv.f | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lapack-netlib/SRC/slarrv.f b/lapack-netlib/SRC/slarrv.f
+index 04519fde..9448b2fd 100644
+--- a/lapack-netlib/SRC/slarrv.f
++++ b/lapack-netlib/SRC/slarrv.f
+@@ -353,7 +353,7 @@
+ *
+ * Quick return if possible
+ *
+- IF( N.LE.0 ) THEN
++ IF( (N.LE.0).OR.(M.LE.0) ) THEN
+ RETURN
+ END IF
+ *
+--
+2.27.0
+
diff --git a/0004-Fix-out-of-bounds-read-in-llarv-Reference-LAPACK-PR-.patch b/0004-Fix-out-of-bounds-read-in-llarv-Reference-LAPACK-PR-.patch
new file mode 100644
index 0000000..40c00c6
--- /dev/null
+++ b/0004-Fix-out-of-bounds-read-in-llarv-Reference-LAPACK-PR-.patch
@@ -0,0 +1,27 @@
+From 337b65133df174796794871b3988cd03426e6d41 Mon Sep 17 00:00:00 2001
+From: Martin Kroeker
+Date: Fri, 1 Oct 2021 11:19:53 +0200
+Subject: [PATCH 4/4] Fix out of bounds read in ?llarv (Reference-LAPACK PR
+ 625)
+
+
+---
+ lapack-netlib/SRC/zlarrv.f | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lapack-netlib/SRC/zlarrv.f b/lapack-netlib/SRC/zlarrv.f
+index 23976dbe..8d10e3c2 100644
+--- a/lapack-netlib/SRC/zlarrv.f
++++ b/lapack-netlib/SRC/zlarrv.f
+@@ -351,7 +351,7 @@
+ *
+ * Quick return if possible
+ *
+- IF( N.LE.0 ) THEN
++ IF( (N.LE.0).OR.(M.LE.0) ) THEN
+ RETURN
+ END IF
+ *
+--
+2.27.0
+
diff --git a/openblas.spec b/openblas.spec
index 40e1926..55bcbc7 100644
--- a/openblas.spec
+++ b/openblas.spec
@@ -2,7 +2,7 @@ Name: openblas Version: 0.3.13 -Release: 2 +Release: 3 Summary: An optimized BLAS library based on GotoBLAS2 1.13 BSD version License: BSD URL: https://github.com/xianyi/OpenBLAS/
@@ -10,6 +10,10 @@ Source0: https://github.com/xianyi/OpenBLAS/archive/v%{version}/openblas- Patch0000: openblas-0.2.15-system_lapack.patch Patch0001: openblas-0.2.5-libname.patch Patch0002: openblas-0.3.7-tests.patch +Patch0003: 0001-Fix-out-of-bounds-read-in-llarv-Reference-LAPACK-PR-.patch +Patch0004: 0002-Fix-out-of-bounds-read-in-llarv-Reference-LAPACK-PR-.patch +Patch0005: 0003-Fix-out-of-bounds-read-in-llarv-Reference-LAPACK-PR-.patch +Patch0006: 0004-Fix-out-of-bounds-read-in-llarv-Reference-LAPACK-PR-.patch Requires: %{name}-devel = %{version}-%{release} BuildRequires: gcc gcc-gfortran perl-devel gcc-c++
@@ -57,6 +61,10 @@ cd OpenBLAS-%{version} %endif %patch0001 -p1 -b .libname %patch0002 -p1 -b .tests +%patch0003 -p1 +%patch0004 -p1 +%patch0005 -p1 +%patch0006 -p1 # Set source permissions find -name \*.f -exec chmod 644 {} \;
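Review bot: The added `%patch0003` to `%patch0006` lines only change the bundled `lapack-netlib/SRC/?larrv.f` sources, which may not be the code that ends up in every build of this package. Patch0000 is named `openblas-0.2.15-system_lapack.patch` and an `%endif` closes a conditional just above `%patch0001`, so this spec can presumably build against the system LAPACK. In that configuration the ?larrv routines would come from the separate lapack package, and this update alone would not close CVE-2021-4048. I would add a comment such as `# CVE-2021-4048: fixes bundled lapack-netlib only; system-LAPACK builds need the fix in lapack` above these lines and confirm that the lapack package carries the same change.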
@@ -350,6 +358,9 @@ rm -rf %{buildroot}%{_libdir}/pkgconfig %{_libdir}/lib%{name}*64_.so %changelog +* Mon Dec 20 2021 zhouwenpei -0.3.13-3 +- fix CVE-2021-4048 + * Wed Jun 30 2021 zhouwenpei -0.3.13-2 - add buildrequire gcc-c++ -- Gitee