Name | CVE-2021-4048 |
Description | An out-of-bounds read flaw was found in the CLARRV, DLARRV, SLARRV, and ZLARRV functions in lapack through version 3.10.0, as also used in OpenBLAS before version 0.3.18. Specially crafted inputs passed to these functions could cause an application using lapack to crash or possibly disclose portions of its memory. |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Debian Bugs | 1001902 |
The table below lists information on source packages.

Source Package | Release | Version | Status |
---|---|---|---|
lapack (PTS) | bullseye | 3.9.0-3+deb11u1 | vulnerable |
lapack (PTS) | bookworm | 3.11.0-2 | fixed |
lapack (PTS) | sid, trixie | 3.12.0-3 | fixed |
openblas (PTS) | bullseye | 0.3.13+ds-3+deb11u1 | vulnerable |
openblas (PTS) | bookworm | 0.3.21+ds-4 | fixed |
openblas (PTS) | sid, trixie | 0.3.28+ds-3 | fixed |

The information below is based on the following data on fixed versions.

Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
---|---|---|---|---|---|---|
lapack | source | (unstable) | 3.10.0-2 | | | 1001902 |
openblas | source | (unstable) | 0.3.18+ds-1 | | | |
[bullseye] - lapack <no-dsa> (Minor issue)
[buster] - lapack <no-dsa> (Minor issue)
[stretch] - lapack <no-dsa> (Minor issue)
[bullseye] - openblas <no-dsa> (Minor issue)
[buster] - openblas <no-dsa> (Minor issue)
[stretch] - openblas <no-dsa> (Minor issue)
https://github.com/Reference-LAPACK/lapack/pull/625
https://github.com/Reference-LAPACK/lapack/commit/38f3eeee3108b18158409ca2a100e6fe03754781
https://github.com/JuliaLang/julia/issues/42415
OpenBLAS: https://github.com/xianyi/OpenBLAS/commit/337b65133df174796794871b3988cd03426e6d41 (v0.3.18)
OpenBLAS: https://github.com/xianyi/OpenBLAS/commit/2be5ee3cca97a597f2ee2118808a2d5eacea050c (v0.3.18)
OpenBLAS: https://github.com/xianyi/OpenBLAS/commit/fe497efa0510466fd93578aaf9da1ad8ed4edbe7 (v0.3.18)
OpenBLAS: https://github.com/xianyi/OpenBLAS/commit/ddb0ff5353637bb5f5ad060c9620e334c143e3d7 (v0.3.18)