CVE-2021-4048

Name: CVE-2021-4048
Description: An out-of-bounds read flaw was found in the CLARRV, DLARRV, SLARRV, and ZLARRV functions in lapack through version 3.10.0, as also used in OpenBLAS before version 0.3.18. Specially crafted inputs passed to these functions could cause an application using lapack to crash or possibly disclose portions of its memory.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
Debian Bugs: 1001902

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package    Release         Version       Status
lapack (PTS)      buster          3.8.0-2       vulnerable
                  bullseye        3.9.0-3       vulnerable
                  bookworm, sid   3.10.1-2      fixed
openblas (PTS)    buster          0.3.5+ds-3    vulnerable
                  bullseye        0.3.13+ds-3   vulnerable
                  bookworm, sid   0.3.20+ds-2   fixed

The information below is based on the following data on fixed versions.

Package    Type     Release      Fixed Version   Urgency   Origin   Debian Bugs
lapack     source   (unstable)   3.10.0-2                           1001902
openblas   source   (unstable)   0.3.18+ds-1

Notes

[bullseye] - lapack <no-dsa> (Minor issue)
[buster] - lapack <no-dsa> (Minor issue)
[stretch] - lapack <no-dsa> (Minor issue)
[bullseye] - openblas <no-dsa> (Minor issue)
[buster] - openblas <no-dsa> (Minor issue)
[stretch] - openblas <no-dsa> (Minor issue)
https://github.com/Reference-LAPACK/lapack/pull/625
https://github.com/Reference-LAPACK/lapack/commit/38f3eeee3108b18158409ca2a100e6fe03754781
https://github.com/JuliaLang/julia/issues/42415
OpenBLAS: https://github.com/xianyi/OpenBLAS/commit/337b65133df174796794871b3988cd03426e6d41 (v0.3.18)
OpenBLAS: https://github.com/xianyi/OpenBLAS/commit/2be5ee3cca97a597f2ee2118808a2d5eacea050c (v0.3.18)
OpenBLAS: https://github.com/xianyi/OpenBLAS/commit/fe497efa0510466fd93578aaf9da1ad8ed4edbe7 (v0.3.18)
OpenBLAS: https://github.com/xianyi/OpenBLAS/commit/ddb0ff5353637bb5f5ad060c9620e334c143e3d7 (v0.3.18)
