CVE-2021-4048

Name: CVE-2021-4048
Description: An out-of-bounds read flaw was found in the CLARRV, DLARRV, SLARRV, and ZLARRV functions in lapack through version 3.10.0, as also used in OpenBLAS before version 0.3.18. Specially crafted inputs passed to these functions could cause an application using lapack to crash or possibly disclose portions of its memory.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1001902

Vulnerable and fixed packages

The table below lists information on source packages.

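Source Package | Release     | Version              | Status
---------------|-------------|----------------------|-----------
lapack (PTS)   | buster      | 3.8.0-2              | vulnerable
lapack (PTS)   | bullseye    | 3.9.0-3+deb11u1      | vulnerable
lapack (PTS)   | bookworm    | 3.11.0-2             | fixed
lapack (PTS)   | sid, trixie | 3.12.0-3             | fixed
openblas (PTS) | buster      | 0.3.5+ds-3           | vulnerable
openblas (PTS) | bullseye    | 0.3.13+ds-3+deb11u1  | vulnerable
openblas (PTS) | bookworm    | 0.3.21+ds-4          | fixed
openblas (PTS) | trixie      | 0.3.26+ds-1          | fixed
openblas (PTS) | sid         | 0.3.27+ds-1          | fixed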

The information below is based on the following data on fixed versions.

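Package  | Type   | Release    | Fixed Version | Urgency | Origin | Debian Bugs
---------|--------|------------|---------------|---------|--------|------------
lapack   | source | (unstable) | 3.10.0-2      |         |        | 1001902
openblas | source | (unstable) | 0.3.18+ds-1   |         |        |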

Notes

[bullseye] - lapack <no-dsa> (Minor issue)
[buster] - lapack <no-dsa> (Minor issue)
[stretch] - lapack <no-dsa> (Minor issue)
[bullseye] - openblas <no-dsa> (Minor issue)
[buster] - openblas <no-dsa> (Minor issue)
[stretch] - openblas <no-dsa> (Minor issue)
https://github.com/Reference-LAPACK/lapack/pull/625
https://github.com/Reference-LAPACK/lapack/commit/38f3eeee3108b18158409ca2a100e6fe03754781
https://github.com/JuliaLang/julia/issues/42415
OpenBLAS: https://github.com/xianyi/OpenBLAS/commit/337b65133df174796794871b3988cd03426e6d41 (v0.3.18)
OpenBLAS: https://github.com/xianyi/OpenBLAS/commit/2be5ee3cca97a597f2ee2118808a2d5eacea050c (v0.3.18)
OpenBLAS: https://github.com/xianyi/OpenBLAS/commit/fe497efa0510466fd93578aaf9da1ad8ed4edbe7 (v0.3.18)
OpenBLAS: https://github.com/xianyi/OpenBLAS/commit/ddb0ff5353637bb5f5ad060c9620e334c143e3d7 (v0.3.18)
