Bug 2024358 (CVE-2021-4048)

Summary: CVE-2021-4048 lapack: Out-of-bounds read in *larrv
Product: [Other] Security Response
Reporter: Sage McTaggart <amctagga>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: amctagga, anharris, aos-bugs, bniver, caswilli, flucifre, frantisek.kluknavsky, gmeno, hchiramm, hvyas, jamartis, jburrell, kaycoth, madam, mbenjamin, mhackett, mmuzila, nforro, ocs-bugs, rfreiman, security-response-team, sostapov, spotrh, susi.lehtola, tnielsen, vereddy, vkumar
Target Milestone: ---
Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: openblas 0.3.18
Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds read flaw was found in the CLARRV, DLARRV, SLARRV, and ZLARRV functions in lapack and OpenBLAS. A specially crafted input passed to these functions could cause an application using lapack to crash or possibly disclose portions of its memory.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-12-03 20:16:44 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2024365, 2030822, 2093179, 2024361, 2024362, 2024363, 2024364, 2024366, 2029851, 2029854, 2029855, 2029856, 2029857, 2030823, 2258839    
Bug Blocks: 2024359, 2030461    

Description Sage McTaggart 2021-11-17 22:46:21 UTC
OpenBLAS contains an out-of-bounds read error in the zlarrv.f library that occurs when user input is not validated properly. This could allow a remote attacker to crash the process associated with the library, or potentially expose the contents of memory by executing arbitrary code.

Reference:

https://vulndb.cyberriskanalytics.com/vulnerabilities/270365

Comment 3 Tomas Hoger 2021-11-19 12:33:18 UTC
There's only a limited amount of information currently included in this report.  Using what's available - the file name zlarrv.f and the information that the issue should be fixed in openblas 0.3.18 - led me to this openblas upstream commit:

https://github.com/xianyi/OpenBLAS/commit/337b65133df174796794871b3988cd03426e6d41

This fix is for the lapack library bundled in openblas, and references the following lapack upstream issue and commit:

https://github.com/Reference-LAPACK/lapack/pull/625
https://github.com/Reference-LAPACK/lapack/commit/38f3eeee3108b18158409ca2a100e6fe03754781

which points to the original report:

https://github.com/JuliaLang/julia/issues/42415

When porting the fix from lapack to openblas, the patch was split into 4 separate commits.  In addition to the one listed above for zlarrv.f, the other commits are:

https://github.com/xianyi/OpenBLAS/commit/2be5ee3cca97a597f2ee2118808a2d5eacea050c
https://github.com/xianyi/OpenBLAS/commit/fe497efa0510466fd93578aaf9da1ad8ed4edbe7
https://github.com/xianyi/OpenBLAS/commit/ddb0ff5353637bb5f5ad060c9620e334c143e3d7

Comment 4 Tomas Hoger 2021-11-30 21:47:22 UTC
There is no released fixed lapack version yet - the current release is 3.10.0, which was released before this fix was made.

Comment 5 Tomas Hoger 2021-11-30 22:09:21 UTC
The lapack and openblas packages included in Red Hat Enterprise Linux are not widely used by other packages in the distribution.  There's no package requiring lapack in Red Hat Enterprise Linux 8.  The openblas package in Red Hat Enterprise Linux 8 is only directly required by opencv (which is used by frei0r-plugins and hence gnome-video-effects) and Python numpy and scipy modules (which use openblas in their numpy.linalg and scipy.linalg submodules).

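Added example, not code from the Bugzilla thread, OpenBLAS, LAPACK or Red Hat: a check for whether the OpenBLAS copy that a Python process actually loads through numpy/scipy (the consumers named in comment 5) is at or past the 0.3.18 fixed-in version from the bug header. It assumes OpenBLAS exports openblas_get_config() (or openblas_get_config64_ in INTERFACE64 builds) and that a Linux /proc/self/maps is available to find which shared object is mapped; the sample banner strings are constructed.

```python
"""Is the OpenBLAS loaded by numpy/scipy at the CVE-2021-4048 fixed-in version?

Added example for this thread, not code from OpenBLAS, LAPACK or Red Hat.
Assumes the 0.3.18 threshold from the bug header, that OpenBLAS exports
openblas_get_config() (or openblas_get_config64_ in INTERFACE64 builds),
and a Linux /proc/self/maps to find which shared object is actually loaded.
"""
import ctypes
import re
from typing import List, Optional, Tuple

# "Fixed In Version: openblas 0.3.18" from the bug header above.
FIXED_IN: Tuple[int, int, int] = (0, 3, 18)

# Constructed sample banners in the shape openblas_get_config() returns.
SAMPLE_VULNERABLE = "OpenBLAS 0.3.17 USE64BITINT DYNAMIC_ARCH NO_AFFINITY Haswell MAX_THREADS=64"
SAMPLE_FIXED = "OpenBLAS 0.3.18 USE64BITINT DYNAMIC_ARCH NO_AFFINITY Haswell MAX_THREADS=64"


def parse_openblas_version(config: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from an OpenBLAS banner, or None when the
    banner is not OpenBLAS at all (reference LAPACK, MKL, ...), so "unknown"
    is never mistaken for "fixed"."""
    m = re.search(r"\bOpenBLAS\s+(\d+)\.(\d+)\.(\d+)", config)
    if m is None:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def openblas_is_fixed(config: str) -> Optional[bool]:
    """True if the banner's version is >= FIXED_IN, False if older, None if unknown."""
    version = parse_openblas_version(config)
    if version is None:
        return None
    return version >= FIXED_IN


def loaded_openblas_paths() -> List[str]:
    """Shared objects with 'openblas' in the name that this process has mapped.
    Importing numpy is what pulls its bundled or system OpenBLAS into the
    process (numpy.linalg links it, per comment 5)."""
    try:
        import numpy  # noqa: F401
    except ImportError:
        return []
    try:
        with open("/proc/self/maps") as maps:
            paths = {line.split()[-1] for line in maps
                     if "openblas" in line.lower() and "/" in line}
    except OSError:
        return []
    return sorted(paths)


def loaded_openblas_config() -> Optional[str]:
    """Banner of the OpenBLAS copy that is actually loaded, or None."""
    for path in loaded_openblas_paths():
        try:
            lib = ctypes.CDLL(path)  # already mapped, so this is the live copy
        except OSError:
            continue
        for symbol in ("openblas_get_config", "openblas_get_config64_"):
            fn = getattr(lib, symbol, None)
            if fn is not None:
                fn.restype = ctypes.c_char_p
                return fn().decode("ascii", "replace")
    return None


if __name__ == "__main__":
    banner = loaded_openblas_config()
    print("loaded:", banner)
    print("fixed by version:", openblas_is_fixed(banner) if banner else "no OpenBLAS found")
```

The version comparison only speaks for upstream-numbered builds such as wheels from PyPI. Distribution packages routinely backport a fix without changing the version string (RHEL 8 was addressed through an erratum, RHSA-2022:7639, rather than by shipping 0.3.18), so a banner below 0.3.18 from an RPM-built library is not proof of exposure; on such systems check the package changelog (rpm -q --changelog openblas | grep -i CVE-2021-4048) instead.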
Comment 6 Tomas Hoger 2021-12-07 13:15:58 UTC
Making this public.  Fixes in lapack and openblas have been public since the end of Sep / early Oct.  Only the VulnDB entry is not publicly visible, but it will likely remain restricted to customers of the service.

Comment 7 Tomas Hoger 2021-12-07 13:16:15 UTC
Created lapack tracking bugs for this issue:

Affects: fedora-all [bug 2029851]

Comment 12 errata-xmlrpc 2022-11-08 09:59:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7639 https://access.redhat.com/errata/RHSA-2022:7639

Comment 13 Product Security DevOps Team 2022-12-03 20:16:41 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-4048

Comment 14 errata-xmlrpc 2023-11-08 18:49:19 UTC
This issue has been addressed in the following products:

  RHODF-4.14-RHEL-9

Via RHSA-2023:6832 https://access.redhat.com/errata/RHSA-2023:6832