More information about this security flaw is available in the following bug: https://bugzilla.redhat.com/show_bug.cgi?id=2301820

Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
There's not enough context here for me to tell anything. How does an integer overflow in a kernel driver have any relationship to Apache Arrow libraries running in user space?
Looking at https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-38986, the CVE is not in the kernel but in https://github.com/75lb/deep-merge combined with https://lodash.com/. I know the CVE bug-filing scripts are frustratingly trigger-happy, and will file bugs related to anything they can find in a package.json or package-lock.json in your package's source tree, even example code that isn't installed. You can try grepping the source tree for "deep-merge" and "lodash" to make an educated guess at what's triggering the bug-filing script. If you don't ship any JavaScript in any of the subpackages, this is pretty much guaranteed to be NOTABUG. If you do ship JavaScript, maybe it merits investigation. (This is just a drive-by helpful comment. I have no influence over the filing of these bugs.)
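The grep-based triage suggested in the comment above, written out as an added example (this script is not from the bug thread or from either package's upstream; the function names are mine). It walks a source tree for package.json and package-lock.json files and reports which of them declare the two packages named in the CVE, so a maintainer can see what the tracker script keyed on and whether the match sits in shipped code or in an uninstalled example directory. The dependency-key pattern also accepts the "node_modules/<name>" keys that newer lockfiles use, which is an assumption about lockfile layout rather than something the thread states.

```shell
#!/bin/sh
# Added triage helper (not part of the bug thread): find JavaScript manifests
# under a source tree that reference the packages named in CVE-2024-38986.

# find_js_deps <srcdir>
# Prints "<manifest>: <package>" for every package.json / package-lock.json
# under <srcdir> that declares deep-merge or lodash.
find_js_deps() {
    dir="$1"
    find "$dir" -type f \( -name package.json -o -name package-lock.json \) 2>/dev/null |
    while IFS= read -r f; do
        for pkg in deep-merge lodash; do
            # Match the package as a JSON key, either "lodash": (package.json,
            # v1 lockfiles) or "node_modules/lodash": (v2/v3 lockfiles).
            if grep -Eq "\"([^\"]*/)?$pkg\"[[:space:]]*:" "$f"; then
                printf '%s: %s\n' "$f" "$pkg"
            fi
        done
    done
}

# js_deps_present <srcdir>
# Exit status 0 when at least one manifest references either package
# (worth a closer look), 1 when none does (the tracker is most likely NOTABUG).
js_deps_present() {
    [ -n "$(find_js_deps "$1")" ]
}
```

Run it from the unpacked source tree (`js_deps_present . && find_js_deps .`); hits under an `examples/` or `docs/` directory that no subpackage installs are the usual explanation for a false-positive tracker.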
No JavaScript
(In reply to Kaleb KEITHLEY from comment #1)
> There's not enough context here for me to tell anything.
>
> How does an integer overflow in a kernel driver have any relationship to
> Apache Arrow libraries running in user space?

Thanks for review,