OpenBLAS contains an out-of-bounds read error in the zlarrv.f library that occurs when user input is not validated properly. This could allow a remote attacker to crash the process associated with the library, or potentially expose the contents of memory by executing arbitrary code.
There's only a limited amount of information currently included in this report. Using what's available - the file name zlarrv.f and the information that the issue should be fixed in openblas 0.3.18 - led me to this openblas upstream commit:
This fix is for the lapack library bundled in openblas, and references the following lapack upstream issue and commit:
which points to the original report:
When porting the fix from lapack to openblas, the patch was split to 4 separate commits. In addition to the one listed above for zlarrv.f, other commits are:
There is no released fixed lapack version yet - the current release is 3.10.0, which was released before this fix was made.
The lapack and openblas packages included in Red Hat Enterprise Linux are not widely used by other packages in the distribution. There's no package requiring lapack in Red Hat Enterprise Linux 8. The openblas package in Red Hat Enterprise Linux 8 is only directly required by opencv (which is used by frei0r-plugins and hence gnome-video-effects) and Python numpy and scipy modules (which use openblas in their numpy.linalg and scipy.linalg submodules).
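A check a practitioner on the consuming side (numpy, scipy, opencv built on openblas) may want, added here as an example and not part of the bug report or of either upstream project: a POSIX shell helper that decides whether an OpenBLAS version string is at or past 0.3.18, the release the comment above names as the first carrying the zlarrv.f fix. The rpm and numpy queries in the usage note are assumptions about where the version string comes from; the comparison itself is generic and runs offline on a constructed string.

```sh
#!/bin/sh
# Added example, not code from the bug report or from openblas/lapack.
# Decides whether an OpenBLAS version is at or past the first release
# that carries the zlarrv.f fix (0.3.18 per the report above).

FIXED_OPENBLAS_VERSION="0.3.18"

# version_ge A B: exit 0 when dotted version A >= B, comparing each
# numeric component in turn; a missing component counts as 0 and a
# non-digit suffix such as "18-1" or "18.dev" is ignored.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"
        ah="${ah%%[!0-9]*}"; bh="${bh%%[!0-9]*}"
        ah="${ah:-0}"; bh="${bh:-0}"
        if [ "$ah" -gt "$bh" ]; then return 0; fi
        if [ "$ah" -lt "$bh" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    return 0
}

# openblas_fixed VERSION: prints "fixed" or "vulnerable", exit 0 or 1.
openblas_fixed() {
    if version_ge "$1" "$FIXED_OPENBLAS_VERSION"; then
        echo fixed
        return 0
    fi
    echo vulnerable
    return 1
}

# Constructed sample input, so the script runs stand-alone:
openblas_fixed "0.3.17"
```

Usage on a real host (assumed query commands): `openblas_fixed "$(rpm -q --qf '%{VERSION}\n' openblas)"` for the distribution package, and for a pip-installed numpy wheel the bundled OpenBLAS version is shown by `python3 -c 'import numpy; numpy.show_config()'`; feed the printed version string to `openblas_fixed` the same way. The comparison is numeric per component, so a distribution build such as 0.3.15 with the fix backported will still be reported as vulnerable; check the package changelog or the RHSA for that case.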
Making this public. Fixes in lapack and openblas have been public since the end of Sep / early Oct. Only the VulnDB entry is not publicly visible, but it will likely remain restricted to customers of the service.
Created lapack tracking bugs for this issue:
Affects: fedora-all [bug 2029851]
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2022:7639 https://access.redhat.com/errata/RHSA-2022:7639
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):