2225615 – (CVE-2023-29932) CVE-2023-29932 llvm: canonicalize pass crashed with segmentation fault

Bug 2225615 (CVE-2023-29932) - CVE-2023-29932 llvm: canonicalize pass crashed with segmentation fault

Summary: CVE-2023-29932 llvm: canonicalize pass crashed with segmentation fault

Keywords:
Status:	NEW
Alias:	CVE-2023-29932
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Nobody
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2225616 2225617 2225618
Blocks:	2193481
TreeView+	depends on / blocked

Reported:	2023-07-25 15:07 UTC by Marian Rehak
Modified:	2023-10-04 17:53 UTC (History)
CC List:	10 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in the llvm package. A segmentation fault via the mlir::IROperand<mlir::OpOperand component may lead to a crash.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Marian Rehak 2023-07-25 15:07:23 UTC

llvm-project commit fdbc55a5 was discovered to contain a segmentation fault via the component mlir::IROperand<mlir::OpOperand.

Reference:

https://github.com/llvm/llvm-project/issues/58745

Comment 1 Marian Rehak 2023-07-25 15:07:40 UTC

Created llvm tracking bugs for this issue:

Affects: fedora-all [bug 2225616]

Comment 3 Siddhesh Poyarekar 2023-07-25 15:41:01 UTC

What's the security rationale for this?  If the upstream LLVM security group has agreed on the security impact then this document should be updated to refect that:

https://llvm.org/docs/Security.html#what-is-considered-a-security-issue

because at the moment it states that there are no security-sensitive parts in LLVM.  I couldn't track an upstream discussion about this either.  Likewise for CVE-2023-29933, CVE-2023-29934, CVE-2023-29935, CVE-2023-29941 and CVE-2023-29942.

Note You need to log in before you can comment on or make changes to this bug.