
Debian alert DLA-4116-1 (abseil)

From:  Tobias Frost <tobi@debian.org>
To:  debian-lts-announce@lists.debian.org
Subject:  [SECURITY] [DLA 4116-1] abseil security update
Date:  Sat, 05 Apr 2025 16:32:49 +0200
Message-ID:  <Z_E_EYEpnzxNih2J@isildor2.loewenhoehle.ip>

-------------------------------------------------------------------------
Debian LTS Advisory DLA-4116-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                         Tobias Frost
April 05, 2025                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : abseil
Version        : 0~20200923.3-2+deb11u1
CVE ID         : CVE-2025-0838
Debian Bug     : 1098903

A vulnerability has been found in abseil, a collection of open-source
C++ libraries that extend the C++ standard library, which might cause
a heap buffer overflow.

CVE-2025-0838

    There exists a heap buffer overflow vulnerability in Abseil-cpp. The
    sized constructors, reserve(), and rehash() methods of
    absl::{flat,node}_hash_{set,map} did not impose an upper bound on
    their size argument. As a result, it was possible for a caller to
    pass a very large size that would cause an integer overflow when
    computing the size of the container's backing store, and a
    subsequent out-of-bounds memory write. Subsequent accesses to the
    container might also access out-of-bounds memory.

For Debian 11 bullseye, this problem has been fixed in version
0~20200923.3-2+deb11u1.

We recommend that you upgrade your abseil packages.

For the detailed security status of abseil please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/abseil

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


Attachment: signature.asc (type=application/pgp-signature)

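The bug class the advisory describes (a size computation that wraps when no upper bound is imposed on the requested capacity) can be shown with a simplified model. This is an added example, not code from Abseil or from the Debian patch; the layout (one control byte per slot plus a fixed tail, then the slots), the constant `kCtrlTail` and all function names are assumptions made for illustration.

```cpp
#include <cstddef>
#include <cstdio>
#include <limits>

// Simplified model (assumption): one control byte per slot plus a fixed
// tail, followed by `capacity` slots of `slot_size` bytes each.
constexpr std::size_t kCtrlTail = 16;  // hypothetical padding constant

// Unchecked form: size_t arithmetic wraps silently modulo 2^N, so a huge
// capacity can yield a small allocation size.
std::size_t alloc_size_unchecked(std::size_t capacity, std::size_t slot_size) {
  return capacity + kCtrlTail + capacity * slot_size;
}

// Largest capacity whose backing store still fits in size_t.
// Requires slot_size < SIZE_MAX so that slot_size + 1 does not wrap.
std::size_t max_capacity(std::size_t slot_size) {
  const std::size_t max = std::numeric_limits<std::size_t>::max();
  return (max - kCtrlTail) / (slot_size + 1);
}

// Checked form: reject the request before any arithmetic can wrap.
// Returns false and leaves *out untouched when the request is too large.
bool alloc_size_checked(std::size_t capacity, std::size_t slot_size,
                        std::size_t* out) {
  if (slot_size == std::numeric_limits<std::size_t>::max()) return false;
  if (capacity > max_capacity(slot_size)) return false;
  *out = alloc_size_unchecked(capacity, slot_size);
  return true;
}

int main() {
  // Constructed input: the smallest capacity for which capacity * 16 wraps.
  const std::size_t huge = std::numeric_limits<std::size_t>::max() / 16 + 1;
  std::size_t size = 0;
  std::printf("unchecked: %zu bytes for %zu slots\n",
              alloc_size_unchecked(huge, 16), huge);
  std::printf("checked:   %s\n",
              alloc_size_checked(huge, 16, &size) ? "accepted" : "rejected");
  return 0;
}
```

In the unchecked form the slot term wraps to zero, so the computed size covers only the control bytes while the table believes it has room for every slot; the bound has to be enforced before the multiplication, not after.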




Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds