USN-6258-1: LLVM Toolchain vulnerabilities

Releases

• Ubuntu 23.04
• Ubuntu 22.04 LTS

Packages

• llvm-toolchain-13 - C, C++ and Objective-C compiler
• llvm-toolchain-14 - C, C++ and Objective-C compiler
• llvm-toolchain-15 - C, C++ and Objective-C compiler

Details

It was discovered that LLVM Toolchain did not properly manage memory under
certain circumstances. If a user were tricked into opening a specially
crafted MLIR file, an attacker could possibly use this issue to cause LLVM
Toolchain to crash, resulting in a denial of service. (CVE-2023-29932,
CVE-2023-29934, CVE-2023-29939)

It was discovered that LLVM Toolchain did not properly manage memory under
certain circumstances. If a user were tricked into opening a specially
crafted MLIR file, an attacker could possibly use this issue to cause LLVM
Toolchain to crash, resulting in a denial of service. This issue only
affected llvm-toolchain-15. (CVE-2023-29933)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 23.04

• mlir-15-tools - 1:15.0.7-3ubuntu0.23.04.1
• llvm-14-tools - 1:14.0.6-12ubuntu0.23.04.1
• mlir-13-tools - 1:13.0.1-11ubuntu14.1
• llvm-14 - 1:14.0.6-12ubuntu0.23.04.1
• llvm-15 - 1:15.0.7-3ubuntu0.23.04.1
• llvm-13 - 1:13.0.1-11ubuntu14.1
• mlir-14-tools - 1:14.0.6-12ubuntu0.23.04.1
• llvm-15-tools - 1:15.0.7-3ubuntu0.23.04.1
• llvm-13-tools - 1:13.0.1-11ubuntu14.1

Ubuntu 22.04

• mlir-15-tools - 1:15.0.7-0ubuntu0.22.04.3
• llvm-14-tools - 1:14.0.0-1ubuntu1.1
• mlir-13-tools - 1:13.0.1-2ubuntu2.2
• llvm-14 - 1:14.0.0-1ubuntu1.1
• llvm-15 - 1:15.0.7-0ubuntu0.22.04.3
• llvm-13 - 1:13.0.1-2ubuntu2.2
• mlir-14-tools - 1:14.0.0-1ubuntu1.1
• llvm-15-tools - 1:15.0.7-0ubuntu0.22.04.3
• llvm-13-tools - 1:13.0.1-2ubuntu2.2

In general, a standard system update will make all the necessary changes.

References

• CVE-2023-29939
• CVE-2023-29934
• CVE-2023-29932
• CVE-2023-29933