Version in base suite: 0.4.0-3 Base version: hnswlib_0.4.0-3 Target version: hnswlib_0.4.0-3+deb11u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/h/hnswlib/hnswlib_0.4.0-3.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/h/hnswlib/hnswlib_0.4.0-3+deb11u1.dsc changelog | 9 +++++++++ patches/cve-2023-37365.patch | 40 ++++++++++++++++++++++++++++++++++++++++ patches/series | 1 + 3 files changed, 50 insertions(+) gpgv: Signature made Wed Nov 11 08:51:15 2020 UTC gpgv: using RSA key 3E99A526F5DCC0CBBF1CEEA600BAE74B343369F1 gpgv: issuer "npatra974@gmail.com" gpgv: Can't check signature: No public key dpkg-source: warning: failed to verify signature on /srv/release.debian.org/tmp/tmp_ve9fcwh/hnswlib_0.4.0-3.dsc diff -Nru hnswlib-0.4.0/debian/changelog hnswlib-0.4.0/debian/changelog --- hnswlib-0.4.0/debian/changelog 2020-11-10 22:06:36.000000000 +0000 +++ hnswlib-0.4.0/debian/changelog 2023-07-19 09:07:28.000000000 +0000 @@ -1,3 +1,12 @@ +hnswlib (0.4.0-3+deb11u1) bullseye; urgency=medium + + * Team upload. + * cve-2023-37365.patch: new: fix CVE-2023-37365. + This is done by capping M to 10000 per discussion with upstream. + (Closes: #1041426) + + -- Étienne Mollier Wed, 19 Jul 2023 11:07:28 +0200 + hnswlib (0.4.0-3) unstable; urgency=medium * Team Upload. diff -Nru hnswlib-0.4.0/debian/patches/cve-2023-37365.patch hnswlib-0.4.0/debian/patches/cve-2023-37365.patch --- hnswlib-0.4.0/debian/patches/cve-2023-37365.patch 1970-01-01 00:00:00.000000000 +0000 +++ hnswlib-0.4.0/debian/patches/cve-2023-37365.patch 2023-07-19 09:07:28.000000000 +0000 
@@ -0,0 +1,40 @@ +Description: hnswalg.h: cap M to 10000 (CVE-2023-37365) + This patch works around issue nmslib#467, also referenced as CVE-2023-37365, + by implementing Yury Malkov's suggestion about capping the M value, + coding the maximum number of outgoing connections in the graph, to a + reasonable enough value of the order of 10000. For the record, the + documentation indicates reasonable values for M range from 2 to 100, + which are well within the cap; see ALGO_PARAMS.md. + . + The reproducer shown in issue nmslib#467 doesn't trigger the double free + condition anymore after this change is applied, but completes + successfully, although with the below warning popping up on purpose: + . + warning: M parameter exceeds 10000 which may lead to adverse effects. + Cap to 10000 will be applied for the rest of the processing. + +Author: Étienne Mollier +Bug: https://github.com/nmslib/hnswlib/issues/467 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1041426 +Forwarded: https://github.com/nmslib/hnswlib/pull/484 +Reviewed-by: Yury Malkov +Last-Update: 2023-07-19 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- hnswlib.orig/hnswlib/hnswalg.h ++++ hnswlib/hnswlib/hnswalg.h +@@ -34,7 +34,13 @@ + data_size_ = s->get_data_size(); + fstdistfunc_ = s->get_dist_func(); + dist_func_param_ = s->get_dist_func_param(); +- M_ = M; ++ if ( M <= 10000 ) { ++ M_ = M; ++ } else { ++ std::cerr << "warning: M parameter exceeds 10000 which may lead to adverse effects." << std::endl; ++ std::cerr << " Cap to 10000 will be applied for the rest of the processing." << std::endl; ++ M_ = 10000; ++ } + maxM_ = M_; + maxM0_ = M_ * 2; + ef_construction_ = std::max(ef_construction,M_); diff -Nru hnswlib-0.4.0/debian/patches/series hnswlib-0.4.0/debian/patches/series --- hnswlib-0.4.0/debian/patches/series 2020-11-10 22:06:16.000000000 +0000 +++ hnswlib-0.4.0/debian/patches/series 2023-07-19 09:04:05.000000000 +0000 
@@ -2,3 +2,4 @@ noTwine.patch use-shared-while-linking.patch do-not-use-native-flags.patch +cve-2023-37365.patch
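Review bot: In the changelog hunk, the new entry reads "Team upload." while the previous 0.4.0-3 entry below it reads "Team Upload."; pick one capitalisation for consistency. The entry could also mention that the fix is a behavioural change visible to users (oversized M is now silently clamped with a message on stderr rather than honoured), since that is what the cve-2023-37365.patch hunk actually does and is the kind of thing a stable update reader looks for in the changelog.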
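Review bot: In the cve-2023-37365.patch hunk, the inserted branch writes to `std::cerr` and uses `std::endl`, but the hunk adds no `#include <iostream>` to hnswalg.h; confirm the header already includes it (transitively is fragile) or add the include in the same patch so the header compiles standalone. Two smaller points on the same lines: the literal 10000 appears three times (`if ( M <= 10000 )`, the warning text, and `M_ = 10000;`), so a single named constant would keep the check, the message and the assignment from drifting apart; and since `maxM0_ = M_ * 2` and `ef_construction_ = std::max(ef_construction,M_)` are derived from the capped value, a one-line comment stating that the cap deliberately propagates to those fields (per the upstream discussion referenced in the DEP-3 header) would make the intent clear to the next maintainer.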