CVE-2024-7883:
When using Arm Cortex-M Security Extensions (CMSE), Secure stack contents can be leaked to Non-secure state via floating-point registers when a Secure to Non-secure function call is made that returns a floating-point value and when this is the first use of floating-point since entering Secure state. This allows an attacker to read a limited quantity of Secure stack contents with an impact on confidentiality. This issue is specific to code generated using LLVM-based compilers.
CVE-2024-31852:
LLVM before 18.1.3 generates code in which the LR register can be overwritten without data being saved to the stack, and thus there can sometimes be an exploitable error in the flow of control. This affects the ARM backend and can be demonstrated with Clang. NOTE: the vendor perspective is "we don't have strong objections for a CVE to be created ... It does seem that the likelihood of this miscompile enabling an exploit remains very low, because the miscompile resulting in this JOP gadget is such that the function is most likely to crash on most valid inputs to the function. So, if this function is covered by any testing, the miscompile is most likely to be discovered before the binary is shipped to production."
The package has not entered testing even though the delay is over
normal
The package has not entered testing even though the 20-day delay is over.Check why.
piuparts found (un)installation error(s)
normal
Piuparts stresses package installation, uninstallation, upgrade, ... While doing such tests, one or more errors were found for the following suites:
This package has been requested to
be removed. This means that, when this request gets
processed by an ftp-master, this package will no longer be in
unstable, and will automatically be removed from testing too
afterwards. If for some reason you want keep this package in
unstable, please discuss so in the bug. Please see bug number #1050069 for more information.
debian/patches: 101 patches to forward upstream
low
Among the 102 debian patches
available in version 1:14.0.6-20 of the package,
we noticed the following issues:
101 patches
where the metadata indicates that the patch has not yet been forwarded
upstream. You should either forward the patch upstream or update the
metadata to document its real status.
CVE-2024-7883:
When using Arm Cortex-M Security Extensions (CMSE), Secure stack contents can be leaked to Non-secure state via floating-point registers when a Secure to Non-secure function call is made that returns a floating-point value and when this is the first use of floating-point since entering Secure state. This allows an attacker to read a limited quantity of Secure stack contents with an impact on confidentiality. This issue is specific to code generated using LLVM-based compilers.
Standards version of the package is outdated.
wishlist
The package should be updated to follow the last version of Debian Policy
(Standards-Version 4.7.2 instead of
4.6.2).
testing migrations
This package will soon be part of the auto-libxml2 transition. You might want to ensure that your package is ready for it.
You can probably find supplementary information in the
debian-release
archives or in the corresponding
release.debian.org
bug.
This package will soon be part of the auto-protobuf transition. You might want to ensure that your package is ready for it.
You can probably find supplementary information in the
debian-release
archives or in the corresponding
release.debian.org
bug.
This package will soon be part of the auto-grpc transition. You might want to ensure that your package is ready for it.
You can probably find supplementary information in the
debian-release
archives or in the corresponding
release.debian.org
bug.
![[bug history graph]](https://qa.debian.org/data/bts/graphs/l/llvm-toolchain-14.png){kind=link}