Questions about CVE-2021-4048 (lapack 3.6.0-2)

[ThxTory]

Does CVE-2021-4048 has effect on lapack 3.6.0-2?
(Our system is Ubuntu 16.04 and the lapack 3.6.0 was installed using apt.)

If yes, How can I get patched version of 3.6.0-2?

• Wait the official debian package release
• build and replace original libraries
• etc

Related links

• https://nvd.nist.gov/vuln/detail/CVE-2021-4048
• Fix out of bounds read in slarrv #625
• https://launchpad.net/ubuntu/+source/lapack/3.6.0-2ubuntu2

Thanks.

[langou]

"build and replace original libraries" sounds good.
Why don't you take 3.10.1 from this GitHub?
https://github.com/Reference-LAPACK/lapack/releases/tag/v3.10.1
There is cmake and Makefile for the install.