Add advisories for numeric bugs in GHC

advisories/ghc/ghc/HSEC-2024-0007.md

@@ -0,0 +1,36 @@
+```toml
+[advisory]
+id = "HSEC-2024-0007"
+cwe = [194]
+keywords = ["integrity", "dos", "historical"]
+
+[[affected]]
+ghc-component = "ghc"
+cvss = "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H"
+
+[[affected.versions]]
+introduced = "9.2.4"
+fixed = "9.2.5"
+
+[[affected.versions]]
+introduced = "9.4.2"
+fixed = "9.4.3"
+
+[[references]]
+type = "REPORT"
+url = "https://gitlab.haskell.org/ghc/ghc/-/issues/22282"
+
+[[references]]
+type = "FIX"
+url = "https://gitlab.haskell.org/ghc/ghc/-/merge_requests/9152"
+
+[[references]]
+type = "FIX"
+url = "https://gitlab.haskell.org/ghc/ghc/-/merge_requests/9139"
+```
+
+# Sign extension error in the AArch64 NCG
+
+Arithmetic operations may result in incorrect runtime results on the native aarch64 backend.
+For the most part, this bug only causes availability and data integrity issues.
+However, in some circumstances, it may result in other, more complicated security related flaws, such as buffer overflow conditions.

advisories/ghc/ghc/HSEC-2024-0008.md

@@ -0,0 +1,35 @@
+```toml
+[advisory]
+id = "HSEC-2024-0008"
+cwe = [194]
+keywords = ["integrity", "dos"]
+
+[[affected]]
+ghc-component = "ghc"
+cvss = "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H"
+
+[[affected.versions]]
+introduced = "9.2.1"
+fixed = "9.6.6"
+
+[[affected.versions]]
+introduced = "9.8.1"
+fixed = "9.8.3"
+
+[[affected.versions]]
+introduced = "9.10.1"
+
+[[references]]
+type = "REPORT"
+url = "https://gitlab.haskell.org/ghc/ghc/-/issues/23034"
+
+[[references]]
+type = "FIX"
+url = "https://gitlab.haskell.org/ghc/ghc/-/merge_requests/12885"
+```
+
+# Sign extension error in the PPC64le FFI
+
+Numeric arguments of FFI call on the PPC64le backend may result in incorrect runtime values.
+For the most part, this bug only causes availability and data integrity issues.
+However, in some circumstances, it may result in other, more complicated security related flaws, such as buffer overflow conditions.

advisories/hackage/base/HSEC-2024-0006.md

@@ -0,0 +1,41 @@
+```toml
+[advisory]
+id = "HSEC-2024-0006"
+cwe = [192]
+keywords = ["integrity", "dos", "historical"]
+
+[[affected]]
+package = "base"
+cvss = "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H"
+
+[[affected.versions]]
+introduced = "4.15.0.0"
+fixed = "4.15.1.0"
+
+[[references]]
+type = "REPORT"
+url = "https://gitlab.haskell.org/ghc/ghc/-/issues/19345"
+
+[[references]]
+type = "REPORT"
+url = "https://gitlab.haskell.org/ghc/ghc/-/issues/20066"
+
+[[references]]
+type = "FIX"
+url = "https://gitlab.haskell.org/ghc/ghc/-/merge_requests/4980"
+
+[[references]]
+type = "FIX"
+url = "https://gitlab.haskell.org/ghc/ghc/-/merge_requests/6109"
+```
+
+# `fromIntegral`: conversion error
+
+`fromIntegral` may result in coercion errors when used with optimization flags `-O1` or `-O2`
+in the following situation:
+
+- Converting negative `Int` to `Natural` does not throw an arithmetic underflow error
+- Converting large `Integer` greater than 2^64 to `Natural` overflow.
+
+For the most part, these errors in and of themselves result only in availability and data integrity issues.
+However, in some circumstances, they may result in other, more complicated security related flaws, such as buffer overflow conditions.