hsec-2024-0006
Vulnerability from osv_haskell
Published
2025-11-14 14:45
Modified
2025-11-14 14:45
Summary
fromIntegral: conversion error
Details

fromIntegral: conversion error

fromIntegral may result in coercion errors when used with optimization flags -O1 or -O2 in the following situations:

  • Converting a negative Int to Natural does not throw an arithmetic underflow error.
  • Converting a large Integer greater than 2^64 to Natural overflows.

For the most part, these errors in and of themselves result only in availability and data integrity issues. However, in some circumstances, they may result in other, more complicated security-related flaws, such as buffer overflow conditions.


{
  "affected": [
    {
      "database_specific": {
        "human_link": "https://github.com/haskell/security-advisories/tree/main/advisories/published/2024/HSEC-2024-0006.md",
        "osv": "https://raw.githubusercontent.com/haskell/security-advisories/refs/heads/generated/osv-export/2024/HSEC-2024-0006.json"
      },
      "package": {
        "ecosystem": "Hackage",
        "name": "base"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.15.0.0"
            },
            {
              "fixed": "4.15.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "severity": [
        {
          "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H",
          "type": "CVSS_V3"
        }
      ]
    }
  ],
  "database_specific": {
    "home": "https://github.com/haskell/security-advisories",
    "osvs": "https://raw.githubusercontent.com/haskell/security-advisories/refs/heads/generated/osv-export",
    "repository": "https://github.com/haskell/security-advisories"
  },
  "details": "# `fromIntegral`: conversion error\n\n`fromIntegral` may result in coercion errors when used with optimization flags `-O1` or `-O2`\nin the following situation:\n\n- Converting negative `Int` to `Natural` does not throw an arithmetic underflow error\n- Converting large `Integer` greater than 2^64 to `Natural` overflow.\n\nFor the most part, these errors in and of themselves result only in availability and data integrity issues.\nHowever, in some circumstances, they may result in other, more complicated security related flaws, such as buffer overflow conditions.\n",
  "id": "HSEC-2024-0006",
  "modified": "2025-11-14T14:45:34Z",
  "published": "2025-11-14T14:45:34Z",
  "references": [
    {
      "type": "REPORT",
      "url": "https://gitlab.haskell.org/ghc/ghc/-/issues/19345"
    },
    {
      "type": "REPORT",
      "url": "https://gitlab.haskell.org/ghc/ghc/-/issues/20066"
    },
    {
      "type": "FIX",
      "url": "https://gitlab.haskell.org/ghc/ghc/-/merge_requests/4980"
    },
    {
      "type": "FIX",
      "url": "https://gitlab.haskell.org/ghc/ghc/-/merge_requests/6109"
    }
  ],
  "schema_version": "1.5.0",
  "summary": "fromIntegral: conversion error"
}

