Bug 500484 - <dev-python/numpy-1.8.0-r1 : f2py insecure temporary file use
Summary: <dev-python/numpy-1.8.0-r1 : f2py insecure temporary file use
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-02-06 08:45 UTC by Agostino Sarubbo
Modified: 2014-02-24 21:43 UTC
CC List: 2 users

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2014-02-06 08:45:15 UTC
From ${URL} :

Jakub Wilk found that f2py insecurely used a temporary file. A local attacker could use this flaw to 
perform a symbolic link attack to modify an arbitrary file accessible to the user running f2py.

The original report in the Debian bug tracking system 
(http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737778) notes the issue is in numpy/f2py/__init__.py:

     from numpy.distutils.exec_command import exec_command
     import tempfile
     if source_fn is None:
         fname = os.path.join(tempfile.mktemp()+'.f')
     else:
         fname = source_fn

     f = open(fname,'w')


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
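The quoted f2py snippet illustrates the classic mktemp() race: the name is only predicted, and the later open(fname, 'w') follows whatever a local user has meanwhile placed at that name. The following is an added example (not numpy's or Gentoo's code; function names, the 'victim.txt' / 'predicted.f' file names and the sample Fortran lines are constructed for the demo) that reproduces the flaw inside a private temporary directory and contrasts it with the mitigation the upstream fix moves to, tempfile.mkstemp(), whose O_CREAT|O_EXCL create refuses a pre-existing link instead of writing through it:

```python
"""Insecure (mktemp + open) versus safe (mkstemp / O_EXCL) temporary files.

Added example modelled on the f2py pattern quoted in this bug; it is not
numpy's own code.  Everything runs inside a throwaway TemporaryDirectory.
"""
import os
import stat
import tempfile


def write_temp_source(source, directory=None):
    """Safe replacement for the quoted pattern.

    mkstemp() creates the file atomically with O_CREAT|O_EXCL and mode 0600
    and returns an already-open descriptor, so there is no window between
    choosing the name and creating the file.  The '.f' suffix f2py needs is
    passed to mkstemp() rather than appended to a predicted name.
    """
    fd, fname = tempfile.mkstemp(suffix='.f', dir=directory)
    with os.fdopen(fd, 'w') as f:
        f.write(source)
    return fname


def create_exclusive(path):
    """The primitive mkstemp() relies on, spelled out: O_EXCL makes the
    create fail with EEXIST if anything (a file or a symlink) is already at
    path.  O_NOFOLLOW is added where the platform offers it."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, 'O_NOFOLLOW', 0)
    return os.open(path, flags, 0o600)


def _read(path):
    with open(path) as f:
        return f.read()


def demo():
    """Run both patterns in a private directory; returns a dict of outcomes."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        # Constructed "victim" file standing in for any file the user can write.
        victim = os.path.join(d, 'victim.txt')
        with open(victim, 'w') as f:
            f.write('important data\n')

        # The situation the Debian report describes: by the time the program
        # opens its predicted name, a link to another file already sits there.
        predicted = os.path.join(d, 'predicted.f')
        os.symlink(victim, predicted)

        # Vulnerable pattern (what the quoted code does): open(..., 'w')
        # follows the link and truncates the victim file.
        with open(predicted, 'w') as f:
            f.write('      program x\n')
        results['victim_after_insecure'] = _read(victim)

        # Mitigation: an exclusive create refuses the pre-existing link.
        try:
            fd = create_exclusive(predicted)
            os.close(fd)
            results['exclusive_refused'] = False
        except FileExistsError:
            results['exclusive_refused'] = True

        # mkstemp-based writer: a fresh, private (0600) file with the suffix.
        fname = write_temp_source('      end\n', directory=d)
        results['suffix_ok'] = fname.endswith('.f')
        results['mode'] = stat.S_IMODE(os.stat(fname).st_mode)
        results['content'] = _read(fname)
    return results


if __name__ == '__main__':
    for key, value in demo().items():
        print(f'{key}: {value!r}')
```

The point of the contrast is that the fix is not a better name generator but a different primitive: mkstemp() (or NamedTemporaryFile) hands back a descriptor to a file it created itself, so the caller never re-opens a path by name. When reviewing other code for the same bug class, grep for tempfile.mktemp and for os.path.join(tempdir, predictable_name) followed by open(..., 'w').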
Comment 1 Justin Lecher (RETIRED) gentoo-dev 2014-02-06 09:29:39 UTC
I will take care
Comment 2 Justin Lecher (RETIRED) gentoo-dev 2014-02-06 09:45:03 UTC
+*numpy-1.8.0-r1 (06 Feb 2014)
+
+  06 Feb 2014; Justin Lecher <jlec@gentoo.org>
+  +files/numpy-1.8.0-f2py-insecure-temporary.patch, +numpy-1.8.0-r1.ebuild:
+  Backport fix for sec bug, #500484
+
Comment 3 Justin Lecher (RETIRED) gentoo-dev 2014-02-06 09:46:54 UTC
@arches please go ahead, testsuite included.

I will drop testing arches back to testing.
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2014-02-06 12:08:31 UTC
Stable for HPPA.
Comment 5 Akinori Hattori gentoo-dev 2014-02-08 13:16:53 UTC
ia64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2014-02-08 19:47:50 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2014-02-09 08:19:13 UTC
ppc stable
Comment 8 Agostino Sarubbo gentoo-dev 2014-02-09 08:23:58 UTC
ppc64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2014-02-09 08:27:14 UTC
sparc stable
Comment 10 Agostino Sarubbo gentoo-dev 2014-02-16 07:35:12 UTC
alpha stable
Comment 11 Agostino Sarubbo gentoo-dev 2014-02-17 21:08:14 UTC
arm stable
Comment 12 Agostino Sarubbo gentoo-dev 2014-02-22 07:43:18 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 13 Justin Lecher (RETIRED) gentoo-dev 2014-02-22 11:23:21 UTC
+  22 Feb 2014; Justin Lecher <jlec@gentoo.org> -numpy-1.8.0.ebuild,
+  metadata.xml:
+  Drop vulnerable versions, #500484
+

+  22 Feb 2014; Justin Lecher <jlec@gentoo.org> -numpy-1.6.2-r2.ebuild,
+  -numpy-1.7.1.ebuild:
+  Drop vulnerable versions, #500484
+
Comment 14 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-02-22 12:28:22 UTC
GLSA vote: no
Comment 15 Arfrever Frehtes Taifersar Arahesis 2014-02-24 11:27:20 UTC
(In reply to Justin Lecher from comment #2)
> +*numpy-1.8.0-r1 (06 Feb 2014)
> +
> +  06 Feb 2014; Justin Lecher <jlec@gentoo.org>
> +  +files/numpy-1.8.0-f2py-insecure-temporary.patch, +numpy-1.8.0-r1.ebuild:
> +  Backport fix for sec bug, #500484

This patch introduced 1 error in the test suite.
See:
https://github.com/numpy/numpy/pull/4262
https://github.com/numpy/numpy/pull/4271
https://github.com/numpy/numpy/commit/524b9eaa33ec67e34eb31a208e02bb934f778096
Comment 16 Justin Lecher (RETIRED) gentoo-dev 2014-02-24 11:31:01 UTC
(In reply to Arfrever Frehtes Taifersar Arahesis from comment #15)
> (In reply to Justin Lecher from comment #2)
> > +*numpy-1.8.0-r1 (06 Feb 2014)
> > +
> > +  06 Feb 2014; Justin Lecher <jlec@gentoo.org>
> > +  +files/numpy-1.8.0-f2py-insecure-temporary.patch, +numpy-1.8.0-r1.ebuild:
> > +  Backport fix for sec bug, #500484
> 
> This patch introduced 1 error in the test suite.
> See:
> https://github.com/numpy/numpy/pull/4262
> https://github.com/numpy/numpy/pull/4271
> https://github.com/numpy/numpy/commit/524b9eaa33ec67e34eb31a208e02bb934f778096

Thanks for tracking this. But the tests run fine for me here.
Comment 17 Justin Lecher (RETIRED) gentoo-dev 2014-02-24 12:15:02 UTC
+  24 Feb 2014; Justin Lecher <jlec@gentoo.org> numpy-1.8.0-r1.ebuild,
+  -files/numpy-1.6.1-atlas.patch, -files/numpy-1.6.2-distutils.patch,
+  -files/numpy-1.6.2-test-pareto.patch, -files/numpy-1.7.0-atlas.patch,
+  -files/numpy-1.7.1-distutils-python33.patch,
+  files/numpy-1.8.0-f2py-insecure-temporary.patch:
+  Backport fix for regression in testsuite, #500484; enable full testsuite;
+  thanks Arfrever helping here; drop old patches
+
Comment 18 Sergey Popov gentoo-dev 2014-02-24 21:43:32 UTC
GLSA vote: no

Closing as noglsa