From ${URL} :

Jakub Wilk found that f2py insecurely used a temporary file. A local attacker could use this flaw to perform a symbolic link attack to modify an arbitrary file accessible to the user running f2py.

The original report in the Debian bug tracking system (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737778) notes the issue is in numpy/f2py/__init__.py:

    from numpy.distutils.exec_command import exec_command
    import tempfile
    if source_fn is None:
        # mktemp() only returns a name; nothing exists at that path until
        # the open() below, which is the window for the symlink attack
        fname = os.path.join(tempfile.mktemp()+'.f')
    else:
        fname = source_fn
    f = open(fname,'w')

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for stabilization or not.
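As an added example (not code from the Debian report, from numpy, or from the Gentoo patch), the block below contrasts the racy mktemp() sequence with a version built on tempfile.mkstemp(), the standard-library call that creates the file atomically with O_CREAT|O_EXCL and mode 0600 and hands back a descriptor. SAMPLE_SOURCE is a constructed stand-in for the Fortran text f2py writes out, and the function names (write_source_secure, inspect_created_file, run_demo) are assumptions made for this illustration, not f2py's API.

```python
import os
import stat
import tempfile

# Constructed stand-in for the Fortran source that f2py writes out before
# compiling it; the content is irrelevant to the temp-file handling.
SAMPLE_SOURCE = "      subroutine hello()\n      print *, 'hello'\n      end\n"


def mktemp_leaves_window():
    """Why mktemp() is unsafe: it only invents a name. Nothing exists at that
    path until the caller opens it, and in that gap another local user can
    place a symlink there so the later open() writes through the link."""
    name = tempfile.mktemp(suffix='.f')
    return not os.path.exists(name)


def write_source_secure(source, source_fn=None):
    """Hardened replacement for the reported sequence (assumed name).
    mkstemp() creates the file itself, atomically (O_CREAT|O_EXCL) and with
    mode 0600, then returns a descriptor; writing through that descriptor
    means the name is never predicted ahead of creation and no pre-planted
    link can be followed."""
    if source_fn is None:
        fd, fname = tempfile.mkstemp(suffix='.f')
        with os.fdopen(fd, 'w') as f:
            f.write(source)
    else:
        fname = source_fn          # caller-chosen path, as in the original
        with open(fname, 'w') as f:
            f.write(source)
    return fname


def inspect_created_file(path):
    """Properties a reviewer would check on the temp file: a regular file,
    not a link, owner-only permissions, owned by the caller."""
    st = os.lstat(path)
    return {
        'is_regular': stat.S_ISREG(st.st_mode),
        'is_symlink': stat.S_ISLNK(st.st_mode),
        'mode': stat.S_IMODE(st.st_mode),
        'owned_by_caller': st.st_uid == os.getuid() if hasattr(os, 'getuid') else True,
    }


def excl_create_refuses_existing_symlink():
    """The guarantee mkstemp() relies on: O_CREAT|O_EXCL fails with EEXIST
    when anything, including a symlink, already sits at the chosen name,
    so the link target is left untouched. Built and torn down inside a
    private temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, 'victim.txt')
        with open(target, 'w') as f:
            f.write('original\n')
        link = os.path.join(d, 'predicted.f')
        os.symlink(target, link)          # a link already occupying the name
        try:
            fd = os.open(link, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
            os.close(fd)
            refused = False
        except FileExistsError:
            refused = True
        with open(target) as f:
            untouched = f.read() == 'original\n'
    return refused and untouched


def run_demo():
    """Exercise the secure writer end to end and return what was observed;
    the temp file is removed before returning."""
    path = write_source_secure(SAMPLE_SOURCE)
    try:
        info = inspect_created_file(path)
        with open(path) as f:
            info['content_matches'] = f.read() == SAMPLE_SOURCE
        info['has_f_suffix'] = path.endswith('.f')
    finally:
        os.unlink(path)
    info['mktemp_window'] = mktemp_leaves_window()
    info['excl_refuses_symlink'] = excl_create_refuses_existing_symlink()
    return info


if __name__ == '__main__':
    for key, value in run_demo().items():
        print(f'{key}: {value}')
```

The check functions are the part worth keeping in a review checklist: after any temp-file creation, lstat the result and confirm it is a regular file with mode 0600 owned by the caller, and never open a path that was computed before the file existed.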
I will take care
+*numpy-1.8.0-r1 (06 Feb 2014)
+
+  06 Feb 2014; Justin Lecher <jlec@gentoo.org>
+  +files/numpy-1.8.0-f2py-insecure-temporary.patch, +numpy-1.8.0-r1.ebuild:
+  Backport fix for sec bug, #500484
+
@arches please go ahead, testsuite included. I will drop testing arches back to testing.
Stable for HPPA.
ia64 stable
amd64 stable
ppc stable
ppc64 stable
sparc stable
alpha stable
arm stable
x86 stable. Maintainer(s), please clean up. Security, please vote.
+  22 Feb 2014; Justin Lecher <jlec@gentoo.org> -numpy-1.8.0.ebuild,
+  metadata.xml:
+  Drop vulnerable versions, #500484
+
+  22 Feb 2014; Justin Lecher <jlec@gentoo.org> -numpy-1.6.2-r2.ebuild,
+  -numpy-1.7.1.ebuild:
+  Drop vulnerable versions, #500484
+
GLSA vote: no
(In reply to Justin Lecher from comment #2)
> +*numpy-1.8.0-r1 (06 Feb 2014)
> +
> +  06 Feb 2014; Justin Lecher <jlec@gentoo.org>
> +  +files/numpy-1.8.0-f2py-insecure-temporary.patch, +numpy-1.8.0-r1.ebuild:
> +  Backport fix for sec bug, #500484

This patch introduced 1 error in test suite.
See:
https://github.com/numpy/numpy/pull/4262
https://github.com/numpy/numpy/pull/4271
https://github.com/numpy/numpy/commit/524b9eaa33ec67e34eb31a208e02bb934f778096
(In reply to Arfrever Frehtes Taifersar Arahesis from comment #15)
> (In reply to Justin Lecher from comment #2)
> > +*numpy-1.8.0-r1 (06 Feb 2014)
> > +
> > +  06 Feb 2014; Justin Lecher <jlec@gentoo.org>
> > +  +files/numpy-1.8.0-f2py-insecure-temporary.patch, +numpy-1.8.0-r1.ebuild:
> > +  Backport fix for sec bug, #500484
>
> This patch introduced 1 error in test suite.
> See:
> https://github.com/numpy/numpy/pull/4262
> https://github.com/numpy/numpy/pull/4271
> https://github.com/numpy/numpy/commit/524b9eaa33ec67e34eb31a208e02bb934f778096

Thanks for tracking this. But tests run fine for me here.
+  24 Feb 2014; Justin Lecher <jlec@gentoo.org> numpy-1.8.0-r1.ebuild,
+  -files/numpy-1.6.1-atlas.patch, -files/numpy-1.6.2-distutils.patch,
+  -files/numpy-1.6.2-test-pareto.patch, -files/numpy-1.7.0-atlas.patch,
+  -files/numpy-1.7.1-distutils-python33.patch,
+  files/numpy-1.8.0-f2py-insecure-temporary.patch:
+  Backport fix for regression in testsuite, #500484; enable full testsuite;
+  thanks Arfrever helping here; drop old patches
+
GLSA vote: no

Closing as noglsa