
Bug 758323 (CVE-2020-28975)

Summary: <sci-libs/scikit-learn-1.1.1: local DoS (CVE-2020-28975)
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: andrewammerlaan, gentoo, mgorny, sci
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://github.com/scikit-learn/scikit-learn/issues/18891
Whiteboard: B3 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 788592, 879985
Bug Blocks:

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-12-03 18:45:44 UTC
CVE-2020-28975:

In Scikit-learn version 0.23.2, calling the predict() method on a maliciously crafted SVM model can result in a segmentation fault. Such models can be introduced via pickle, json, or any other model permanence standard. The behaviour is triggered when one of the members of the _n_support array has a very large value, for example 1000000, when calling libsvm.predict().

Upstream appears not to care:

This is where it's out of scope here: we can't guard against everything. We have a responsibility to provide safe code when that code is used under the limits of what's a normal use-case, but that's pretty much it. Private attributes shouldn't be modified, and it's up to users to make sure that the estimator isn't maliciously altered.

I might go on a limb and use a poor analogy but when I buy a car, I can't complain that it breaks if I replace the steering wheel by a potato.
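The CVE text above describes the crash mechanism (an inflated `_n_support` entry reaching libsvm) but not a defence. The following is an added example, not code from scikit-learn, from the upstream fix or from this bug: a consistency check a loader can run on a deserialised SVC before calling predict(). It assumes the libsvm-backed estimator layout that scikit-learn's SVC exposes (`classes_`, `support_vectors_`, `_n_support`, `dual_coef_`, `intercept_`) and the invariant that `_n_support` holds one non-negative count per class summing to the number of support vectors; the `UntrustedSVM` class and the two model instances are constructed stand-ins for the example, not real estimators, so it runs without scikit-learn installed.

```python
"""Sanity-check the private attributes of an untrusted SVM model before predict().

Added example (not scikit-learn code). Assumed invariants for an SVC-style model:
  * len(_n_support) == len(classes_), every entry a non-negative int
  * sum(_n_support) == number of rows in support_vectors_
  * dual_coef_ has max(n_classes - 1, 1) rows, each with one value per support vector
  * intercept_ has n_classes * (n_classes - 1) / 2 entries (one per class pair)
"""
from dataclasses import dataclass
from typing import List


@dataclass
class UntrustedSVM:
    """Minimal stand-in for a deserialised SVC (constructed for this example)."""
    classes_: List[int]
    support_vectors_: List[List[float]]   # one row per support vector
    _n_support: List[int]                  # support vectors per class
    dual_coef_: List[List[float]]          # (n_classes - 1) x n_support_vectors
    intercept_: List[float]                # one per class pair


def validate_svm_attrs(model, max_support_vectors: int = 10_000_000) -> List[str]:
    """Return a list of consistency problems; an empty list means the attributes cohere.

    A loader should refuse to call predict() while this list is non-empty.
    """
    problems: List[str] = []
    n_sv = len(model.support_vectors_)
    n_classes = len(model.classes_)
    n_support = list(model._n_support)

    if len(n_support) != n_classes:
        problems.append(
            f"_n_support has {len(n_support)} entries, expected {n_classes} (one per class)")
    if any(isinstance(v, bool) or not isinstance(v, int) or v < 0 for v in n_support):
        problems.append("_n_support contains a negative or non-integer entry")
    elif sum(n_support) != n_sv:
        # This is the CVE-2020-28975 pattern: a per-class count far larger than the
        # actual support_vectors_ array, which libsvm would then index past.
        problems.append(
            f"_n_support sums to {sum(n_support)} but there are {n_sv} support vectors")
    if n_sv > max_support_vectors:
        problems.append(
            f"{n_sv} support vectors exceeds the configured limit {max_support_vectors}")
    if len(model.dual_coef_) != max(n_classes - 1, 1) or any(
            len(row) != n_sv for row in model.dual_coef_):
        problems.append("dual_coef_ shape does not match (n_classes - 1, n_support_vectors)")
    if len(model.intercept_) != n_classes * (n_classes - 1) // 2:
        problems.append("intercept_ length does not match the number of class pairs")
    return problems


def make_benign_model() -> UntrustedSVM:
    """Constructed binary SVC with three support vectors, two for class 0 and one for class 1."""
    return UntrustedSVM(
        classes_=[0, 1],
        support_vectors_=[[0.0, 1.0], [1.0, 0.0], [0.5, 0.5]],
        _n_support=[2, 1],
        dual_coef_=[[0.3, -0.2, -0.1]],
        intercept_=[0.1],
    )


def make_crafted_model() -> UntrustedSVM:
    """Same model with _n_support[0] inflated the way the CVE text describes."""
    model = make_benign_model()
    model._n_support = [1_000_000, 1]
    return model


def safe_predict_allowed(model) -> bool:
    """Gate that a loader would place in front of model.predict()."""
    return not validate_svm_attrs(model)


if __name__ == "__main__":
    for name, m in (("benign", make_benign_model()), ("crafted", make_crafted_model())):
        issues = validate_svm_attrs(m)
        print(f"{name}: {'ok' if not issues else 'REJECT'}", *issues, sep="\n  ")
```

The check only addresses the memory-safety class of problem the CVE describes; it runs after deserialisation, so against a pickle that carries an arbitrary-code payload it is already too late. Treat pickled models from untrusted sources as code, and use a check like this as defence in depth for formats that cannot execute on load.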
Comment 1 Aisha Tammy 2020-12-03 18:54:37 UTC
upstream discussion
https://github.com/scikit-learn/scikit-learn/issues/18891
Comment 2 Larry the Git Cow gentoo-dev 2021-05-29 17:41:52 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7df0dba820d628b4b7224692a5cb188799097c40

commit 7df0dba820d628b4b7224692a5cb188799097c40
Author:     Andrew Ammerlaan <andrewammerlaan@gentoo.org>
AuthorDate: 2021-05-29 17:41:14 +0000
Commit:     Andrew Ammerlaan <andrewammerlaan@gentoo.org>
CommitDate: 2021-05-29 17:41:48 +0000

    sci-libs/scikit-learn: drop 0.23.2
    
    Closes: https://bugs.gentoo.org/754333
    Bug: https://bugs.gentoo.org/758323
    Bug: https://bugs.gentoo.org/788592
    Package-Manager: Portage-3.0.19, Repoman-3.0.3
    Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>

 sci-libs/scikit-learn/Manifest                   |  1 -
 sci-libs/scikit-learn/scikit-learn-0.23.2.ebuild | 66 ------------------------
 2 files changed, 67 deletions(-)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-05-30 16:18:38 UTC
Andrew, is this vulnerability fixed by the versions now in tree?
Comment 4 Andrew Ammerlaan gentoo-dev 2021-05-30 16:34:54 UTC
(In reply to John Helmert III from comment #3)
> Andrew, is this vulnerability fixed by the versions now in tree?

It does according to repology: https://repology.org/project/python:scikit-learn/cves
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-05-30 16:47:14 UTC
Repology uses CVE data to handle that, and the CVE data isn't necessarily always trustable. Upstream didn't seem to have any interest in patching it, so let's assume the vulnerability is still present unless there's patches upstream.
Comment 6 NATTkA bot gentoo-dev 2021-07-29 17:25:12 UTC Comment hidden (obsolete)
Comment 7 NATTkA bot gentoo-dev 2021-07-29 17:33:44 UTC Comment hidden (obsolete)
Comment 8 NATTkA bot gentoo-dev 2021-07-29 17:41:37 UTC Comment hidden (obsolete)
Comment 9 NATTkA bot gentoo-dev 2021-07-29 17:49:47 UTC Comment hidden (obsolete)
Comment 10 NATTkA bot gentoo-dev 2021-07-29 18:05:41 UTC Comment hidden (obsolete)
Comment 11 NATTkA bot gentoo-dev 2021-07-29 18:14:00 UTC
Package list is empty or all packages have requested keywords.
Comment 12 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-10-23 13:14:10 UTC
A patch was merged upstream: https://github.com/scikit-learn/scikit-learn/commit/1bf13d567d3cd74854aa8343fd25b61dd768bb85
Comment 13 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-16 18:24:03 UTC
Patch made it into 1.1.0, and the first Gentoo version with the fix is 1.1.1. Needs stabilization.
Comment 14 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-07 15:40:09 UTC
Please cleanup
Comment 15 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2022-11-07 15:44:58 UTC
Cleanup done.
Comment 16 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-07 16:29:32 UTC
Thanks!
Comment 17 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-22 16:53:27 UTC
GLSA request filed
Comment 18 Larry the Git Cow gentoo-dev 2023-01-11 05:23:00 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=76634ca5c9e2fcfb011091d419529327c0e9c948

commit 76634ca5c9e2fcfb011091d419529327c0e9c948
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-01-11 05:16:33 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2023-01-11 05:22:04 +0000

    [ GLSA 202301-03 ] scikit-learn: Denial of Service
    
    Bug: https://bugs.gentoo.org/758323
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202301-03.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
Comment 19 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-01-11 05:25:48 UTC
GLSA released, all done!