Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 873151 (CVE-2022-21797)

Summary: <dev-python/joblib-1.2.0: Arbitrary Code Execution via the pre_dispatch flag in Parallel() class (CVE-2022-21797)
Product: Gentoo Security Reporter: filip ambroz <filip.ambroz>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: python
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/joblib/joblib/issues/1128
Whiteboard: B1 [glsa+]
Package list:
Runtime testing required: ---

Description filip ambroz 2022-09-27 07:10:24 UTC 
The package joblib from 0 and before 1.2.0 are vulnerable to Arbitrary Code Execution via the pre_dispatch flag in Parallel() class due to the eval() statement.

Links:
https://security.snyk.io/vuln/SNYK-PYTHON-JOBLIB-3027033

Fix:
https://github.com/joblib/joblib/commit/b90f10efeb670a2cc877fb88ebb3f2019189e059

Fixed version 1.2.0 is available.
Comment 1 Hans de Graaff gentoo-dev Security 2023-10-13 05:47:19 UTC 
dev-python/joblib-1.3.2 is currently the only version available.
Comment 2 Larry the Git Cow gentoo-dev 2024-01-02 14:39:03 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=086ee91647926ad5550f1443e004b5f5d1bda7fc

commit 086ee91647926ad5550f1443e004b5f5d1bda7fc
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-01-02 14:38:14 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-01-02 14:38:51 +0000

    [ GLSA 202401-01 ] Joblib: Arbitrary Code Execution
    
    Bug: https://bugs.gentoo.org/873151
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202401-01.xml | 47 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)