Bug 758323 (CVE-2020-28975) - sci-libs/scikit-learn: local DoS (CVE-2020-28975)
Summary: sci-libs/scikit-learn: local DoS (CVE-2020-28975)
Status: CONFIRMED
Alias: CVE-2020-28975
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://github.com/scikit-learn/sciki...
Whiteboard: B3 [upstream]
Keywords:
Depends on: 788592
Blocks:
Reported: 2020-12-03 18:45 UTC by John Helmert III
Modified: 2021-07-29 18:14 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description John Helmert III gentoo-dev Security 2020-12-03 18:45:44 UTC
CVE-2020-28975:

In Scikit-learn version 0.23.2, calling the predict() method on a maliciously crafted SVM model can result in a segmentation fault. Such models can be introduced via pickle, json, or any other model permanence standard. The behaviour is triggered when one of the members of the _n_support array has a very large value, for example 1000000, when calling libsvm.predict().

Upstream appears not to care:

This is where it's out of scope here: we can't guard against everything. We have a responsibility to provide safe code when that code is used under the limits of what's a normal use-case, but that's pretty much it. Private attributes shouldn't be modified, and it's up to users to make sure that the estimator isn't maliciously altered.

I might go out on a limb and use a poor analogy, but when I buy a car, I can't complain that it breaks if I replace the steering wheel with a potato.
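An added defensive check, not part of this bug report or of scikit-learn, that a loader can run on an unpickled SVC before calling predict(): it tests the structural invariants a genuinely fitted classifier satisfies, so a tampered `_n_support` is rejected before libsvm ever sees it. The attribute names follow scikit-learn's SVC (an assumption), and the model objects below are constructed stand-ins rather than real estimators.

```python
from types import SimpleNamespace

def _rows(obj):
    """Row count of a list or numpy-style array (uses .shape if present)."""
    shape = getattr(obj, "shape", None)
    return shape[0] if shape is not None else len(obj)

def _cols(obj):
    """Column count of a 2-D list or numpy-style array."""
    shape = getattr(obj, "shape", None)
    return shape[1] if shape is not None else (len(obj[0]) if obj else 0)

def svm_model_problems(model):
    """Return invariant violations; an empty list means the model looks sane.
    Attribute names follow scikit-learn's SVC (an assumption): _n_support
    entries are non-negative ints, one per class, summing to the number of
    stored support vectors, which also equals len(support_) and the column
    count of dual_coef_.
    """
    problems = []
    n_support = list(getattr(model, "_n_support", []))
    n_sv = _rows(model.support_vectors_)
    if any(v < 0 or int(v) != v for v in n_support):
        problems.append("_n_support has a negative or non-integer count")
    if sum(n_support) != n_sv:
        problems.append(f"sum(_n_support)={sum(n_support)} but {n_sv} SVs stored")
    if _rows(model.support_) != n_sv:
        problems.append("support_ length does not match support_vectors_")
    if _cols(model.dual_coef_) != n_sv:
        problems.append("dual_coef_ columns do not match support_vectors_")
    classes = getattr(model, "classes_", None)
    if classes is not None and len(n_support) != _rows(classes):
        problems.append("len(_n_support) does not match len(classes_)")
    return problems

def safe_predict(model, X):
    """Gate predict() behind the checks instead of trusting a loaded model."""
    problems = svm_model_problems(model)
    if problems:
        raise ValueError("inconsistent SVM model: " + "; ".join(problems))
    return model.predict(X)

# Constructed stand-ins for a fitted binary SVC with 3 support vectors
# (2 from class 0, 1 from class 1); nothing here is a real unpickled model.
def make_model(n_support):
    return SimpleNamespace(_n_support=n_support, support_=[0, 4, 7],
                           support_vectors_=[[0.1, 0.2], [0.3, 0.4], [0.9, 0.8]],
                           dual_coef_=[[-0.5, -0.5, 1.0]], classes_=[0, 1],
                           predict=lambda X: [0 for _ in X])
GOOD_MODEL = make_model([2, 1])
TAMPERED_MODEL = make_model([1000000, 1])  # the count named in the CVE text
```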
Comment 1 Aisha Tammy 2020-12-03 18:54:37 UTC
Upstream discussion:
https://github.com/scikit-learn/scikit-learn/issues/18891
Comment 2 Larry the Git Cow gentoo-dev 2021-05-29 17:41:52 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7df0dba820d628b4b7224692a5cb188799097c40

commit 7df0dba820d628b4b7224692a5cb188799097c40
Author:     Andrew Ammerlaan <andrewammerlaan@gentoo.org>
AuthorDate: 2021-05-29 17:41:14 +0000
Commit:     Andrew Ammerlaan <andrewammerlaan@gentoo.org>
CommitDate: 2021-05-29 17:41:48 +0000

    sci-libs/scikit-learn: drop 0.23.2
    
    Closes: https://bugs.gentoo.org/754333
    Bug: https://bugs.gentoo.org/758323
    Bug: https://bugs.gentoo.org/788592
    Package-Manager: Portage-3.0.19, Repoman-3.0.3
    Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>

 sci-libs/scikit-learn/Manifest                   |  1 -
 sci-libs/scikit-learn/scikit-learn-0.23.2.ebuild | 66 ------------------------
 2 files changed, 67 deletions(-)
Comment 3 John Helmert III gentoo-dev Security 2021-05-30 16:18:38 UTC
Andrew, is this vulnerability fixed by the versions now in tree?
Comment 4 Andrew Ammerlaan gentoo-dev 2021-05-30 16:34:54 UTC
(In reply to John Helmert III from comment #3)
> Andrew, is this vulnerability fixed by the versions now in tree?

It is, according to repology: https://repology.org/project/python:scikit-learn/cves
Comment 5 John Helmert III gentoo-dev Security 2021-05-30 16:47:14 UTC
Repology uses CVE data to handle that, and the CVE data isn't necessarily always trustworthy. Upstream didn't seem to have any interest in patching it, so let's assume the vulnerability is still present unless there are patches upstream.
Comment 6 NATTkA bot gentoo-dev 2021-07-29 17:25:12 UTC Comment hidden (obsolete)
Comment 7 NATTkA bot gentoo-dev 2021-07-29 17:33:44 UTC Comment hidden (obsolete)
Comment 8 NATTkA bot gentoo-dev 2021-07-29 17:41:37 UTC Comment hidden (obsolete)
Comment 9 NATTkA bot gentoo-dev 2021-07-29 17:49:47 UTC Comment hidden (obsolete)
Comment 10 NATTkA bot gentoo-dev 2021-07-29 18:05:41 UTC Comment hidden (obsolete)
Comment 11 NATTkA bot gentoo-dev 2021-07-29 18:14:00 UTC
Package list is empty or all packages have requested keywords.