Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 488048 (CVE-2013-4251) - <sci-libs/scipy-0.12.1 : "scipy.weave" Insecure Temporary Directory Creation Security Issue (CVE-2013-4251)
Summary: <sci-libs/scipy-0.12.1 : "scipy.weave" Insecure Temporary Directory Creation ...
Alias: CVE-2013-4251
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B4 [noglsa]
: 487874 (view as bug list)
Depends on: 487896
Blocks: python-3.3-stable
  Show dependency tree
Reported: 2013-10-14 18:55 UTC by Agostino Sarubbo
Modified: 2014-02-28 08:37 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-10-14 18:55:14 UTC
From ${URL} :


A security issue has been reported in SciPy, which can be exploited by malicious, local users to 
potentially gain escalated privileges.

The security issue is caused due to the "scipy.weave" component creating temporary directories in 
an insecure manner and can be exploited to e.g. place code that would be executed as the user 
running "scipy.weave".

The security issue is reported in versions prior to 0.12.1.

Update to version 0.12.1.

Provided and/or discovered by:
Florian Weimer, Red Hat Product Security Team

Original Advisory:

@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Comment 1 Justin Lecher (RETIRED) gentoo-dev 2013-10-15 06:49:20 UTC
*** Bug 487874 has been marked as a duplicate of this bug. ***
Comment 2 Justin Lecher (RETIRED) gentoo-dev 2013-10-15 06:50:13 UTC
@arches please go ahead.
Comment 3 Pacho Ramos gentoo-dev 2013-10-20 07:22:11 UTC
amd64 stable (by ago)
Comment 4 Agostino Sarubbo gentoo-dev 2013-10-22 08:57:57 UTC
ppc stable
Comment 5 Agostino Sarubbo gentoo-dev 2013-10-24 09:23:35 UTC
ppc64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2013-11-02 09:58:37 UTC
x86 stable. Maintainer(s), please cleanup
Comment 7 Justin Lecher (RETIRED) gentoo-dev 2013-11-02 11:26:29 UTC
  02 Nov 2013; Justin Lecher <> -scipy-0.9.0-r1.ebuild,
+  -scipy-0.12.0.ebuild:
+  Drop vulnerable versions, #488048

security please proceed.
Comment 8 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-02-28 07:55:43 UTC
GLSA vote: no.
Comment 9 Sergey Popov gentoo-dev 2014-02-28 08:37:45 UTC
Thanks for your work

GLSA vote: no

Closing as noglsa