Bug 627952 (CVE-2017-12852) - <dev-python/numpy-1.14.5: missing input validation results in infinite loop (CVE-2017-12852)
Status: RESOLVED FIXED
Alias: CVE-2017-12852
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Deadline: 2019-12-07
Assignee: Gentoo Security
Whiteboard: B3 [noglsa cve]
Reported: 2017-08-15 17:46 UTC by Aleksandr Wagner (Kivak)
Modified: 2020-03-20 04:06 UTC
Package list:
=dev-python/numpy-1.14.5
Runtime testing required: ---
stable-bot: sanity-check+


Description Aleksandr Wagner (Kivak) 2017-08-15 17:46:25 UTC
CVE-2017-12852 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12852):

The numpy.pad function in Numpy 1.13.1 and older versions is missing input validation. An empty list or ndarray will stick into an infinite loop, which can allow attackers to cause a DoS attack. 

References:

https://github.com/numpy/numpy/issues/9560#issuecomment-322395292
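
A guard that a caller could place in front of numpy.pad while an affected version is still installed, shown here as an added example that is not part of the original report or of NumPy's code. The names `guarded_pad`, `is_affected` and `shape_of` are hypothetical, and the affected range is taken from the CVE text quoted above.

```python
import re

# Assumption taken from the CVE text above: NumPy 1.13.1 and older are affected.
LAST_AFFECTED = (1, 13, 1)


def release_tuple(version):
    """Parse '1.14.0rc1' -> (1, 14, 0); rc/dev suffixes are ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError("unparseable version: %r" % (version,))
    return tuple(int(g or 0) for g in m.groups())


def is_affected(version):
    """True when the release part of `version` is at or below LAST_AFFECTED."""
    return release_tuple(version) <= LAST_AFFECTED


def shape_of(obj):
    """Shape of an ndarray-like (has .shape) or of a nested list/tuple.

    Nested sequences are measured along their first element only, so
    ragged input is not detected here.
    """
    if hasattr(obj, "shape"):
        return tuple(obj.shape)
    shape = []
    while isinstance(obj, (list, tuple)):
        shape.append(len(obj))
        if not obj:
            break
        obj = obj[0]
    return tuple(shape)


def guarded_pad(pad, array, pad_width, installed_version, **kwargs):
    """Call pad(array, pad_width, **kwargs), refusing empty input
    (a zero-length axis) when the installed version is affected."""
    shape = shape_of(array)
    if is_affected(installed_version) and 0 in shape:
        raise ValueError("refusing to pad empty input of shape %r on NumPy %s"
                         % (shape, installed_version))
    return pad(array, pad_width, **kwargs)
```

In real use the call would look like `guarded_pad(numpy.pad, data, 2, numpy.__version__, mode="constant")`.
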
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-09-01 00:30:55 UTC
Upstream is fixed:

https://github.com/numpy/numpy/pull/9599


Gentoo Security Padawan
ChrisADR
Comment 2 Michael Boyle 2018-05-15 00:05:20 UTC
Ping, the fix is in these latest versions:
v1.14.0
v1.14.0rc1
v1.14.1
v1.14.2
v1.14.3

Please bump


Michael Boyle
Gentoo Security Padawan
Comment 3 Virgil Dupras (RETIRED) gentoo-dev 2018-09-17 11:57:54 UTC
Latest version in the tree is 1.14.5. According to Michael's comment, we're now in the "stable" phase of the workflow.
Comment 4 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-11-25 01:10:33 UTC
@maintainers, please call for stabilization when ready.
Comment 5 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-12-02 16:59:33 UTC
@arches, please stabilize.
Comment 6 Agostino Sarubbo gentoo-dev 2018-12-04 11:57:05 UTC
amd64 stable
Comment 7 Thomas Deutschmann gentoo-dev 2018-12-07 02:42:52 UTC
x86 stable
Comment 8 Mart Raudsepp gentoo-dev 2018-12-07 16:49:06 UTC
Not feeling confident in stabling this with all the test failures. So many it's too complicated to really look if it's a regression or not.

FAIL: numpy.core.tests.test_arrayprint.TestComplexArray.test_str
FAIL: numpy.core.tests.test_longdouble.test_repr_roundtrip
FAIL: Check formatting.
FAIL: Check formatting of nan & inf.
FAIL: Check formatting of complex types.
FAIL: Check inf/nan formatting of complex types.
FAIL: Check inf/nan formatting of complex types.
FAIL: Check inf/nan formatting of complex types.
FAIL: Check inf/nan formatting of complex types.
FAIL: Check inf/nan formatting of complex types.
FAIL: Check inf/nan formatting of complex types.
FAIL: Check inf/nan formatting of complex types.
FAIL: Check inf/nan formatting of complex types.
FAIL: Check inf/nan formatting of complex types.
FAIL: Check inf/nan formatting of complex types.
FAIL: Check inf/nan formatting of complex types.
FAIL: Check inf/nan formatting of complex types.
FAIL: Check formatting when using print
FAIL: Check formatting when using print
FAIL: numpy.core.tests.test_print.test_locale_longdouble
FAIL: numpy.core.tests.test_scalarprint.TestRealScalars.test_dragon4_interface
FAIL: numpy.core.tests.test_scalarprint.TestRealScalars.test_str
FAIL: numpy.f2py.tests.test_kind.TestKind.test_all
FAILED (KNOWNFAIL=19, SKIP=13, failures=23)
Comment 9 ernsteiswuerfel archtester 2018-12-08 01:03:15 UTC
On ppc64 1.14.5 neither looks like an improvement over 1.10.4 (see bug #672730).

1.14.5: KNOWNFAIL=20, SKIP=25, failures=21
1.10.4: KNOWNFAIL=6, SKIP=5, failures=2
Comment 10 Markus Meier gentoo-dev 2018-12-18 21:06:24 UTC
arm stable
Comment 11 Larry the Git Cow gentoo-dev 2019-01-17 12:32:06 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3afb0ec42a898f3d4cca0ffa0969f14b3fd8dfdd

commit 3afb0ec42a898f3d4cca0ffa0969f14b3fd8dfdd
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2019-01-17 12:29:51 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2019-01-17 12:31:52 +0000

    dev-python/numpy-1.15.4: arm64 stable (bug #627952)
    
    Unlike the stable target of 1.14.5 for others, this version passes
    tests on arm64. As our stable trees usage of numpy is very limited,
    we can risk jumping the gun here, under the assumption that it
    works better for us, due to no test failures.
    
    Bug: https://bugs.gentoo.org/627952
    Package-Manager: Portage-2.3.52, Repoman-2.3.12
    Signed-off-by: Mart Raudsepp <leio@gentoo.org>

 dev-python/numpy/numpy-1.15.4.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 12 Larry the Git Cow gentoo-dev 2019-01-30 13:20:17 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=93a64e8d1a74b41dcbeeff034aff082d9a99f82b

commit 93a64e8d1a74b41dcbeeff034aff082d9a99f82b
Author:     Tobias Klausmann <klausman@gentoo.org>
AuthorDate: 2019-01-30 13:19:49 +0000
Commit:     Tobias Klausmann <klausman@gentoo.org>
CommitDate: 2019-01-30 13:19:49 +0000

    dev-python/numpy-1.14.5-r0: alpha stable
    
    Bug: http://bugs.gentoo.org/627952
    Signed-off-by: Tobias Klausmann <klausman@gentoo.org>

 dev-python/numpy/numpy-1.14.5.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 13 ernsteiswuerfel archtester 2019-02-18 01:10:56 UTC
On ppc64 1.15.4 looks best for a stable candidate (see bug #672730).

1.15.4: KNOWNFAIL=9, SKIP=28, failures=2
1.14.5: KNOWNFAIL=20, SKIP=25, failures=21
1.10.4: KNOWNFAIL=6, SKIP=5, failures=2
Comment 14 Agostino Sarubbo gentoo-dev 2019-06-03 15:00:30 UTC
ppc64 stable
Comment 15 Agostino Sarubbo gentoo-dev 2019-06-04 18:59:16 UTC
ia64 stable
Comment 16 Agostino Sarubbo gentoo-dev 2019-06-04 19:01:46 UTC
ppc stable
Comment 17 Agostino Sarubbo gentoo-dev 2019-06-05 11:18:57 UTC
sparc stable
Comment 18 Rolf Eike Beer archtester 2019-07-04 20:55:26 UTC
hppa stable
Comment 19 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-08-11 21:52:56 UTC
@maintainer(s), please drop vulnerable
Comment 20 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2019-08-14 21:29:18 UTC
Removal is blocked by dev-python/scientificpython, sci-libs/mmtk and their revdeps...
Comment 21 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-20 00:59:20 UTC
(In reply to Michał Górny from comment #20)
> Removal is blocked by dev-python/scientificpython, sci-libs/mmtk and their
> revdeps...

Neither of those packages is in tree anymore, nor is the problematic package in this bug, as per https://github.com/gentoo/gentoo/pull/12708.

So, the tree is clean.
Comment 22 Yury German Gentoo Infrastructure gentoo-dev 2020-03-20 04:06:39 UTC
Arches and Maintainer(s), Thank you for your work.