CVE-2017-12852 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12852): The numpy.pad function in Numpy 1.13.1 and older versions is missing input validation. An empty list or ndarray will get stuck in an infinite loop, which can allow attackers to cause a DoS attack. References: https://github.com/numpy/numpy/issues/9560#issuecomment-322395292
Upstream is fixed: https://github.com/numpy/numpy/pull/9599
Gentoo Security Padawan ChrisADR
Ping, the fix is in these latest versions: v1.14.0 v1.14.0rc1 v1.14.1 v1.14.2 v1.14.3. Please bump.
Michael Boyle, Gentoo Security Padawan
Latest version in the tree is 1.14.5. According to Michael's comment, we're now in the "stable" phase of the workflow.
@maintainers, please call for stabilization when ready.
@arches, please stabilize.
amd64 stable
x86 stable
Not feeling confident in stabling this with all the test failures. So many it's too complicated to really look if it's a regression or not.
FAIL: numpy.core.tests.test_arrayprint.TestComplexArray.test_str
FAIL: numpy.core.tests.test_longdouble.test_repr_roundtrip
FAIL: Check formatting.
FAIL: Check formatting of nan & inf.
FAIL: Check formatting of complex types.
FAIL: Check inf/nan formatting of complex types.
FAIL: Check inf/nan formatting of complex types.
FAIL: Check inf/nan formatting of complex types.
FAIL: Check inf/nan formatting of complex types.
FAIL: Check inf/nan formatting of complex types.
FAIL: Check inf/nan formatting of complex types.
FAIL: Check inf/nan formatting of complex types.
FAIL: Check inf/nan formatting of complex types.
FAIL: Check inf/nan formatting of complex types.
FAIL: Check inf/nan formatting of complex types.
FAIL: Check inf/nan formatting of complex types.
FAIL: Check inf/nan formatting of complex types.
FAIL: Check formatting when using print
FAIL: Check formatting when using print
FAIL: numpy.core.tests.test_print.test_locale_longdouble
FAIL: numpy.core.tests.test_scalarprint.TestRealScalars.test_dragon4_interface
FAIL: numpy.core.tests.test_scalarprint.TestRealScalars.test_str
FAIL: numpy.f2py.tests.test_kind.TestKind.test_all
FAILED (KNOWNFAIL=19, SKIP=13, failures=23)
On ppc64 1.14.5 neither looks like an improvement over 1.10.4 (see bug #672730).
1.14.5: KNOWNFAIL=20, SKIP=25, failures=21
1.10.4: KNOWNFAIL=6, SKIP=5, failures=2
arm stable
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3afb0ec42a898f3d4cca0ffa0969f14b3fd8dfdd
commit 3afb0ec42a898f3d4cca0ffa0969f14b3fd8dfdd
Author: Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2019-01-17 12:29:51 +0000
Commit: Mart Raudsepp <leio@gentoo.org>
CommitDate: 2019-01-17 12:31:52 +0000
dev-python/numpy-1.15.4: arm64 stable (bug #627952)
Unlike the stable target of 1.14.5 for others, this version passes tests on arm64. As our stable tree's usage of numpy is very limited, we can risk jumping the gun here, under the assumption that it works better for us, due to no test failures.
Bug: https://bugs.gentoo.org/627952
Package-Manager: Portage-2.3.52, Repoman-2.3.12
Signed-off-by: Mart Raudsepp <leio@gentoo.org>
dev-python/numpy/numpy-1.15.4.ebuild | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=93a64e8d1a74b41dcbeeff034aff082d9a99f82b
commit 93a64e8d1a74b41dcbeeff034aff082d9a99f82b
Author: Tobias Klausmann <klausman@gentoo.org>
AuthorDate: 2019-01-30 13:19:49 +0000
Commit: Tobias Klausmann <klausman@gentoo.org>
CommitDate: 2019-01-30 13:19:49 +0000
dev-python/numpy-1.14.5-r0: alpha stable
Bug: http://bugs.gentoo.org/627952
Signed-off-by: Tobias Klausmann <klausman@gentoo.org>
dev-python/numpy/numpy-1.14.5.ebuild | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
On ppc64 1.15.4 looks best for a stable candidate (see bug #672730).
1.15.4: KNOWNFAIL=9, SKIP=28, failures=2
1.14.5: KNOWNFAIL=20, SKIP=25, failures=21
1.10.4: KNOWNFAIL=6, SKIP=5, failures=2
ppc64 stable
ia64 stable
ppc stable
sparc stable
hppa stable
@maintainer(s), please drop vulnerable
Removal is blocked by dev-python/scientificpython, sci-libs/mmtk and their revdeps...
(In reply to Michał Górny from comment #20)
> Removal is blocked by dev-python/scientificpython, sci-libs/mmtk and their
> revdeps...

Neither of those packages is in the tree anymore, nor is the problematic package in this bug, as per https://github.com/gentoo/gentoo/pull/12708. So, the tree is clean.
Arches and Maintainer(s), Thank you for your work.