| Summary: | python-numpy new security issues CVE-2014-1858 and CVE-2014-1859 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | makowski.mageia, rverschelde, sysadmin-bugs, tmb |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/586791/ | ||
| Whiteboard: | MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok advisory | ||
| Source RPM: | python-numpy-1.6.2-2.mga3.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2014-02-18 19:47:55 CET
David Walser
2014-02-18 19:48:03 CET
Whiteboard:
(none) =>
MGA4TOO, MGA3TOO Advisory: ======================== Updated python-numpy and python3-numpy packages fix security vulnerabilities: f2py insecurely used a temporary file. A local attacker could use this flaw to perform a symbolic link attack to modify an arbitrary file accessible to the user running f2py. The original report in the Debian bug tracking system. Fix CVE-2014-1858, CVE-2014-1859. References: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737778 https://lists.fedoraproject.org/pipermail/package-announce/2014-February/128358.html http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1858 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1859 Updated packages in core/updates_testing: ======================== python-numpy-1.6.2-2.1.mga3 python-numpy-devel-1.6.2-2.1.mga3 python-numpy-debuginfo-1.6.2-2.1.mga3 From: python-numpy-1.6.2-2.1.mga3.src python-numpy-1.8.0-1.1.mga4 python-numpy-devel-1.8.0-1.1.mga4 python3-numpy-1.8.0-1.1.mga4 python3-numpy-devel-1.8.0-1.1.mga4 python-numpy-debuginfo-1.8.0-1.1.mga4 From: python-numpy-1.8.0-1.1.mga4.src Assignee:
makowski.mageia =>
qa-bugs Thanks Philippe! Just some minor adjustments to the advisory. Advisory: ======================== Updated python-numpy packages fix security vulnerabilities: f2py insecurely used a temporary file. A local attacker could use this flaw to perform a symbolic link attack to modify an arbitrary file accessible to the user running f2py (CVE-2014-1858, CVE-2014-1859). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1858 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1859 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737778 https://lists.fedoraproject.org/pipermail/package-announce/2014-February/128358.html CC:
(none) =>
makowski.mageia No PoC. Various example scripts can be found in the tutorial at numpy.org http://wiki.scipy.org/Tentative_NumPy_Tutorial Also one in attachment 798 [details] which requires python-matplotlib aswell Whiteboard:
MGA3TOO =>
MGA3TOO has_procedure Testing complete mga3 32 & 64 using the example in attachment 798 [details].Whiteboard:
MGA3TOO has_procedure =>
MGA3TOO has_procedure mga3-32-ok mga3-64-ok Testing complete on Mageia 4 i586 using the example in comment 3, with both the python2.7 and python3 versions. The python3 version fails with the update candidate, but so does it with the core/release package. The failure is due to a matplotlib compatibility issue, so it is not relevant to this update. CC:
(none) =>
remi Testing complete on Mageia 4 x86_64. -- Validating update, advisory uploaded. Please push to 3 & 4 core/updates. Keywords:
(none) =>
validated_update Update pushed: http://advisories.mageia.org/MGASA-2014-0089.html Status:
NEW =>
RESOLVED |