Bug 29904

Summary: python-numpy new security issues CVE-2021-33430 and CVE-2021-41496
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, davidwhodgins, mageia, sysadmin-bugs, tarazed25
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: python-numpy-1.21.5-2.mga9.src.rpm CVE:
Status comment:

Description David Walser 2022-01-19 17:43:40 CET 
SUSE has issued an advisory on January 18:
https://lists.suse.com/pipermail/sle-security-updates/2022-January/010024.html

It looks like CVE-2021-33430 was fixed in 1.21.0 and CVE-2021-41496 was fixed in 1.22.0 upstream.

Mageia 8 is also affected.
David Walser 2022-01-19 17:43:55 CET

Status comment: (none) => Patches available from upstream
Whiteboard: (none) => MGA8TOO

Comment 1 Nicolas Lécureuil 2022-01-20 19:24:36 CET 
fixed in mga8/9

src:
    - python-numpy-1.19.4-1.1.mga8

Version: Cauldron => 8
Status comment: Patches available from upstream => (none)
Assignee: python => qa-bugs
Whiteboard: MGA8TOO => (none)
CC: (none) => mageia

Comment 2 David Walser 2022-01-20 19:53:43 CET 
openSUSE has issued an advisory for this today (January 20):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/LQS3J3J4254A7C3LD55D7A432FZ2RFFI/

python3-numpy-devel-1.19.4-1.1.mga8
python3-numpy-f2py-1.19.4-1.1.mga8
python3-numpy-1.19.4-1.1.mga8
python3-numpy-doc-1.19.4-1.1.mga8

from python-numpy-1.19.4-1.1.mga8.src.rpm
Comment 3 Len Lawrence 2022-01-22 19:10:41 CET 
Updated python-numpy on x86_64 hardware and installed the other three packages.  The requires list contains these:
blender
kismet
nanovna-saver
noethys
orange
pitivi
....
task-sugar
theli
veusz
xmds

One could guess that blender might use this package for computing two-dimensional matrices but that requires some prior knowledge.
Installed blender and ran strace on it.  Nothing there after an attempt to create a shape and save it.  Tried pitivi on a short file without understanding the interface and scored a few hits of this kind:
openat(AT_FDCWD, "/usr/lib64/python3.8/site-packages/numpy/core/__pycache__/__init__.cpython-38.pyc", O_RDONLY|O_CLOEXEC) = 13
openat(AT_FDCWD, "/usr/lib64/python3.8/site-packages/numpy/core", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 13
openat(AT_FDCWD, "/usr/lib64/python3.8/site-packages/numpy/core/__pycache__/multiarray.cpython-38.pyc", O_RDONLY|O_CLOEXEC) = 13

theli, veusz and xdms are used in various advanced technical and scientific  fields.  Orange appears to have something to do with data mining.

So, quite difficult to see it in action.
On bug 24356 this simple test worked OK, and now.
$ python tutorial.py
[[ 0  1  2  3  4]
 [ 5  6  7  8  9]
 [10 11 12 13 14]]
(3, 5)
2
int64
8
15
<class 'numpy.ndarray'>
[6 7 8]
<class 'numpy.ndarray'>
[[1.5 2.  3. ]
 [4.  5.  6. ]]
[[1.+0.j 2.+0.j]
 [3.+0.j 4.+0.j]]
[0 1 2 3]
[20 29 38 47]
[0 1 4 9]
[ 9.12945251 -9.88031624  7.4511316  -2.62374854]
[ True  True False False]

Passing this on the basis that pitivi appears to work with it and the demo script gives  the same result as before.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => tarazed25

Comment 4 Thomas Andrews 2022-01-22 22:27:23 CET 
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-01-24 23:20:27 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 5 Mageia Robot 2022-01-25 13:14:28 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0032.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED