Bug 30956

Summary: python-joblib new security issue CVE-2022-21797
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: andrewsfarm, davidwhodgins, herman.viaene, mageia, mhrambo3501, sysadmin-bugs, yvesbrungard
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: python-joblib-1.0.0-1.mga8.src.rpm CVE:
Status comment:

Description David Walser 2022-10-11 23:31:11 CEST 
Fedora has issued an advisory on October 8:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BVOMMW37OXZWU2EV5ONAAS462IQEHZOF/

The issue is fixed upstream in 1.2.0.
David Walser 2022-10-11 23:31:28 CEST

CC: (none) => mageia, mhrambo3501
Status comment: (none) => Fixed upstream in 1.2.0

Comment 1 papoteur 2022-10-12 11:48:59 CEST 
The 1.2.0 release is built:
python3-joblib-1.2.0-1.mga8.noarch.rpm

Source:
python-joblib-1.2.0-1.mga8

Assignee: python => qa-bugs
CC: (none) => yves.brungard_mageia
Status comment: Fixed upstream in 1.2.0 => (none)

Comment 2 papoteur 2022-10-12 11:52:17 CEST 
This package is used by "orange" application.
Comment 3 Herman Viaene 2022-10-15 12:09:11 CEST 
MGA8-64 MATE on Acer Aspire 5253.
No installation issues.
Tried to follow papoteur's recommendation above and installed orange.
Launching it from CLI with trace:
$ strace -o pyjoblib.txt orange-canvas 
Traceback (most recent call last):
  File "/usr/bin/orange-canvas", line 6, in <module>
    from pkg_resources import load_entry_point
  File "/usr/lib/python3.8/site-packages/pkg_resources/__init__.py", line 3243, in <module>
    def _initialize_master_working_set():
  File "/usr/lib/python3.8/site-packages/pkg_resources/__init__.py", line 3226, in _call_aside
    f(*args, **kwargs)
  File "/usr/lib/python3.8/site-packages/pkg_resources/__init__.py", line 3255, in _initialize_master_working_set
    working_set = WorkingSet._build_master()
  File "/usr/lib/python3.8/site-packages/pkg_resources/__init__.py", line 568, in _build_master
    ws.require(__requires__)
  File "/usr/lib/python3.8/site-packages/pkg_resources/__init__.py", line 886, in require
    needed = self.resolve(parse_requirements(requirements))
  File "/usr/lib/python3.8/site-packages/pkg_resources/__init__.py", line 772, in resolve
    raise DistributionNotFound(req, requirers)
pkg_resources.DistributionNotFound: The 'orange-widget-base>=4.5.0' distribution was not found and is required by Orange3

As the comments on python3-joblib state
"Joblib is a set of tools to provide lightweight pipelining in Python. In particular, joblib offers:
* transparent disk-caching of the output values and lazy re-evaluation (memorize pattern)
* easy simple parallel computing
* logging and tracing of the execution."

This is developer's territory, so I'll OK it on clean install

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 4 Herman Viaene 2022-10-15 12:12:41 CEST 
And the trace shows references to py - joblib, so the crash for other reasons does not matter.
Comment 5 Thomas Andrews 2022-10-15 16:01:09 CEST 
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-10-18 23:24:03 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 6 Mageia Robot 2022-10-19 01:16:28 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0375.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED