Bug 32116

Summary: python-scipy new security issue CVE-2023-25399
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, makowski.mageia, nicolas.salguero, sysadmin-bugs
Version: 9Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA9-64-OK
Source RPM: python-scipy-1.9.1-2.mga9.src.rpm CVE: CVE-2023-25399
Status comment:

Description David Walser 2023-07-17 22:14:45 CEST 
Ubuntu has issued an advisory on July 13:
https://ubuntu.com/security/notices/USN-6226-1

Mageia 8 is also affected.
David Walser 2023-07-17 22:14:54 CEST

Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2023-07-19 20:52:56 CEST 
This pkg is nominally with PhilippeM, but I am unsure whether he is still with us. So assigning the bug globally, CC'ing him in hope.

Assignee: bugsquad => pkg-bugs
CC: (none) => makowski.mageia

Comment 2 Nicolas Salguero 2024-03-19 12:13:33 CET 
Mageia 8 EOL.

CVE: (none) => CVE-2023-25399
Version: Cauldron => 9
Summary: python-scipy new security issues CVE-2023-25399 and CVE-2023-29824 => python-scipy new security issue CVE-2023-25399
Whiteboard: MGA8TOO => (none)
CC: (none) => nicolas.salguero

Comment 3 Nicolas Salguero 2024-03-19 13:40:10 CET 
Suggested advisory:
========================

The updated package fixes a security vulnerability:

A refcounting issue which leads to potential memory leak was discovered in scipy commit 8627df31ab in Py_FindObjects() function. (CVE-2023-25399)

References:
https://ubuntu.com/security/notices/USN-6226-1
========================

Updated package in core/updates_testing:
========================
python3-scipy-1.9.1-2.1.mga9

from SRPM:
python-scipy-1.9.1-2.1.mga9.src.rpm

Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED

katnatek 2024-03-19 20:00:56 CET

Keywords: (none) => advisory

Comment 4 katnatek 2024-03-20 19:15:43 CET 
RH mageia 9 x86_64

Test in combination with packages of bug#31000

Install current version

LC_ALL=C urpmi python3-scipy
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch    
(medium "QA Testing (64-bit)")
  lib64python3-devel             3.10.11      1.1.mga9      x86_64  
  lib64python3.10-testsuite      3.10.11      1.1.mga9      x86_64  (recommended)
  python3-docs                   3.10.11      1.1.mga9      noarch  (recommended)
(medium "Core Release (distrib1)")
  python3-numpy-f2py             1.24.3       1.mga9        x86_64  
  python3-scipy                  1.9.1        2.mga9        x86_64  
185MB of additional disk space will be used.
35MB of packages will be retrieved.
Proceed with the installation of the 5 packages? (Y/n) y


    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/python3-numpy-f2py-1.24.3-1.mga9.x86_64.rpm
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/python3-scipy-1.9.1-2.mga9.x86_64.rpm
installing //home/katnatek/qa-testing/x86_64/lib64python3-devel-3.10.11-1.1.mga9.x86_64.rpm                             
//home/katnatek/qa-testing/x86_64/python3-docs-3.10.11-1.1.mga9.noarch.rpm
/var/cache/urpmi/rpms/python3-numpy-f2py-1.24.3-1.mga9.x86_64.rpm
//home/katnatek/qa-testing/x86_64/lib64python3.10-testsuite-3.10.11-1.1.mga9.x86_64.rpm
/var/cache/urpmi/rpms/python3-scipy-1.9.1-2.mga9.x86_64.rpm
Preparing...                     ######################################################################################
      1/5: lib64python3.10-testsuite
                                 ######################################################################################
      2/5: python3-docs          ######################################################################################
      3/5: lib64python3-devel    ######################################################################################
      4/5: python3-numpy-f2py    ######################################################################################
      5/5: python3-scipy         ######################################################################################

Update to testing version

LC_ALL=C urpmi --auto --auto-update 
medium "QA Testing (32-bit)" is up-to-date
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date


installing python3-scipy-1.9.1-2.1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ######################################################################################
      1/1: python3-scipy         ######################################################################################
      1/1: removing python3-scipy-1.9.1-2.mga9.x86_64
                                 ######################################################################################

Remove packages

LC_ALL=C urpme python3-scipy
removing python3-scipy-1.9.1-2.1.mga9.x86_64
removing package python3-scipy-1.9.1-2.1.mga9.x86_64
      1/1: removing python3-scipy-1.9.1-2.1.mga9.x86_64
                                 ######################################################################################
writing /var/lib/rpm/installed-through-deps.list

The following packages:
  lib64python3-devel-3.10.11-1.1.mga9.x86_64
  lib64python3.10-testsuite-3.10.11-1.1.mga9.x86_64
  python3-docs-3.10.11-1.1.mga9.noarch
  python3-numpy-f2py-1.24.3-1.mga9.x86_64
are now orphaned, if you wish to remove them, you can use "urpme --auto-orphans"

LC_ALL=C urpme --auto --auto-orphans
removing lib64python3-devel-3.10.11-1.1.mga9.x86_64 lib64python3.10-testsuite-3.10.11-1.1.mga9.x86_64 python3-docs-3.10.11-1.1.mga9.noarch python3-numpy-f2py-1.24.3-1.mga9.x86_64
removing package python3-numpy-f2py-1:1.24.3-1.mga9.x86_64
      1/4: removing python3-numpy-f2py-1:1.24.3-1.mga9.x86_64
                                 ######################################################################################
removing package lib64python3-devel-3.10.11-1.1.mga9.x86_64
      2/4: removing lib64python3-devel-3.10.11-1.1.mga9.x86_64
                                 ######################################################################################
removing package python3-docs-3.10.11-1.1.mga9.noarch
      3/4: removing python3-docs-3.10.11-1.1.mga9.noarch
                                 ######################################################################################
removing package lib64python3.10-testsuite-3.10.11-1.1.mga9.x86_64
      4/4: removing lib64python3.10-testsuite-3.10.11-1.1.mga9.x86_64
                                 ######################################################################################
katnatek 2024-03-20 19:16:06 CET

CC: (none) => andrewsfarm

Comment 5 katnatek 2024-03-20 19:17:05 CET 
Not previous round of the package, Give OK

Whiteboard: (none) => MGA9-64-OK

Comment 6 Thomas Andrews 2024-03-20 23:49:06 CET 
Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 7 Mageia Robot 2024-03-21 05:57:22 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0078.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED