Fedora has issued an advisory on February 11: https://lists.fedoraproject.org/pipermail/package-announce/2014-February/128358.html

For numpy 1.8.0 (in Mageia 4 and Cauldron) they added a patch in this commit: http://pkgs.fedoraproject.org/cgit/numpy.git/commit/?id=937cb5d47c61701e11d4a2daa9eaa5ba28c93fa1

The RedHat bug has a backport to 1.7 (which may help backport to 1.6 in Mageia 3): https://bugzilla.redhat.com/show_bug.cgi?id=1062009#c14

Reproducible:

Steps to Reproduce:
Whiteboard: (none) => MGA4TOO, MGA3TOO
Advisory:
========================

Updated python-numpy and python3-numpy packages fix security vulnerabilities:

f2py insecurely used a temporary file. A local attacker could use this flaw to perform a symbolic link attack to modify an arbitrary file accessible to the user running f2py. The original report in the Debian bug tracking system. Fix CVE-2014-1858, CVE-2014-1859.

References:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737778
https://lists.fedoraproject.org/pipermail/package-announce/2014-February/128358.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1858
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1859

Updated packages in core/updates_testing:
========================

python-numpy-1.6.2-2.1.mga3
python-numpy-devel-1.6.2-2.1.mga3
python-numpy-debuginfo-1.6.2-2.1.mga3

From: python-numpy-1.6.2-2.1.mga3.src

python-numpy-1.8.0-1.1.mga4
python-numpy-devel-1.8.0-1.1.mga4
python3-numpy-1.8.0-1.1.mga4
python3-numpy-devel-1.8.0-1.1.mga4
python-numpy-debuginfo-1.8.0-1.1.mga4

From: python-numpy-1.8.0-1.1.mga4.src
Assignee: makowski.mageia => qa-bugs
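The advisory above describes the bug class (a temporary file at a path another local user can pre-create as a symlink) without showing code. The following is an added example and not numpy's or f2py's own code: it puts the weak pattern (a predictable name under the shared temp directory, opened with a plain `open(..., "w")`) next to a hardened version that uses a private `mkdtemp` directory and an `O_CREAT|O_EXCL|O_NOFOLLOW` open, so anything already sitting at the path is refused instead of followed. The function names and the `f2py_scratch.c` / `wrapper.c` file names are this example's own, and the check functions are the kind of assertion a QA tester or packager can apply to the files a tool creates.

```python
import os
import shutil
import stat
import tempfile

# Added example for the vulnerability class in the advisory; it is not
# numpy's or f2py's own code. Function names and file names are assumptions.


def predictable_temp_path(name="f2py_scratch.c"):
    """Weak pattern: guessable path in a directory every local user can write to."""
    return os.path.join(tempfile.gettempdir(), name)


def write_scratch_insecure(contents, name="f2py_scratch.c"):
    """Weak pattern: open(..., "w") follows whatever already exists at the path,
    so a symlink planted there beforehand redirects the write to its target."""
    path = predictable_temp_path(name)
    with open(path, "w") as fh:
        fh.write(contents)
    return path


def make_private_workdir(prefix="f2py-"):
    """Unpredictable name, mode 0700, created atomically by mkdtemp."""
    return tempfile.mkdtemp(prefix=prefix)


def write_scratch_secure(workdir, name, contents):
    """Hardened pattern: create-only, never follow a symlink, owner-only mode.
    Raises FileExistsError if a file or link already sits at the path."""
    path = os.path.join(workdir, name)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
    if hasattr(os, "O_NOFOLLOW"):  # not available on Windows
        flags |= os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(contents)
    return path


def read_scratch(path):
    with open(path) as fh:
        return fh.read()


def workdir_is_private(workdir):
    """Check: a real directory, owner-only permissions, owned by us."""
    st = os.lstat(workdir)
    owned = not hasattr(os, "getuid") or st.st_uid == os.getuid()
    return stat.S_ISDIR(st.st_mode) and stat.S_IMODE(st.st_mode) == 0o700 and owned


def scratch_is_private(path):
    """Check: a regular file (lstat, so a symlink fails), mode 0600, owned by us."""
    st = os.lstat(path)
    owned = not hasattr(os, "getuid") or st.st_uid == os.getuid()
    return stat.S_ISREG(st.st_mode) and stat.S_IMODE(st.st_mode) == 0o600 and owned


def cleanup_workdir(workdir):
    shutil.rmtree(workdir)
    return not os.path.exists(workdir)


if __name__ == "__main__":
    d = make_private_workdir()
    p = write_scratch_secure(d, "wrapper.c", "/* generated */\n")
    print(p, workdir_is_private(d), scratch_is_private(p))
    cleanup_workdir(d)
```

The two hardening steps are independent: `mkdtemp` removes the predictable path, and `O_EXCL` with `O_NOFOLLOW` makes the open fail loudly if the path was nevertheless claimed first, which is the behaviour a packager wants to see when checking a backported fix like the 1.7 one referenced above.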
Thanks Philippe! Just some minor adjustments to the advisory.

Advisory:
========================

Updated python-numpy packages fix security vulnerabilities:

f2py insecurely used a temporary file. A local attacker could use this flaw to perform a symbolic link attack to modify an arbitrary file accessible to the user running f2py (CVE-2014-1858, CVE-2014-1859).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1858
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1859
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737778
https://lists.fedoraproject.org/pipermail/package-announce/2014-February/128358.html
CC: (none) => makowski.mageia
Version: Cauldron => 4
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
No PoC. Various example scripts can be found in the tutorial at numpy.org: http://wiki.scipy.org/Tentative_NumPy_Tutorial

Also one in attachment 798, which requires python-matplotlib as well.
Whiteboard: MGA3TOO => MGA3TOO has_procedure
Testing complete mga3 32 & 64 using the example in attachment 798.
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga3-32-ok mga3-64-ok
Testing complete on Mageia 4 i586 using the example in comment 3, with both the python2.7 and python3 versions. The python3 version fails with the update candidate, but so does it with the core/release package. The failure is due to a matplotlib compatibility issue, so it is not relevant to this update.
CC: (none) => remi
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok
Testing complete on Mageia 4 x86_64. -- Validating update, advisory uploaded. Please push to 3 & 4 core/updates.
Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok advisory
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2014-0089.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED