28140 – python-scikit-learn security issue CVE-2020-28975

Bug 28140 - python-scikit-learn security issue CVE-2020-28975

Summary: python-scikit-learn security issue CVE-2020-28975

Status:	RESOLVED INVALID

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	Cauldron
Hardware:	All Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	Mageia Bug Squad
QA Contact:	Sec team

URL:	https://nvd.nist.gov/vuln/detail/CVE-...
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2021-01-17 11:57 CET by Zombie Ryushu
Modified:	2021-01-17 17:38 CET (History)
CC List:	0 users

See Also:
Source RPM:	python-scikit-learn-0.23.2-1.mga8.src
CVE:	CVE-2020-28975
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Zombie Ryushu 2021-01-17 11:57:50 CET

** DISPUTED ** svm_predict_values in svm.cpp in Libsvm v324, as used in scikit-learn 0.23.2 and other products, allows attackers to cause a denial of service (segmentation fault) via a crafted model SVM (introduced via pickle, json, or any other model permanence standard) with a large value in the _n_support array. NOTE: the scikit-learn vendor's position is that the behavior can only occur if the library's API is violated by an application that changes a private attribute.

Zombie Ryushu 2021-01-17 11:58:02 CET

CVE: (none) => CVE-2020-28975

Comment 1 David Walser 2021-01-17 17:38:01 CET

DISPUTED -> INVALID

Resolution: (none) => INVALID
Status: NEW => RESOLVED

Note You need to log in before you can comment on or make changes to this bug.