Bug 29904 - python-numpy new security issues CVE-2021-33430 and CVE-2021-41496
Summary: python-numpy new security issues CVE-2021-33430 and CVE-2021-41496
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-01-19 17:43 CET by David Walser
Modified: 2022-01-25 13:14 CET
5 users

See Also:
Source RPM: python-numpy-1.21.5-2.mga9.src.rpm
CVE:
Status comment:


Description David Walser 2022-01-19 17:43:40 CET
SUSE has issued an advisory on January 18:
https://lists.suse.com/pipermail/sle-security-updates/2022-January/010024.html

It looks like CVE-2021-33430 was fixed in 1.21.0 and CVE-2021-41496 was fixed in 1.22.0 upstream.

Mageia 8 is also affected.
David Walser 2022-01-19 17:43:55 CET

Status comment: (none) => Patches available from upstream
Whiteboard: (none) => MGA8TOO

Comment 1 Nicolas Lécureuil 2022-01-20 19:24:36 CET
fixed in mga8/9

src:
    - python-numpy-1.19.4-1.1.mga8

Version: Cauldron => 8
Status comment: Patches available from upstream => (none)
Assignee: python => qa-bugs
Whiteboard: MGA8TOO => (none)
CC: (none) => mageia

Comment 2 David Walser 2022-01-20 19:53:43 CET
openSUSE has issued an advisory for this today (January 20):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/LQS3J3J4254A7C3LD55D7A432FZ2RFFI/

python3-numpy-devel-1.19.4-1.1.mga8
python3-numpy-f2py-1.19.4-1.1.mga8
python3-numpy-1.19.4-1.1.mga8
python3-numpy-doc-1.19.4-1.1.mga8

from python-numpy-1.19.4-1.1.mga8.src.rpm
Comment 3 Len Lawrence 2022-01-22 19:10:41 CET
Updated python-numpy on x86_64 hardware and installed the other three packages.  The requires list contains these:
blender
kismet
nanovna-saver
noethys
orange
pitivi
....
task-sugar
theli
veusz
xmds

One could guess that blender might use this package for computing two-dimensional matrices but that requires some prior knowledge.
Installed blender and ran strace on it.  Nothing there after an attempt to create a shape and save it.  Tried pitivi on a short file without understanding the interface and scored a few hits of this kind:
openat(AT_FDCWD, "/usr/lib64/python3.8/site-packages/numpy/core/__pycache__/__init__.cpython-38.pyc", O_RDONLY|O_CLOEXEC) = 13
openat(AT_FDCWD, "/usr/lib64/python3.8/site-packages/numpy/core", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 13
openat(AT_FDCWD, "/usr/lib64/python3.8/site-packages/numpy/core/__pycache__/multiarray.cpython-38.pyc", O_RDONLY|O_CLOEXEC) = 13

theli, veusz and xmds are used in various advanced technical and scientific fields.  Orange appears to have something to do with data mining.

So, quite difficult to see it in action.
On bug 24356 this simple test worked OK, and now:
$ python tutorial.py
[[ 0  1  2  3  4]
 [ 5  6  7  8  9]
 [10 11 12 13 14]]
(3, 5)
2
int64
8
15
<class 'numpy.ndarray'>
[6 7 8]
<class 'numpy.ndarray'>
[[1.5 2.  3. ]
 [4.  5.  6. ]]
[[1.+0.j 2.+0.j]
 [3.+0.j 4.+0.j]]
[0 1 2 3]
[20 29 38 47]
[0 1 4 9]
[ 9.12945251 -9.88031624  7.4511316  -2.62374854]
[ True  True False False]

Passing this on the basis that pitivi appears to work with it and the demo script gives the same result as before.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => tarazed25
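The printed output above is what the NumPy quickstart tutorial produces. The script below is an added example, not the tutorial.py from the bug report: it reconstructs the same operations (array creation, attributes, elementwise arithmetic) and compares the results against the values recorded in comment 3, so the regression check after a package update can be automated rather than eyeballed. It assumes numpy is importable (the updated python3-numpy package, or any recent NumPy) and a 64-bit Linux build, where the default integer dtype is int64 as shown in the output.

```python
"""Regression smoke test for a python-numpy package update (added example)."""
import numpy as np

# Values recorded in comment 3; the sin() row is compared with a tolerance.
EXPECTED = {
    "shape": (3, 5),
    "ndim": 2,
    "dtype": "int64",        # default integer dtype on 64-bit Linux
    "itemsize": 8,
    "size": 15,
    "type": "ndarray",
    "b": [6, 7, 8],
    "seq": [[1.5, 2.0, 3.0], [4.0, 5.0, 6.0]],
    "c_dtype": "complex128",
    "y": [0, 1, 2, 3],
    "diff": [20, 29, 38, 47],
    "square": [0, 1, 4, 9],
    "sin": [9.12945251, -9.88031624, 7.4511316, -2.62374854],
    "lt35": [True, True, False, False],
}


def run_quickstart_checks():
    """Run the quickstart operations and return plain Python values."""
    a = np.arange(15).reshape(3, 5)            # 3x5 matrix of 0..14
    results = {
        "shape": a.shape,                       # (3, 5)
        "ndim": a.ndim,                         # 2
        "dtype": a.dtype.name,                  # 'int64'
        "itemsize": a.itemsize,                 # 8 bytes per element
        "size": a.size,                         # 15 elements
        "type": type(a).__name__,               # 'ndarray'
    }
    b = np.array([6, 7, 8])                     # 1-D array from a list
    results["b"] = b.tolist()
    seq = np.array([(1.5, 2, 3), (4, 5, 6)])    # 2-D float array from tuples
    results["seq"] = seq.tolist()
    c = np.array([[1, 2], [3, 4]], dtype=complex)
    results["c_dtype"] = c.dtype.name           # 'complex128'

    # Elementwise arithmetic between two vectors.
    x = np.array([20, 30, 40, 50])
    y = np.arange(4)
    results["y"] = y.tolist()                   # [0, 1, 2, 3]
    results["diff"] = (x - y).tolist()          # [20, 29, 38, 47]
    results["square"] = (y ** 2).tolist()       # [0, 1, 4, 9]
    results["sin"] = (10 * np.sin(x)).tolist()  # [9.129..., -9.880..., ...]
    results["lt35"] = (x < 35).tolist()         # [True, True, False, False]
    return results


def check_expected(results, expected=EXPECTED, tol=1e-6):
    """Return the keys whose result differs from the recorded value."""
    mismatches = []
    for key, want in expected.items():
        got = results.get(key)
        if key == "sin":
            ok = (got is not None and len(got) == len(want)
                  and all(abs(g - w) < tol for g, w in zip(got, want)))
        else:
            ok = got == want
        if not ok:
            mismatches.append(key)
    return mismatches


if __name__ == "__main__":
    bad = check_expected(run_quickstart_checks())
    print("numpy smoke test OK" if not bad else f"MISMATCH in: {bad}")
```

Run it as `python numpy_smoke.py` after installing the update; an empty mismatch list means the installed package behaves as it did on the earlier bug's test run.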

Comment 4 Thomas Andrews 2022-01-22 22:27:23 CET
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-01-24 23:20:27 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 5 Mageia Robot 2022-01-25 13:14:28 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0032.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
