30956 – python-joblib new security issue CVE-2022-21797

Bug 30956 - python-joblib new security issue CVE-2022-21797

Summary: python-joblib new security issue CVE-2022-21797

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	8
Hardware:	All Linux

Priority:	Normal Severity: critical
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:
Whiteboard:	MGA8-64-OK
Keywords:	advisory, validated_update

Depends on:
Blocks:

Reported:	2022-10-11 23:31 CEST by David Walser
Modified:	2022-10-19 01:16 CEST (History)
CC List:	7 users (show)

See Also:
Source RPM:	python-joblib-1.0.0-1.mga8.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2022-10-11 23:31:11 CEST

Fedora has issued an advisory on October 8:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BVOMMW37OXZWU2EV5ONAAS462IQEHZOF/

The issue is fixed upstream in 1.2.0.

David Walser 2022-10-11 23:31:28 CEST

CC: (none) => mageia, mhrambo3501
Status comment: (none) => Fixed upstream in 1.2.0

Comment 1 papoteur 2022-10-12 11:48:59 CEST

The 1.2.0 release is built:
python3-joblib-1.2.0-1.mga8.noarch.rpm

Source:
python-joblib-1.2.0-1.mga8

Assignee: python => qa-bugs
CC: (none) => yves.brungard_mageia
Status comment: Fixed upstream in 1.2.0 => (none)

Comment 2 papoteur 2022-10-12 11:52:17 CEST

This package is used by "orange" application.

Comment 3 Herman Viaene 2022-10-15 12:09:11 CEST

MGA8-64 MATE on Acer Aspire 5253.
No installation issues.
Tried to follow papoteur's recommendation above and installed orange.
Launching it from CLI with trace:
$ strace -o pyjoblib.txt orange-canvas 
Traceback (most recent call last):
  File "/usr/bin/orange-canvas", line 6, in <module>
    from pkg_resources import load_entry_point
  File "/usr/lib/python3.8/site-packages/pkg_resources/__init__.py", line 3243, in <module>
    def _initialize_master_working_set():
  File "/usr/lib/python3.8/site-packages/pkg_resources/__init__.py", line 3226, in _call_aside
    f(*args, **kwargs)
  File "/usr/lib/python3.8/site-packages/pkg_resources/__init__.py", line 3255, in _initialize_master_working_set
    working_set = WorkingSet._build_master()
  File "/usr/lib/python3.8/site-packages/pkg_resources/__init__.py", line 568, in _build_master
    ws.require(__requires__)
  File "/usr/lib/python3.8/site-packages/pkg_resources/__init__.py", line 886, in require
    needed = self.resolve(parse_requirements(requirements))
  File "/usr/lib/python3.8/site-packages/pkg_resources/__init__.py", line 772, in resolve
    raise DistributionNotFound(req, requirers)
pkg_resources.DistributionNotFound: The 'orange-widget-base>=4.5.0' distribution was not found and is required by Orange3

As the comments on python3-joblib state
"Joblib is a set of tools to provide lightweight pipelining in Python. In particular, joblib offers:
* transparent disk-caching of the output values and lazy re-evaluation (memorize pattern)
* easy simple parallel computing
* logging and tracing of the execution."

This is developer's territory, so I'll OK it on clean install

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 4 Herman Viaene 2022-10-15 12:12:41 CEST

And the trace shows references to py - joblib, so the crash for other reasons does not matter.

Comment 5 Thomas Andrews 2022-10-15 16:01:09 CEST

Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-10-18 23:24:03 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 6 Mageia Robot 2022-10-19 01:16:28 CEST

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0375.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.