Fedora has issued an advisory on July 5: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AFGTG4EH37DFBG66DWJ2DEZNIO44D3AX/ The problem is fixed in version 5.3.3.
Source RPM: (none) => python-astropy-5.1.1-1.mga9.src.rpm
Status comment: (none) => Fixed upstream in 5.3.3
CVE: (none) => CVE-2023-41334
Cauldron is well ahead on versions, so this (as indicated) is just for M9.
Assignee: bugsquad => python
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Version 5.3.2 of the Astropy core package is vulnerable to remote code execution due to improper input validation in the `TransformGraph().to_dot_graph` function. A malicious user can provide a command or a script file as a value to the `savelayout` argument, which will be placed as the first value in a list of arguments passed to `subprocess.Popen`. Although an error will be raised, the command or script will be executed successfully. (CVE-2023-41334)

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AFGTG4EH37DFBG66DWJ2DEZNIO44D3AX/
========================

Updated packages in core/updates_testing:
========================

astropy-tools-5.1.1-1.1.mga9
python3-astropy-5.1.1-1.1.mga9

from SRPM:
python-astropy-5.1.1-1.1.mga9.src.rpm
Status: NEW => ASSIGNED
Status comment: Fixed upstream in 5.3.3 => (none)
Assignee: python => qa-bugs
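The advisory above describes a caller-controlled string ending up as the first element of the argument list given to `subprocess.Popen`. The following is an added example, not astropy's own code or its actual fix: it shows the hardened shape of such a call, where the layout-program name is checked against a fixed allowlist before it can become argv[0]. The allowlist contents, the helper names (`validate_layout`, `build_argv`, `render_dot`, `triage`) and the sample inputs are assumptions constructed for the example.

```python
"""Added example, not astropy's own code: hardened handling of a
graphviz layout-program argument of the kind the advisory describes.
The defect class is a caller-supplied string landing in argv[0] of
subprocess.Popen; the defence is strict equality against a fixed set of
engine names, never a path, a command, or a character filter.
Allowlist contents and helper names are assumptions."""
import subprocess
from typing import Optional

# Graphviz layout engines a to_dot_graph-style function legitimately needs.
# Assumption: the exact set upstream accepts may differ from this one.
ALLOWED_LAYOUTS = frozenset({"dot", "neato", "fdp", "sfdp", "circo", "twopi"})
ALLOWED_FORMATS = frozenset({"png", "svg", "pdf", "ps"})


def validate_layout(savelayout: str) -> str:
    """Return savelayout unchanged if it names an allowed engine.

    Anything else (a path, another program name, shell metacharacters,
    an empty string) is rejected before it can be used as argv[0].
    Equality against a fixed set is simpler and safer than trying to
    strip "dangerous" characters from an arbitrary string.
    """
    if not isinstance(savelayout, str):
        raise TypeError(f"savelayout must be str, got {type(savelayout).__name__}")
    if savelayout not in ALLOWED_LAYOUTS:
        raise ValueError(
            f"savelayout {savelayout!r} is not one of {sorted(ALLOWED_LAYOUTS)}"
        )
    return savelayout


def validate_format(fmt: str) -> str:
    """Same allowlist treatment for the -T<format> option."""
    if fmt not in ALLOWED_FORMATS:
        raise ValueError(f"format {fmt!r} is not one of {sorted(ALLOWED_FORMATS)}")
    return fmt


def build_argv(savelayout: str, out_format: str = "png") -> list:
    """Build the argv list handed to subprocess.

    Both caller-influenced values are validated, so the only choice left
    to the caller is *which* graphviz engine runs, never *what* program runs.
    """
    return [validate_layout(savelayout), "-T" + validate_format(out_format)]


def render_dot(dot_source: str, savelayout: str = "dot",
               out_format: str = "png") -> Optional[bytes]:
    """Render graphviz source to bytes, or return None if graphviz is absent.

    The dot text goes in on stdin and shell=True is never used, so neither
    the graph source nor the layout name is interpreted by a shell.
    """
    argv = build_argv(savelayout, out_format)
    try:
        proc = subprocess.run(argv, input=dot_source.encode(),
                              capture_output=True, check=True)
    except FileNotFoundError:
        return None  # graphviz not installed; nothing was executed
    return proc.stdout


def triage(candidates) -> dict:
    """Sort candidate savelayout values into accepted and rejected lists.

    Useful in a unit test, or when reviewing logs of what callers pass.
    """
    result = {"accepted": [], "rejected": []}
    for value in candidates:
        try:
            validate_layout(value)
            result["accepted"].append(value)
        except (TypeError, ValueError):
            result["rejected"].append(value)
    return result


if __name__ == "__main__":
    # Constructed sample inputs: two legitimate engine names, a path,
    # a string with a shell metacharacter, and an empty string.
    print(triage(["dot", "neato", "/tmp/not-an-engine.sh", "dot; echo hi", ""]))
```

The point of the allowlist is that validation happens on the value's identity, not its shape: a value that is not literally one of the known engine names is refused, so the advisory's "although an error will be raised" ordering (execute first, fail afterwards) cannot occur. The same treatment is applied to the output format, since it is also interpolated into an argument.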
MGA9-64 server Plasma Wayland on HP Pavilion.
No installation issues.
Never done before AFAICS, so
# urpmq --whatrequires astropy-tools
astropy-tools
task-astronomy
# urpmq --whatrequires python3-astropy
astropy-tools
astropy-tools
python3-aplpy
python3-astropy
python3-healpy
python3-voevent-parse
task-astronomy
theli
veusz
Didn't feel like installing a complete set, so after looking at the info in MCC, decided on installing veusz. Then launched it
$ strace -o astro.txt veusz
VO table import: astropy module not available
SAMP: sampy module not available
Played around with some interface elements, saved the file, and the trace shows calls to
newfstatat(AT_FDCWD, "/usr/lib64/python3.10/site-packages/astropy/__init__.cpython-310-x86_64-linux-gnu.so", 0x7fff13669a20, 0) = -1 ENOENT (No such file or directory)
That does it for me.
Whiteboard: (none) => MGA9-64-OK
CC: (none) => herman.viaene
Adding this test for future reference.

mga9, x64

Installed release versions.

$ urpmq -i astropy-tools
[...]
Summary     : Astropy utility tools
Description :
Utilities provided by Astropy: 'volint' for validating a Virtual Observatory files, 'wcslint' for validating the WCS keywords in a FITS file.

Searched for FITS files....

$ wget https://fits.gsfc.nasa.gov/samples/UITfuv2582gc.fits
$ wcslint UITfuv2582gc.fits
HDU 0 (PRIMARY):
  WCS key ' ':
    - RADECSYS= 'FK5 ' / WORLD COORDINATE FRAME
      the RADECSYS keyword is deprecated, use RADESYSa.
    - 'datfix' made the change 'Set MJD-OBS to 49789.000000 from DATE-OBS.
      Changed DATE-OBS from '13/03/95' to '1995-03-13''.

Updated via qarepo and ran wcslint against the same file and the result repeated exactly.
CC: (none) => tarazed25
Keywords: (none) => advisory
CC: (none) => andrewsfarm
Validating.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0313.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED