Bug 33369 - python-astropy new security issue CVE-2023-41334
Summary: python-astropy new security issue CVE-2023-41334
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2024-07-05 14:42 CEST by Nicolas Salguero
Modified: 2024-09-25 20:09 CEST
CC: 4 users

See Also:
Source RPM: python-astropy-5.1.1-1.mga9.src.rpm
CVE: CVE-2023-41334
Status comment:



Description Nicolas Salguero 2024-07-05 14:42:26 CEST
Fedora has issued an advisory on July 5:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AFGTG4EH37DFBG66DWJ2DEZNIO44D3AX/

The problem is fixed in version 5.3.3.
Nicolas Salguero 2024-07-05 14:42:40 CEST

Source RPM: (none) => python-astropy-5.1.1-1.mga9.src.rpm
Status comment: (none) => Fixed upstream in 5.3.3
CVE: (none) => CVE-2023-41334

Comment 1 Lewis Smith 2024-07-05 20:45:48 CEST
Cauldron is well ahead on versions, so this (as indicated) is just for M9.

Assignee: bugsquad => python

Comment 2 Nicolas Salguero 2024-09-18 16:17:00 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Version 5.3.2 of the Astropy core package is vulnerable to remote code execution due to improper input validation in the `TransformGraph().to_dot_graph` function. A malicious user can provide a command or a script file as a value to the `savelayout` argument, which will be placed as the first value in a list of arguments passed to `subprocess.Popen`. Although an error will be raised, the command or script will be executed successfully. (CVE-2023-41334)

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AFGTG4EH37DFBG66DWJ2DEZNIO44D3AX/
========================

Updated packages in core/updates_testing:
========================
astropy-tools-5.1.1-1.1.mga9
python3-astropy-5.1.1-1.1.mga9

from SRPM:
python-astropy-5.1.1-1.1.mga9.src.rpm

Status: NEW => ASSIGNED
Status comment: Fixed upstream in 5.3.3 => (none)
Assignee: python => qa-bugs
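
Added example (not astropy's code and not part of this bug report): a small Python model of the pattern the advisory describes, with the vulnerable call beside a hardened variant. The function names, the allow-list of Graphviz engine names, the "-Tplain" flag and the DOT input are assumptions made for illustration; the actual 5.3.3 fix may validate differently. The demo function writes a harmless script that only creates a marker file and exits non-zero, showing that the OSError the advisory mentions arrives only after the supplied program has already run. It needs a POSIX /bin/sh.

```python
"""Model of CVE-2023-41334 (astropy < 5.3.3): a user-controlled `savelayout`
value becomes argv[0] of a subprocess. Example code, not astropy's own."""
import os
import shutil
import stat
import subprocess
import tempfile

# Constructed DOT text standing in for what to_dot_graph() would generate.
SAMPLE_DOT = "digraph AstropyCoordinateTransformGraph {\n  ICRS -> FK5;\n}\n"

# Assumption: the Graphviz layout engines a caller could legitimately want.
# A bare engine name is the only thing the hardened path accepts.
ALLOWED_LAYOUTS = frozenset(
    {"dot", "neato", "twopi", "circo", "fdp", "sfdp", "osage", "patchwork"}
)


def vulnerable_layout(dotgraph: str, savelayout: str) -> bytes:
    """The pattern the advisory describes: `savelayout` is used unchecked as
    the program to run. Whatever it names executes first; the error comes
    afterwards, when the exit status is inspected."""
    proc = subprocess.Popen([savelayout], stdin=subprocess.PIPE, stdout=subprocess.PIPE)
    out, _ = proc.communicate(dotgraph.encode("utf-8"))
    if proc.returncode != 0:
        raise OSError(f"{savelayout!r} exited with status {proc.returncode}")
    return out


def validate_layout(savelayout) -> str:
    """Hardened check: accept only a bare engine name from the allow-list.
    Paths, shell metacharacters, empty strings and non-strings are rejected
    before anything is executed."""
    if not isinstance(savelayout, str) or savelayout not in ALLOWED_LAYOUTS:
        raise ValueError(
            f"savelayout must be one of {sorted(ALLOWED_LAYOUTS)}, got {savelayout!r}"
        )
    return savelayout


def is_rejected(savelayout) -> bool:
    """True when validate_layout() refuses the value."""
    try:
        validate_layout(savelayout)
    except ValueError:
        return True
    return False


def hardened_layout(dotgraph: str, savelayout: str) -> bytes:
    """Same call as above, but only after validation and only for an engine
    actually found on PATH (so a relative name cannot resolve to a planted
    file in the working directory)."""
    engine = validate_layout(savelayout)
    exe = shutil.which(engine)
    if exe is None:
        raise FileNotFoundError(f"Graphviz engine {engine!r} is not installed")
    proc = subprocess.run(
        [exe, "-Tplain"], input=dotgraph.encode("utf-8"), capture_output=True, check=True
    )
    return proc.stdout


def demo_script_runs_despite_error() -> bool:
    """Reproduces the advisory's point with a constructed, harmless script:
    it creates a marker file and exits 1, so vulnerable_layout() raises
    OSError, yet the marker proves the script ran. Returns True if it did."""
    with tempfile.TemporaryDirectory() as tmp:
        marker = os.path.join(tmp, "ran")
        script = os.path.join(tmp, "evil.sh")
        with open(script, "w") as fh:
            fh.write(f'#!/bin/sh\n: > "{marker}"\nexit 1\n')
        os.chmod(script, stat.S_IRWXU)
        try:
            vulnerable_layout(SAMPLE_DOT, script)
        except OSError:
            pass  # the advisory's "an error will be raised"
        return os.path.exists(marker)


if __name__ == "__main__":
    print("script executed before the error:", demo_script_runs_despite_error())
    print("'/tmp/evil.sh' rejected by hardened check:", is_rejected("/tmp/evil.sh"))
```

The important property is that the check happens on the value, not on the outcome: a non-zero exit status or a parse failure tells you nothing useful once the supplied program has already been started.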

Comment 3 Herman Viaene 2024-09-22 12:12:24 CEST
MGA9-64 server Plasma Wayland on HP Pavilion.
No installation issues.
Never done before AFAICS, so
# urpmq --whatrequires astropy-tools
astropy-tools
task-astronomy
# urpmq --whatrequires python3-astropy
astropy-tools
astropy-tools
python3-aplpy
python3-astropy
python3-healpy
python3-voevent-parse
task-astronomy
theli
veusz
Didn't feel like installing a complete set, so after looking on the info in MCC, decided on installing veusz.
Then launched it
$ strace -o astro.txt veusz 
VO table import: astropy module not available
SAMP: sampy module not available
Played around with some interface elements, saved the file, and the trace shows calls to 
newfstatat(AT_FDCWD, "/usr/lib64/python3.10/site-packages/astropy/__init__.cpython-310-x86_64-linux-gnu.so", 0x7fff13669a20, 0) = -1 ENOENT (No such file or directory)

That does it for me.

Whiteboard: (none) => MGA9-64-OK
CC: (none) => herman.viaene

Comment 4 Len Lawrence 2024-09-22 16:47:06 CEST
Adding this test for future reference.
mga9, x64
Installed release versions.

$ urpmq -i astropy-tools
[...]
Summary     : Astropy utility tools
Description :
Utilities provided by Astropy: 'volint' for validating a Virtual Observatory
files, 'wcslint' for validating the WCS keywords in a FITS file.

Searched for FITS files....

$ wget https://fits.gsfc.nasa.gov/samples/UITfuv2582gc.fits
$ wcslint UITfuv2582gc.fits
HDU 0 (PRIMARY):
  WCS key ' ':
    - RADECSYS= 'FK5 ' / WORLD COORDINATE FRAME
      the RADECSYS keyword is deprecated, use RADESYSa.
    - 'datfix' made the change 'Set MJD-OBS to 49789.000000 from DATE-
      OBS.
      Changed DATE-OBS from '13/03/95' to '1995-03-13''.

Updated via qarepo and ran wcslint against the same file and the result repeated exactly.

CC: (none) => tarazed25

katnatek 2024-09-22 19:58:58 CEST

Keywords: (none) => advisory

katnatek 2024-09-24 21:16:45 CEST

CC: (none) => andrewsfarm

Comment 5 Thomas Andrews 2024-09-25 01:57:19 CEST
Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2024-09-25 20:09:40 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0313.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
