Red Hat Bugzilla – Attachment 861439 Details for
Bug 1062009
CVE-2014-1858 CVE-2014-1859 numpy: f2py insecure temporary file use
[patch]
Backported patch for this CVE for numpy 1.7
CVE-2014-1858-CVE-2014-1859.patch (text/plain), 5.64 KB, created by
Tomas Tomecek
on 2014-02-10 15:28:57 UTC
Description:
Backported patch for this CVE for numpy 1.7
Filename:
MIME Type:
Creator:
Tomas Tomecek
Created:
2014-02-10 15:28:57 UTC
Size:
5.64 KB
>From 8a2f7e522f11a98a1d1ea087a3f5974d94bb714c Mon Sep 17 00:00:00 2001
>From: Tomas Tomecek <ttomecek@redhat.com>
>Date: Mon, 10 Feb 2014 16:11:26 +0100
>Subject: [PATCH] fix CVE-2014-1858/CVE-2014-1859
>
>---
> numpy/core/tests/test_memmap.py | 34 ++++++++++++++++------------------
> numpy/core/tests/test_multiarray.py | 9 +++------
> numpy/f2py/__init__.py | 26 +++++++++++++-------------
> numpy/f2py/f2py2e.py | 4 ++--
> 4 files changed, 34 insertions(+), 39 deletions(-)
>
>diff --git a/numpy/core/tests/test_memmap.py b/numpy/core/tests/test_memmap.py
>index ea9d061..a1fba95 100644
>--- a/numpy/core/tests/test_memmap.py
>+++ b/numpy/core/tests/test_memmap.py
>@@ -1,5 +1,5 @@
> import sys
>-from tempfile import NamedTemporaryFile, mktemp
>+from tempfile import NamedTemporaryFile
> import os
>
> from numpy import memmap
>@@ -31,12 +31,11 @@ class TestMemmap(TestCase):
> assert_array_equal(self.data, newfp)
>
> def test_open_with_filename(self):
>- tmpname = mktemp('','mmap')
>- fp = memmap(tmpname, dtype=self.dtype, mode='w+',
>- shape=self.shape)
>- fp[:] = self.data[:]
>- del fp
>- os.unlink(tmpname)
>+ with NamedTemporaryFile() as tmp:
>+ fp = memmap(tmp.name, dtype=self.dtype, mode='w+',
>+ shape=self.shape)
>+ fp[:] = self.data[:]
>+ del fp
>
> def test_attributes(self):
> offset = 1
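Review bot: In test_open_with_filename, `memmap(tmp.name, ..., mode='w+')` opens the path a second time while the NamedTemporaryFile handle is still open; the tempfile documentation says this works on Unix but not on Windows, so the test becomes platform-dependent. The test_filename hunk that follows has the same pattern. A private directory keeps the race-free property without the double open, e.g. `tmpdir = mkdtemp()` then `tmpname = os.path.join(tmpdir, 'mmap')`, with the directory removed when the test finishes (this needs `mkdtemp` imported alongside `NamedTemporaryFile`).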
>@@ -48,17 +47,16 @@ class TestMemmap(TestCase):
> del fp
>
> def test_filename(self):
>- tmpname = mktemp('','mmap')
>- fp = memmap(tmpname, dtype=self.dtype, mode='w+',
>- shape=self.shape)
>- abspath = os.path.abspath(tmpname)
>- fp[:] = self.data[:]
>- self.assertEqual(abspath, fp.filename)
>- b = fp[:1]
>- self.assertEqual(abspath, b.filename)
>- del b
>- del fp
>- os.unlink(tmpname)
>+ with NamedTemporaryFile() as tmp:
>+ fp = memmap(tmp.name, dtype=self.dtype, mode='w+',
>+ shape=self.shape)
>+ abspath = os.path.abspath(tmp.name)
>+ fp[:] = self.data[:]
>+ self.assertEqual(abspath, fp.filename)
>+ b = fp[:1]
>+ self.assertEqual(abspath, b.filename)
>+ del b
>+ del fp
>
> def test_filename_fileobj(self):
> fp = memmap(self.tmpfp, dtype=self.dtype, mode="w+",
>diff --git a/numpy/core/tests/test_multiarray.py b/numpy/core/tests/test_multiarray.py
>index db220ec..e845c07 100644
>--- a/numpy/core/tests/test_multiarray.py
>+++ b/numpy/core/tests/test_multiarray.py
>@@ -1587,12 +1587,11 @@ class TestIO(object):
> self.x = rand(shape) + rand(shape).astype(np.complex)*1j
> self.x[0,:,1] = [nan, inf, -inf, nan]
> self.dtype = self.x.dtype
>- self.filename = tempfile.mktemp()
>+ self.file = tempfile.NamedTemporaryFile()
>+ self.filename = self.file.name
>
> def tearDown(self):
>- if os.path.isfile(self.filename):
>- os.unlink(self.filename)
>- #tmp_file.close()
>+ self.file.close()
>
> def test_bool_fromstring(self):
> v = np.array([True,False,True,False], dtype=np.bool_)
>@@ -1620,7 +1619,6 @@ class TestIO(object):
> y = np.fromfile(f, dtype=self.dtype)
> f.close()
> assert_array_equal(y, self.x.flat)
>- os.unlink(self.filename)
>
> def test_roundtrip_filename(self):
> self.x.tofile(self.filename)
>@@ -1753,7 +1751,6 @@ class TestIO(object):
> s = f.read()
> f.close()
> assert_equal(s, '1.51,2.0,3.51,4.0')
>- os.unlink(self.filename)
>
> def test_tofile_format(self):
> x = np.array([1.51, 2, 3.51, 4], dtype=float)
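Review bot: In the TestIO setUp/tearDown hunk of test_multiarray.py, `self.file.close()` both closes the temporary file and deletes it by name, so teardown now depends on every test leaving `self.filename` in place. The two later hunks drop `os.unlink(self.filename)` from two tests, but the rest of TestIO is outside these hunks; a remaining unlink would likely make close() fail on the missing path, so it is worth confirming none is left. The tests also reopen `self.filename` while `self.file` holds it open, which the tempfile documentation describes as working on Unix but not on Windows. A comment in setUp would record the contract: `# keep the handle open: the file must still exist when tearDown closes (and deletes) it`.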
>diff --git a/numpy/f2py/__init__.py b/numpy/f2py/__init__.py
>index 220cb3d..d580332 100644
>--- a/numpy/f2py/__init__.py
>+++ b/numpy/f2py/__init__.py
>@@ -27,20 +27,20 @@ def compile(source,
> from numpy.distutils.exec_command import exec_command
> import tempfile
> if source_fn is None:
>- fname = os.path.join(tempfile.mktemp()+'.f')
>+ f = tempfile.NamedTemporaryFile(suffix='.f')
> else:
>- fname = source_fn
>-
>- f = open(fname,'w')
>- f.write(source)
>- f.close()
>-
>- args = ' -c -m %s %s %s'%(modulename,fname,extra_args)
>- c = '%s -c "import numpy.f2py as f2py2e;f2py2e.main()" %s' %(sys.executable,args)
>- s,o = exec_command(c)
>- if source_fn is None:
>- try: os.remove(fname)
>- except OSError: pass
>+ f = open(source_fn, 'w')
>+
>+ try:
>+ f.write(source)
>+ f.flush()
>+
>+ args = ' -c -m %s %s %s'%(modulename, f.name, extra_args)
>+ c = '%s -c "import numpy.f2py as f2py2e;f2py2e.main()" %s' % \
>+ (sys.executable, args)
>+ s, o = exec_command(c)
>+ finally:
>+ f.close()
> return s
>
> from numpy.testing import Tester
>diff --git a/numpy/f2py/f2py2e.py b/numpy/f2py/f2py2e.py
>index 4e6d258..b9b955a 100755
>--- a/numpy/f2py/f2py2e.py
>+++ b/numpy/f2py/f2py2e.py
>@@ -91,7 +91,7 @@ Options:
> --lower is assumed with -h key, and --no-lower without -h key.
>
> --build-dir <dirname> All f2py generated files are created in <dirname>.
>- Default is tempfile.mktemp().
>+ Default is tempfile.mkstemp().
>
> --overwrite-signature Overwrite existing signature file.
>
>@@ -428,7 +428,7 @@ def run_compile():
> del sys.argv[i]
> else:
> remove_build_dir = 1
>- build_dir = os.path.join(tempfile.mktemp())
>+ build_dir = tempfile.mkdtemp()
>
> sysinfo_flags = filter(re.compile(r'[-][-]link[-]').match,sys.argv[1:])
> sys.argv = filter(lambda a,flags=sysinfo_flags:a not in flags,sys.argv)
>--
>1.8.5.3
>
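Review bot: In the numpy/f2py/__init__.py hunk, `tempfile.NamedTemporaryFile(suffix='.f')` opens in its default binary mode `'w+b'`, while the `source_fn` branch opens in text mode `'w'`, so `f.write(source)` behaves differently on the two paths and would raise TypeError for a str source under Python 3. Passing the mode explicitly keeps them consistent: `f = tempfile.NamedTemporaryFile(mode='w', suffix='.f')`. The `f.flush()` before exec_command is needed, since the child process reads the file by name while this handle is still open; that reopen is permitted on Unix but not on Windows. compile() starts above the hunk, so how callers type `source` is not visible here.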
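Review bot: The usage text in the first numpy/f2py/f2py2e.py hunk now reads `Default is tempfile.mkstemp().`, but run_compile in the next hunk calls `tempfile.mkdtemp()`; mkstemp creates a file, not a directory, so the help names the wrong function for a build directory. It should read `Default is tempfile.mkdtemp().`. The mkdtemp change itself is the substantive fix here, because the directory is created atomically with owner-only permissions instead of a predictable name being chosen first and created later. Both the usage string and run_compile extend beyond the hunks, so the cleanup path guarded by `remove_build_dir` is not visible for review.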