Bug 1062009 (CVE-2014-1858, CVE-2014-1859)

| Field | Value |
|---|---|
| Summary | CVE-2014-1858 CVE-2014-1859 numpy: f2py insecure temporary file use |
| Product | [Other] Security Response |
| Reporter | Murray McAllister <mmcallis> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED WONTFIX |
| Severity | low |
| Priority | low |
| Version | unspecified |
| CC | bhu, bleanhar, ccoleman, dmcphers, esammons, gwync, iboverma, jdetiber, jialiu, jkurik, jross, jrusnack, jspaleta, lmeyer, matt, mcressma, mmcgrath, mrg-program-list, orion, pfrields, rdieter, sochotni, tdawson, tomspur, ttomecek, williams |
| Keywords | Security |
| Hardware | All |
| OS | Linux |
| Doc Type | Bug Fix |
| Last Closed | 2015-01-07 21:44:50 UTC |
| Bug Depends On | 1062359, 1062625, 1062627, 1062628, 1064951, 1064952 |
| Bug Blocks | 1062012 |
Description
Murray McAllister
2014-02-06 03:53:28 UTC

CVE request: http://www.openwall.com/lists/oss-security/2014/02/06/3

Comment 1
Murray McAllister

No patch yet so I have not bothered to file any Fedora trackers etc yet

Comment 4
Thomas Spura

(In reply to Murray McAllister from comment #1)
> No patch yet so I have not bothered to file any Fedora trackers etc yet

There is a patch, which has already been merged upstream: https://github.com/numpy/numpy/pull/4262

Created numpy tracking bugs for this issue:

Affects: fedora-all [bug 1062359]

(In reply to Thomas Spura from comment #4)
> (In reply to Murray McAllister from comment #1)
> > No patch yet so I have not bothered to file any Fedora trackers etc yet
>
> There is a patch, which has already been merged upstream:
> https://github.com/numpy/numpy/pull/4262

Thanks Thomas!

(In reply to Thomas Spura from comment #4)
> There is a patch, which has already been merged upstream:
> https://github.com/numpy/numpy/pull/4262

Direct link to the commit in the upstream repository: https://github.com/numpy/numpy/commit/0bb46c1448b0d3f5453d5182a17ea7ac5854ee15

Comment 12
Murray McAllister

Referring to https://github.com/numpy/numpy/commit/0bb46c1448b0d3f5453d5182a17ea7ac5854ee15

CVE-2014-1858 was assigned to the issue in the __init__.py file.
CVE-2014-1859 was assigned to all other temporary file issues in the above commit.

Reference: http://seclists.org/oss-sec/2014/q1/287

(In reply to Murray McAllister from comment #12)
> Referring to
> https://github.com/numpy/numpy/commit/0bb46c1448b0d3f5453d5182a17ea7ac5854ee15
>
> CVE-2014-1858 was assigned to the issue in the __init__.py file.
> CVE-2014-1859 was assigned to all other temporary file issues in the above
> commit.
>
> Reference: http://seclists.org/oss-sec/2014/q1/287

Both fixed in rawhide: http://koji.fedoraproject.org/koji/buildinfo?buildID=497182

First CVE can be fixed easily in f20 too. The second CVE is a bit more difficult to backport. Don't know when I'll have time for that...

Created attachment 861439 [details]
Backported patch for this CVE for numpy 1.7

Created numpy tracking bugs for this issue:

Affects: epel-5 [bug 1064951]

Created python26-numpy tracking bugs for this issue:

Affects: epel-5 [bug 1064952]

numpy-1.8.0-4.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.

numpy-1.7.2-8.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.

ping, what's the latest here?

Statement:

Red Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
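As an added illustration of the bug class this tracker covers (a constructed example, not numpy's f2py code and not the upstream patch linked in the comments): a scratch file written under a fixed name in a shared directory beside the `tempfile.mkstemp` form, with a check showing why only the second is safe when a symlink with the predictable name already exists. The name `f2py_scratch.f` and the victim file are assumptions made for the demo.

```python
import os
import tempfile

# Constructed fixed name standing in for any predictable scratch-file
# name; it is not the name numpy used.
FIXED_NAME = "f2py_scratch.f"


def write_scratch_insecure(shared_dir, data):
    """Insecure pattern: predictable name in a shared directory, opened with
    a plain open(). If that name already exists as a symlink, the write
    follows it and clobbers whatever file it points at."""
    path = os.path.join(shared_dir, FIXED_NAME)
    with open(path, "w") as fh:
        fh.write(data)
    return path


def write_scratch_secure(shared_dir, data):
    """Hardened pattern: tempfile.mkstemp picks an unpredictable name, creates
    it with O_CREAT|O_EXCL (a pre-existing entry is never reused or followed)
    and mode 0600, and returns an already-open descriptor."""
    fd, path = tempfile.mkstemp(prefix="f2py_", suffix=".f", dir=shared_dir)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return path


def victim_clobbered(writer):
    """Plant a symlink named FIXED_NAME in a fresh 'shared' directory that
    points at a victim file, run `writer`, and report whether the victim's
    contents changed. Returns None where symlinks cannot be created."""
    with tempfile.TemporaryDirectory() as shared, \
            tempfile.TemporaryDirectory() as home:
        victim = os.path.join(home, "victim.txt")
        with open(victim, "w") as fh:
            fh.write("original")
        try:
            os.symlink(victim, os.path.join(shared, FIXED_NAME))
        except (OSError, NotImplementedError):
            return None
        written = writer(shared, "scratch data")
        with open(victim) as fh:
            changed = fh.read() != "original"
        # A writer that left the victim alone must also have stayed off the
        # planted name and kept its file private to the owner.
        if not changed:
            assert os.path.basename(written) != FIXED_NAME
            assert os.stat(written).st_mode & 0o077 == 0
        return changed
```

`victim_clobbered(write_scratch_insecure)` returns True and `victim_clobbered(write_scratch_secure)` returns False on a filesystem that supports symlinks.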