Bug 2035032 (CVE-2021-34141)

Summary: CVE-2021-34141 numpy: incomplete string comparison in the numpy.core component
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW
Severity: low
Priority: low
Version: unspecified
CC: cstratak, dbecker, dnakabaa, eglynn, gwync, hhorak, hkataria, jjoyce, jorton, jschluet, jspaleta, j, jwong, kaycoth, kholdawa, kshier, lcouzens, lhh, lpeer, lsvaty, manisandro, mburns, mgarciac, mskarbek, nforro, nobody, orion, osoukup, pgrist, python-maint, rdieter, sclewis, slinaber, TicoTimo, tomspur
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Story Points: ---
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 2035033, 2035072, 2035073, 2035074, 2035075, 2035076, 2035077, 2035078
Bug Blocks: 2035045

Description Guilherme de Almeida Suckevicz 2021-12-22 18:53:25 UTC
Incomplete string comparison in the numpy.core component in NumPy 1.9.x, which allows attackers to fail the APIs via constructing specific string objects.

Reference:
https://github.com/numpy/numpy/issues/18993

Comment 1 Guilherme de Almeida Suckevicz 2021-12-22 18:53:41 UTC
Created python2-numpy tracking bugs for this issue:

Affects: epel-7 [bug 2035033]

Comment 4 Garrett Tucker 2021-12-23 17:56:46 UTC
The flaw presented here is the result of an incomplete string comparison when checking numeric style typecode as the terminator was not considered. While the string comparison flaw can result in API failure in numpy and impact availability, the flaw is unable to result in code execution or compromise confidentiality or integrity of the system. As such the NVD CVSS should be revised to 7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.
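The bug class described in the comment above, shown as an added illustration that is not NumPy's code and not part of this bug report: a prefix-only `strncmp` against a list of deprecated type names never reaches the terminator, so any string that merely starts with a listed name takes the deprecation path. The name list, the `Strange`/`Bytes_x` inputs and the rule that only a digit size suffix may follow the name are constructed assumptions for this example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Constructed list of deprecated type names; not taken from NumPy's source. */
static const char *const kDeprecated[] = {"Bytes", "Str", "Uint"};
#define NDEPRECATED (sizeof kDeprecated / sizeof kDeprecated[0])

/* Flawed check: the comparison is bounded by the pattern length only, so the
   terminator of `type` is never examined and "Strange" is accepted as "Str". */
bool is_deprecated_typecode_prefix(const char *type)
{
    for (size_t i = 0; i < NDEPRECATED; i++) {
        if (strncmp(type, kDeprecated[i], strlen(kDeprecated[i])) == 0)
            return true;
    }
    return false;
}

/* Corrected check: after the name, only an optional digit suffix (e.g. the
   item size in "Uint16") may follow, and the string must then end. This
   suffix rule is an assumption of the example, not NumPy's documented grammar. */
bool is_deprecated_typecode_exact(const char *type)
{
    for (size_t i = 0; i < NDEPRECATED; i++) {
        size_t n = strlen(kDeprecated[i]);
        if (strncmp(type, kDeprecated[i], n) != 0)
            continue;
        const char *rest = type + n;
        while (isdigit((unsigned char)*rest))
            rest++;
        if (*rest == '\0')   /* terminator reached: a genuine match */
            return true;
    }
    return false;
}
```

The two functions disagree exactly on inputs that share a prefix with a listed name but carry unexpected trailing characters, which is the input shape the flaw turns on.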

Comment 5 Petr Viktorin (pviktori) 2022-01-03 09:20:35 UTC
The check is used to determine if a deprecation warning should be emitted or not. How is this a security issue?

What does "fail the APIs" even mean?

Comment 6 Jason Tibbitts 2022-01-03 20:56:43 UTC
I'm concerned that the only tracking bug created in the "Affects" section is for a package that exists only to depend on another package and has no actual code. Perhaps there is something I cannot see since all of the other bugs in the dependency chain are inaccessible to me, but if not then it looks like the bug wasn't filed against the proper package.