Bug 1062009 - (CVE-2014-1858, CVE-2014-1859) CVE-2014-1858 CVE-2014-1859 numpy: f2py insecure temporary file use
CVE-2014-1858 CVE-2014-1859 numpy: f2py insecure temporary file use
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
impact=low,public=20140205,reported=2...
: Security
Depends On: 1062359 1062625 1062627 1062628 1064951 1064952
Blocks: 1062012
  Show dependency treegraph
 
Reported: 2014-02-05 22:53 EST by Murray McAllister
Modified: 2015-03-03 05:16 EST (History)
26 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-01-07 16:44:50 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Backported patch for this CVE for numpy 1.7 (5.64 KB, patch)
2014-02-10 10:28 EST, Tomas Tomecek
no flags Details | Diff

  None (edit)
Description Murray McAllister 2014-02-05 22:53:28 EST
Jakub Wilk found that f2py insecurely used a temporary file. A local attacker could use this flaw to perform a symbolic link attack to modify an arbitrary file accessible to the user running f2py.

The original report in the Debian bug tracking system (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737778) notes the issue is in numpy/f2py/__init__.py:

     from numpy.distutils.exec_command import exec_command
     import tempfile
     if source_fn is None:
         fname = os.path.join(tempfile.mktemp()+'.f')
     else:
         fname = source_fn

     f = open(fname,'w')
Comment 1 Murray McAllister 2014-02-05 23:01:10 EST
CVE request: http://www.openwall.com/lists/oss-security/2014/02/06/3

No patch yet so I have not bothered to file any Fedora trackers etc yet
Comment 4 Thomas Spura 2014-02-06 02:39:08 EST
(In reply to Murray McAllister from comment #1)
> No patch yet so I have not bothered to file any Fedora trackers etc yet

There is a patch, which has already been merged upstream:
https://github.com/numpy/numpy/pull/4262
Comment 5 Vincent Danen 2014-02-06 12:43:06 EST
Created numpy tracking bugs for this issue:

Affects: fedora-all [bug 1062359]
Comment 6 Murray McAllister 2014-02-06 17:50:18 EST
(In reply to Thomas Spura from comment #4)
> (In reply to Murray McAllister from comment #1)
> > No patch yet so I have not bothered to file any Fedora trackers etc yet
> 
> There is a patch, which has already been merged upstream:
> https://github.com/numpy/numpy/pull/4262

Thanks Thomas!
Comment 7 Tomas Hoger 2014-02-07 09:20:13 EST
(In reply to Thomas Spura from comment #4)
> There is a patch, which has already been merged upstream:
> https://github.com/numpy/numpy/pull/4262

Direct link to the commit in the upstream repository:

https://github.com/numpy/numpy/commit/0bb46c1448b0d3f5453d5182a17ea7ac5854ee15
Comment 12 Murray McAllister 2014-02-09 21:39:50 EST
Referring to https://github.com/numpy/numpy/commit/0bb46c1448b0d3f5453d5182a17ea7ac5854ee15

CVE-2014-1858 was assigned to the issue in the __init__.py file.
CVE-2014-1859 was assigned to all other temporary file issues in the above commit.

Reference: http://seclists.org/oss-sec/2014/q1/287
Comment 13 Thomas Spura 2014-02-10 05:35:53 EST
(In reply to Murray McAllister from comment #12)
> Referring to
> https://github.com/numpy/numpy/commit/
> 0bb46c1448b0d3f5453d5182a17ea7ac5854ee15
> 
> CVE-2014-1858 was assigned to the issue in the __init__.py file.
> CVE-2014-1859 was assigned to all other temporary file issues in the above
> commit.
> 
> Reference: http://seclists.org/oss-sec/2014/q1/287

Both fixed in rawhide:
http://koji.fedoraproject.org/koji/buildinfo?buildID=497182

First CVE can be fixed easily in f20 too.
The second CVE is a bit more difficult to backport. Don't know, when I'll have time for that...
Comment 14 Tomas Tomecek 2014-02-10 10:28:57 EST
Created attachment 861439 [details]
Backported patch for this CVE for numpy 1.7
Comment 17 Tomas Hoger 2014-02-13 10:48:43 EST
Created numpy tracking bugs for this issue:

Affects: epel-5 [bug 1064951]
Comment 18 Tomas Hoger 2014-02-13 10:48:51 EST
Created python26-numpy tracking bugs for this issue:

Affects: epel-5 [bug 1064952]
Comment 19 Fedora Update System 2014-02-15 02:04:13 EST
numpy-1.8.0-4.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 20 Fedora Update System 2014-02-21 19:36:25 EST
numpy-1.7.2-8.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 22 Mike McGrath 2014-07-03 11:06:25 EDT
ping, what's the latest here?
Comment 25 Vincent Danen 2015-01-07 16:43:40 EST
Statement:

Red Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Note You need to log in before you can comment on or make changes to this bug.