Jakub Wilk found that f2py insecurely used a temporary file. A local attacker could use this flaw to perform a symbolic link attack to modify an arbitrary file accessible to the user running f2py. The original report in the Debian bug tracking system (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737778) notes the issue is in numpy/f2py/__init__.py: from numpy.distutils.exec_command import exec_command import tempfile if source_fn is None: fname = os.path.join(tempfile.mktemp()+'.f') else: fname = source_fn f = open(fname,'w')
CVE request: http://www.openwall.com/lists/oss-security/2014/02/06/3 No patch yet so I have not bothered to file any Fedora trackers etc yet
(In reply to Murray McAllister from comment #1) > No patch yet so I have not bothered to file any Fedora trackers etc yet There is a patch, which has already been merged upstream: https://github.com/numpy/numpy/pull/4262
Created numpy tracking bugs for this issue: Affects: fedora-all [bug 1062359]
(In reply to Thomas Spura from comment #4) > (In reply to Murray McAllister from comment #1) > > No patch yet so I have not bothered to file any Fedora trackers etc yet > > There is a patch, which has already been merged upstream: > https://github.com/numpy/numpy/pull/4262 Thanks Thomas!
(In reply to Thomas Spura from comment #4) > There is a patch, which has already been merged upstream: > https://github.com/numpy/numpy/pull/4262 Direct link to the commit in the upstream repository: https://github.com/numpy/numpy/commit/0bb46c1448b0d3f5453d5182a17ea7ac5854ee15
Referring to https://github.com/numpy/numpy/commit/0bb46c1448b0d3f5453d5182a17ea7ac5854ee15 CVE-2014-1858 was assigned to the issue in the __init__.py file. CVE-2014-1859 was assigned to all other temporary file issues in the above commit. Reference: http://seclists.org/oss-sec/2014/q1/287
(In reply to Murray McAllister from comment #12) > Referring to > https://github.com/numpy/numpy/commit/ > 0bb46c1448b0d3f5453d5182a17ea7ac5854ee15 > > CVE-2014-1858 was assigned to the issue in the __init__.py file. > CVE-2014-1859 was assigned to all other temporary file issues in the above > commit. > > Reference: http://seclists.org/oss-sec/2014/q1/287 Both fixed in rawhide: http://koji.fedoraproject.org/koji/buildinfo?buildID=497182 First CVE can be fixed easily in f20 too. The second CVE is a bit more difficult to backport. Don't know, when I'll have time for that...
Created attachment 861439 [details] Backported patch for this CVE for numpy 1.7
Created numpy tracking bugs for this issue: Affects: epel-5 [bug 1064951]
Created python26-numpy tracking bugs for this issue: Affects: epel-5 [bug 1064952]
numpy-1.8.0-4.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
numpy-1.7.2-8.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
ping, what's the latest here?
Statement: Red Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.