
Bug#1033578: marked as done (bullseye-pu: package joblib/0.17.0-4+deb11u1)



Your message dated Sat, 29 Apr 2023 10:54:14 +0100
with message-id <502b8fb37ece620c9723446611a9287974ba5a0c.camel@adam-barratt.org.uk>
and subject line Closing p-u requests for fixes included in 11.7
has caused the Debian Bug report #1033578,
regarding bullseye-pu: package joblib/0.17.0-4+deb11u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1033578: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033578
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: joblib@packages.debian.org, Chiara Marmo <marmochiaskl@gmail.com>, Graham Inggs <ginggs@debian.org>
Control: affects -1 + src:joblib

[ Reason ]

Fix no-dsa security vulnerability CVE-2022-21797.

[ Impact ]

The n_jobs parameter of the parallel_backend, which used to be a string
containing a Python expression, becomes restricted to fairly basic
arithmetic expressions. Using it in another way was not intended.

[ Tests ]

Upstream test suite is extended and run during build.

[ Risks ]

Someone may have used n_jobs in ways not intended by upstream.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

I cherry-picked the relevant upstream commit and updated the hunk
context.

[ Other info ]

The security team tagged this vulnerability no-dsa.

Upstream had multiple attempts at fixing this and buster includes a
vulnerable patch. This cherry-pick skips the vulnerable patch and goes
to the real fix directly.

I am not interested in refining the update (unless it also affects
buster). This is a drive-by contribution as part of an LTS upload.

Helmut
diff --minimal -Nru joblib-0.17.0/debian/changelog joblib-0.17.0/debian/changelog
--- joblib-0.17.0/debian/changelog	2021-06-12 10:19:09.000000000 +0200
+++ joblib-0.17.0/debian/changelog	2023-03-27 15:25:19.000000000 +0200
@@ -1,3 +1,10 @@
+joblib (0.17.0-4+deb11u1) bullseye; urgency=high
+
+  * Non-maintainer upload.
+  * Fix CVE-2022-21797 (Closes: #1020820)
+
+ -- Helmut Grohne <helmut@subdivi.de>  Mon, 27 Mar 2023 15:25:19 +0200
+
 joblib (0.17.0-4) unstable; urgency=medium
 
   * Team upload
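Review bot: the changelog bullet names the CVE and the bug but not what changes for users: the parallel.py hunk below restricts `pre_dispatch` strings to arithmetic on `n_jobs`, so an existing expression that relied on full `eval` (a function call, another variable) now raises ValueError. Add a second line stating that restriction; administrators reading apt-listchanges otherwise have nothing to go on. Note also that the [Impact] text above calls the affected parameter `n_jobs`; the patched code path is the `pre_dispatch` string.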
diff --minimal -Nru joblib-0.17.0/debian/patches/CVE-2022-21797.patch joblib-0.17.0/debian/patches/CVE-2022-21797.patch
--- joblib-0.17.0/debian/patches/CVE-2022-21797.patch	1970-01-01 01:00:00.000000000 +0100
+++ joblib-0.17.0/debian/patches/CVE-2022-21797.patch	2023-03-27 15:25:08.000000000 +0200
@@ -0,0 +1,121 @@
+From 54f4d21f098591c77b48c9acfffaa4cf0a45282b Mon Sep 17 00:00:00 2001
+From: Adrin Jalali <adrin.jalali@gmail.com>
+Date: Mon, 12 Sep 2022 17:17:28 +0200
+Subject: [PATCH] FIX parse pre-dispatch with AST instead of calling eval
+ (#1327)
+
+---
+ CHANGES.rst               |  2 +-
+ joblib/_utils.py          | 44 +++++++++++++++++++++++++++++++++++++++
+ joblib/parallel.py        |  7 +++----
+ joblib/test/test_utils.py | 27 ++++++++++++++++++++++++
+ 4 files changed, 75 insertions(+), 5 deletions(-)
+ create mode 100644 joblib/_utils.py
+ create mode 100644 joblib/test/test_utils.py
+
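Review bot: the diffstat in this header lists CHANGES.rst and "4 files changed, 75 insertions(+), 5 deletions(-)", but the patch body carries only _utils.py, parallel.py and test_utils.py, so the header no longer describes the patch it sits on. Either fix the stat or, better, prepend DEP-3 fields that record provenance and why the backport differs, e.g. `Origin: backport, upstream commit 54f4d21f098591c77b48c9acfffaa4cf0a45282b (#1327)`, `Bug-Debian: https://bugs.debian.org/1020820`, and a `Comment:` line saying the CHANGES.rst hunk was dropped and the parallel.py hunk context was refreshed, as the [Changes] section above states.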
+diff --git a/joblib/_utils.py b/joblib/_utils.py
+new file mode 100644
+index 000000000..2dbd4f636
+--- /dev/null
++++ b/joblib/_utils.py
+@@ -0,0 +1,44 @@
++# Adapted from https://stackoverflow.com/a/9558001/2536294
++
++import ast
++import operator as op
++
++# supported operators
++operators = {
++    ast.Add: op.add,
++    ast.Sub: op.sub,
++    ast.Mult: op.mul,
++    ast.Div: op.truediv,
++    ast.FloorDiv: op.floordiv,
++    ast.Mod: op.mod,
++    ast.Pow: op.pow,
++    ast.USub: op.neg,
++}
++
++
++def eval_expr(expr):
++    """
++    >>> eval_expr('2*6')
++    12
++    >>> eval_expr('2**6')
++    64
++    >>> eval_expr('1 + 2*3**(4) / (6 + -7)')
++    -161.0
++    """
++    try:
++        return eval_(ast.parse(expr, mode="eval").body)
++    except (TypeError, SyntaxError, KeyError) as e:
++        raise ValueError(
++            f"{expr!r} is not a valid or supported arithmetic expression."
++        ) from e
++
++
++def eval_(node):
++    if isinstance(node, ast.Num):  # <number>
++        return node.n
++    elif isinstance(node, ast.BinOp):  # <left> <operator> <right>
++        return operators[type(node.op)](eval_(node.left), eval_(node.right))
++    elif isinstance(node, ast.UnaryOp):  # <operator> <operand> e.g., -1
++        return operators[type(node.op)](eval_(node.operand))
++    else:
++        raise TypeError(node)
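Review bot: `ast.Pow: op.pow` is applied with no bound, so a string such as `'9**9**9'` still lets whoever controls `pre_dispatch` exhaust CPU and memory; the eval code execution is gone but the denial-of-service stays. Check the magnitude of both operands before calling `op.pow` (a cap like `abs(right) > 64` is plenty for a batch-size formula). Two smaller points in the same hunk: the `except (TypeError, SyntaxError, KeyError)` in `eval_expr` does not cover `ZeroDivisionError` from `op.truediv`, `op.floordiv` and `op.mod` (`'1/0'`) or `OverflowError` from a float power, so those escape as raw exceptions rather than the promised ValueError; and `ast.Num` matches complex literals too (`'2j'`), which only fail later at `int(pre_dispatch)` in parallel.py. `ast.Num` is also deprecated since Python 3.8 in favour of `ast.Constant`; harmless on bullseye's Python 3.9, but worth a comment for anyone backporting further.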
+diff --git a/joblib/parallel.py b/joblib/parallel.py
+index 1c2fe18f7..6e7b1b19a 100644
+--- a/joblib/parallel.py
++++ b/joblib/parallel.py
+@@ -27,6 +27,7 @@
+                                  LokyBackend)
+ from .externals.cloudpickle import dumps, loads
+ from .externals import loky
++from ._utils import eval_expr
+ 
+ # Make sure that those two classes are part of the public joblib.parallel API
+ # so that 3rd party backend implementers can import them from here.
+@@ -1051,7 +1052,9 @@ def _batched_calls_reducer_callback():
+         else:
+             self._original_iterator = iterator
+             if hasattr(pre_dispatch, 'endswith'):
+-                pre_dispatch = eval(pre_dispatch)
++                pre_dispatch = eval_expr(
++                    pre_dispatch.replace("n_jobs", str(n_jobs))
++                )
+             self._pre_dispatch_amount = pre_dispatch = int(pre_dispatch)
+ 
+             # The main thread will consume the first pre_dispatch items and
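Review bot: `pre_dispatch.replace("n_jobs", str(n_jobs))` substitutes text before parsing instead of resolving a name, so the only thing keeping other identifiers out is that `eval_` has no `ast.Name` branch and raises TypeError, which `eval_expr` maps to ValueError. That coupling deserves a comment on the line, or, cleaner, pass `n_jobs` into the evaluator as the single permitted name. Also, `hasattr(pre_dispatch, 'endswith')` is a duck-typed "is it a str" test left over from the eval era; `isinstance(pre_dispatch, str)` says what is meant.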
+diff --git a/joblib/test/test_utils.py b/joblib/test/test_utils.py
+new file mode 100644
+index 000000000..4999a212c
+--- /dev/null
++++ b/joblib/test/test_utils.py
+@@ -0,0 +1,27 @@
++import pytest
++
++from joblib._utils import eval_expr
++
++
++@pytest.mark.parametrize(
++    "expr",
++    ["exec('import os')", "print(1)", "import os", "1+1; import os", "1^1"],
++)
++def test_eval_expr_invalid(expr):
++    with pytest.raises(
++        ValueError, match="is not a valid or supported arithmetic"
++    ):
++        eval_expr(expr)
++
++
++@pytest.mark.parametrize(
++    "expr, result",
++    [
++        ("2*6", 12),
++        ("2**6", 64),
++        ("1 + 2*3**(4) / (6 + -7)", -161.0),
++        ("(20 // 3) % 5", 1),
++    ],
++)
++def test_eval_expr_valid(expr, result):
++    assert eval_expr(expr) == result
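Review bot: the negative cases cover rejected node types (Call, Import, BitXor) but none of the paths a real `pre_dispatch` string takes, and the positive cases never involve `n_jobs`. Add a test of the full path with a `pre_dispatch` string that mentions `n_jobs`, exercising the substitution in parallel.py; a bare `'n_jobs'` left unsubstituted, which must raise ValueError; and the two inputs this evaluator currently mishandles: `'1/0'`, which escapes as ZeroDivisionError so the `match=` assertion would never see a ValueError, and `'2j'`, which returns a complex number. Those cases pin down the contract the CVE fix is meant to guarantee.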
diff --minimal -Nru joblib-0.17.0/debian/patches/series joblib-0.17.0/debian/patches/series
--- joblib-0.17.0/debian/patches/series	2021-05-05 12:10:28.000000000 +0200
+++ joblib-0.17.0/debian/patches/series	2023-03-27 15:25:08.000000000 +0200
@@ -2,3 +2,4 @@
 deb_collect_ignore_setup
 deb_test_memory
 big-endian.patch
+CVE-2022-21797.patch

--- End Message ---
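The before/after described under [Impact], as an added example that is neither joblib's code nor part of Helmut's message: the eval()-based parse that CVE-2022-21797 is about, beside a whitelisted AST evaluator. Every name in it (`pre_dispatch_unsafe`, `pre_dispatch_safe`, `eval_arith`, `UnsafeExpression`, `is_rejected`, the `MAX_POW_*` bounds) is an illustrative assumption. It deliberately differs from the upstream patch in three ways: `n_jobs` is resolved as a whitelisted name rather than substituted into the string, `**` is bounded so `9**9**9` cannot exhaust memory, and division and overflow errors are folded into the same ValueError subclass.

```python
# Added example, not joblib's code: the eval()-based parse behind CVE-2022-21797
# next to a whitelisted AST evaluator. All names here are illustrative; only the
# shape of the original call, eval(pre_dispatch) with n_jobs in scope, comes from
# the patch in this thread.
import ast
import operator


def pre_dispatch_unsafe(pre_dispatch, n_jobs):
    """The vulnerable form: the string is evaluated as arbitrary Python."""
    return int(eval(pre_dispatch))  # n_jobs resolves from this frame's locals


# Operators an arithmetic pre_dispatch expression may use; anything else is refused.
_BINOPS = {
    ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
    ast.Div: operator.truediv, ast.FloorDiv: operator.floordiv,
    ast.Mod: operator.mod, ast.Pow: operator.pow,
}
_UNOPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}
MAX_POW_BASE = 1 << 31  # assumption: bounds chosen for a batch-size formula,
MAX_POW_EXP = 64        # so 9**9**9 is refused instead of exhausting memory


class UnsafeExpression(ValueError):
    """Raised for anything that is not plain arithmetic over whitelisted names."""


def _walk(node, names):
    if isinstance(node, ast.Constant):
        # bool is a subclass of int and complex is numeric; both are refused
        if type(node.value) not in (int, float):
            raise UnsafeExpression(f"literal {node.value!r} is not allowed")
        return node.value
    if isinstance(node, ast.Name):  # whitelisted identifiers only, e.g. n_jobs
        if node.id not in names:
            raise UnsafeExpression(f"unknown name {node.id!r}")
        return names[node.id]
    if isinstance(node, ast.BinOp) and type(node.op) in _BINOPS:
        left, right = _walk(node.left, names), _walk(node.right, names)
        if isinstance(node.op, ast.Pow) and (
            abs(left) > MAX_POW_BASE or abs(right) > MAX_POW_EXP
        ):
            raise UnsafeExpression("power operands too large")
        return _BINOPS[type(node.op)](left, right)
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNOPS:
        return _UNOPS[type(node.op)](_walk(node.operand, names))
    # Call, Attribute, Subscript, BitXor, Compare, ... all land here
    raise UnsafeExpression(f"{type(node).__name__} is not allowed")


def eval_arith(expr, **names):
    """Evaluate `expr` as basic arithmetic. Keyword arguments are the only
    identifiers the expression may reference, so the caller never has to
    substitute text into an untrusted string."""
    try:
        tree = ast.parse(expr, mode="eval")  # "1+1; import os" fails here
    except SyntaxError as e:
        raise UnsafeExpression(f"{expr!r} is not a single expression") from e
    try:
        return _walk(tree.body, names)
    except (TypeError, ZeroDivisionError, OverflowError) as e:
        # "1/0", float overflow in **, or n_jobs=None would otherwise escape
        raise UnsafeExpression(f"{expr!r} cannot be evaluated: {e}") from e


def pre_dispatch_safe(pre_dispatch, n_jobs):
    """Hardened replacement for pre_dispatch_unsafe."""
    return int(eval_arith(pre_dispatch, n_jobs=n_jobs))


def is_rejected(expr, **names):
    """True when eval_arith refuses `expr`; handy for checking the whitelist."""
    try:
        eval_arith(expr, **names)
    except UnsafeExpression:
        return True
    return False
```

`pre_dispatch_safe('2 * n_jobs', 4)` gives 8, the same as the unsafe form; the difference shows with a string like `__import__('os').getpid()`, which `pre_dispatch_unsafe` executes and returns the interpreter's pid for, while `pre_dispatch_safe` raises `UnsafeExpression` before anything runs. `is_rejected` is only there to make the whitelist easy to check.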
--- Begin Message ---
Package: release.debian.org
Version: 11.7

Hi,

Each of the updates referred to in these requests was included in this
morning's 11.7 point release.

Regards,

Adam

--- End Message ---