This is an automated email from the ASF dual-hosted git repository.

dickjc123 pushed a commit to branch v1.9.x
in repository https://gitbox.apache.org/repos/asf/incubator-mxnet.git


The following commit(s) were added to refs/heads/v1.9.x by this push:
     new 67467f8  [v1.9.x] [BUGFIX] Upgrade numpy to <1.20.0 to avoid security 
vulnerabilities affecting numpy<1.19.1 (#20940)
67467f8 is described below

commit 67467f81573b0db822020496e2b58c812ea2d447
Author: Dick Carter <[email protected]>
AuthorDate: Thu Mar 10 12:17:08 2022 -0800

    [v1.9.x] [BUGFIX] Upgrade numpy to <1.20.0 to avoid security 
vulnerabilities affecting numpy<1.19.1 (#20940)
    
    * Pin numpy==1.19.1 to demonstrate issues
    
    * Relax min numpy version
    
    * Make test_np_array_function_protocol delete() testing work with 
numpy>=1.19
    
    * Fix test_np_delete to also work with numpy>=1.19
    
    * Pip install python module 'packaging'
    
    * More pip-install 'packaging'
    
    * Update windows requirements.txt
    
    * Allow numpy as advanced as 1.19.5
---
 ci/docker/install/centos7_python.sh                  | 4 ++--
 ci/docker/install/requirements                       | 4 +++-
 ci/docker/install/requirements_aarch64               | 1 +
 ci/docker/install/ubuntu_onnx.sh                     | 5 +++--
 ci/docker/install/ubuntu_publish.sh                  | 4 ++--
 ci/travis/install.sh                                 | 4 ++--
 tests/python/unittest/test_numpy_interoperability.py | 8 +++++---
 tests/python/unittest/test_numpy_op.py               | 7 +++++++
 tests/requirements.txt                               | 4 +++-
 9 files changed, 28 insertions(+), 13 deletions(-)

diff --git a/ci/docker/install/centos7_python.sh 
b/ci/docker/install/centos7_python.sh
index b7082d3..a90e2f6 100755
--- a/ci/docker/install/centos7_python.sh
+++ b/ci/docker/install/centos7_python.sh
@@ -29,5 +29,5 @@ yum -y install python36u
 # Install PIP
 curl "https://bootstrap.pypa.io/pip/3.6/get-pip.py"; -o "get-pip.py"
 python3.6 get-pip.py
-# Restrict numpy version to < 1.19.0 due to 
https://github.com/apache/incubator-mxnet/issues/18600
-python3.6 -m pip install nose pylint 'numpy>1.16.0,<1.19.0' nose-timer 
requests 'h5py<3' scipy==1.2.3
+# Allow numpy version as advanced as 1.19.5 to avoid CVE-2021-41495 and 
CVE-2021-41496 affecting <1.19.1.
+python3.6 -m pip install nose pylint 'numpy>=1.16.0,<1.20.0' nose-timer 
requests 'h5py<3' scipy==1.2.3 packaging
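Review bot: The new comment says the range avoids CVE-2021-41495 and CVE-2021-41496 "affecting <1.19.1", but the spec `'numpy>=1.16.0,<1.20.0'` on the added pip line still admits 1.16.0 through 1.19.0, so the constraint does not actually exclude the affected releases. pip selects the newest candidate on a fresh install, but this invocation carries no `--upgrade`, so an already-present older numpy that satisfies the range would be kept as "already satisfied". If the fixed releases are the requirement, raise the floor to `'numpy>=1.19.1,<1.20.0'`; if the wider floor is deliberate for other environments, the comment should say the range merely permits the fixed versions rather than guarantees them. The same spec and comment recur in ci/docker/install/requirements, ubuntu_onnx.sh, ubuntu_publish.sh, ci/travis/install.sh and tests/requirements.txt.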
diff --git a/ci/docker/install/requirements b/ci/docker/install/requirements
index 463a7f9..3068b9f 100644
--- a/ci/docker/install/requirements
+++ b/ci/docker/install/requirements
@@ -26,10 +26,12 @@ h5py<3
 mock==2.0.0
 nose==1.3.7
 nose-timer==0.7.3
-numpy>1.16.0,<1.19.0  # Restrict numpy version to < 1.19.0 due to 
https://github.com/apache/incubator-mxnet/issues/18600
+# Allow numpy version as advanced as 1.19.5 to avoid CVE-2021-41495 and 
CVE-2021-41496 affecting <1.19.1.
+numpy>=1.16.0,<1.20.0
 pylint==2.3.1  # pylint and astroid need to be aligned
 astroid==2.3.3  # pylint and astroid need to be aligned
 requests<2.19.0,>=2.18.4
 scipy==1.2.1
 setuptools
 coverage
+packaging
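Review bot: `packaging` is added on the last line of the hunk without a version pin, while the neighbouring entries (`nose==1.3.7`, `nose-timer==0.7.3`, `pylint==2.3.1`, `astroid==2.3.3`) are pinned exactly, so CI will resolve whatever `packaging` release is current at build time (setuptools and coverage are the pre-existing unpinned exceptions). Pinning it, e.g. `packaging==<PINNED_VERSION>` with the version used when this was tested, keeps the image reproducible and its dependency set auditable. The same unpinned line is added in requirements_aarch64 and tests/requirements.txt.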
diff --git a/ci/docker/install/requirements_aarch64 
b/ci/docker/install/requirements_aarch64
index 1cfead0..6f45950 100644
--- a/ci/docker/install/requirements_aarch64
+++ b/ci/docker/install/requirements_aarch64
@@ -31,3 +31,4 @@ requests<2.19.0,>=2.18.4
 setuptools
 coverage
 wheel
+packaging
diff --git a/ci/docker/install/ubuntu_onnx.sh b/ci/docker/install/ubuntu_onnx.sh
index da59b52..6735108 100755
--- a/ci/docker/install/ubuntu_onnx.sh
+++ b/ci/docker/install/ubuntu_onnx.sh
@@ -18,7 +18,7 @@
 # under the License.
 
 ######################################################################
-# This script installs ONNX for Python along with all required dependencies 
+# This script installs ONNX for Python along with all required dependencies
 # on a Ubuntu Machine.
 # Tested on Ubuntu 16.04 distro.
 ######################################################################
@@ -30,4 +30,5 @@ echo "Installing libprotobuf-dev and protobuf-compiler ..."
 apt-get update || true
 apt-get install -y libprotobuf-dev protobuf-compiler
 
-pip3 install pytest==6.2.2 pytest-cov==2.11.1 pytest-xdist==2.2.1 
protobuf==3.13.0 onnx==1.8.1 Pillow==5.0.0 tabulate==0.7.5 onnxruntime==1.7.0 
'numpy>1.16.0,<1.19.0' gluonnlp==0.10.0 gluoncv==0.8.0
+# Allow numpy version as advanced as 1.19.5 to avoid CVE-2021-41495 and 
CVE-2021-41496 affecting <1.19.1.
+pip3 install pytest==6.2.2 pytest-cov==2.11.1 pytest-xdist==2.2.1 
protobuf==3.13.0 onnx==1.8.1 Pillow==5.0.0 tabulate==0.7.5 onnxruntime==1.7.0 
'numpy>=1.16.0,<1.20.0' gluonnlp==0.10.0 gluoncv==0.8.0 packaging
diff --git a/ci/docker/install/ubuntu_publish.sh 
b/ci/docker/install/ubuntu_publish.sh
index 3eb949b..b5a8906 100755
--- a/ci/docker/install/ubuntu_publish.sh
+++ b/ci/docker/install/ubuntu_publish.sh
@@ -84,8 +84,8 @@ apt-get install -y python python-pip python3 python3-pip
 # Restrict pip version to <19 due to use of Python 3.4 on Ubuntu 14.04
 python3 -m pip install --upgrade 'pip<19'
 
-# Restrict numpy version to <1.18 due to use of Python 3.4 on Ubuntu 14.04
-python3 -m pip install --upgrade --ignore-installed nose cpplint==1.3.0 
pylint==2.3.1 'numpy>1.16.0,<1.18' nose-timer 'requests<2.19.0,>=2.18.4' 
'h5py<3' scipy==1.0.1 boto3
+# Allow numpy version as advanced as 1.19.5 to avoid CVE-2021-41495 and 
CVE-2021-41496 affecting <1.19.1.
+python3 -m pip install --upgrade --ignore-installed nose cpplint==1.3.0 
pylint==2.3.1 'numpy>=1.16.0,<1.20.0' nose-timer 'requests<2.19.0,>=2.18.4' 
'h5py<3' scipy==1.0.1 boto3 packaging
 
 # CMake 3.13.2+ is required
 mkdir /opt/cmake && cd /opt/cmake
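Review bot: The removed comment tied the old `<1.18` ceiling to Python 3.4 on Ubuntu 14.04, and the context comment just above the change (`Restrict pip version to <19 due to use of Python 3.4 on Ubuntu 14.04`) still describes that interpreter, yet the new spec allows numpy 1.19.x, which as far as I know ships no builds for Python 3.4. If the image really still runs 3.4 the install would fail to resolve within `>=1.16.0,<1.20.0`; if it no longer does, the surviving pip comment is stale. Either way the new comment should record which interpreter the range was verified against, e.g. `# Allow numpy as advanced as 1.19.5 (verified on Python <VERSION> in this image) to avoid CVE-2021-41495 and CVE-2021-41496 affecting <1.19.1.`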
diff --git a/ci/travis/install.sh b/ci/travis/install.sh
index e1f7c2d..5458e5c 100644
--- a/ci/travis/install.sh
+++ b/ci/travis/install.sh
@@ -22,6 +22,6 @@ export HOMEBREW_NO_AUTO_UPDATE=1
 
 if [ ${TRAVIS_OS_NAME} == "osx" ]; then
     brew install opencv
-    # Restrict numpy version to < 1.19.0 due to 
https://github.com/apache/incubator-mxnet/issues/18600
-    python -m pip install --user nose 'numpy>1.16.0,<1.19.0' cython scipy 
requests mock nose-timer nose-exclude mxnet-to-coreml
+    # Allow numpy version as advanced as 1.19.5 to avoid CVE-2021-41495 and 
CVE-2021-41496 affecting <1.19.1.
+    python -m pip install --user nose 'numpy>=1.16.0,<1.20.0' cython scipy 
requests mock nose-timer nose-exclude mxnet-to-coreml packaging
 fi
diff --git a/tests/python/unittest/test_numpy_interoperability.py 
b/tests/python/unittest/test_numpy_interoperability.py
index fd8abf1..3c321c3 100644
--- a/tests/python/unittest/test_numpy_interoperability.py
+++ b/tests/python/unittest/test_numpy_interoperability.py
@@ -1194,10 +1194,12 @@ def _add_workload_delete():
                 s = slice(start, stop, step)
                 OpArgMngr.add_workload('delete', a, s)
                 OpArgMngr.add_workload('delete', nd_a, s, axis=1)
-    OpArgMngr.add_workload('delete', a, np.array([]), axis=0)
+    # mxnet.numpy arrays, even 0-sized, have a float32 dtype.  Starting with 
numpy 1.19, the
+    # index array's of delete() must be of integer or boolean type, so we 
force that below.
+    OpArgMngr.add_workload('delete', a, np.array([], dtype='int32'), axis=0)
     OpArgMngr.add_workload('delete', a, 0)
-    OpArgMngr.add_workload('delete', a, np.array([]))
-    OpArgMngr.add_workload('delete', a, np.array([0, 1]))
+    OpArgMngr.add_workload('delete', a, np.array([], dtype='int32'))
+    OpArgMngr.add_workload('delete', a, np.array([0, 1], dtype='int32'))
     OpArgMngr.add_workload('delete', a, slice(1, 2))
     OpArgMngr.add_workload('delete', a, slice(1, -2))
     k = np.arange(10).reshape(2, 5)
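Review bot: The added comment reads `index array's of delete()`, which should be `index array of delete()`; a tighter version of the two added comment lines would be `Starting with numpy 1.19 the index array passed to delete() must be of integer or boolean type, so the dtype is forced here.` The three rewritten workload lines do match that rationale. `_add_workload_delete` starts outside the hunk.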
diff --git a/tests/python/unittest/test_numpy_op.py 
b/tests/python/unittest/test_numpy_op.py
index add0620..c1f899d 100644
--- a/tests/python/unittest/test_numpy_op.py
+++ b/tests/python/unittest/test_numpy_op.py
@@ -26,6 +26,7 @@ import platform
 import mxnet as mx
 import scipy.stats as ss
 import scipy.special as scipy_special
+from packaging.version import parse
 from nose.tools import assert_raises
 from mxnet import np, npx
 from mxnet.gluon import HybridBlock
@@ -3622,6 +3623,12 @@ def test_np_delete():
             if type(obj) == list:
                 obj_mxnp = np.array(obj, dtype=objtype)
                 obj_onp = _np.array(obj, dtype=objtype)
+                # To match mxnet.numpy's behavior of ignoring out-of-bounds 
indices,
+                # we may need to filter out indices that this numpy would not 
ignore.
+                onp_ignores_oob_indices = parse(_np.version.version) < 
parse('1.19')
+                if not onp_ignores_oob_indices:
+                    dim_size = GetDimSize(arr_shape,axis)
+                    obj_onp = obj_onp[((obj_onp>=0) & (obj_onp<dim_size))]
             elif type(obj) == slice:
                 obj_mxnp = obj
                 obj_onp = obj
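Review bot: The mask on the last added line, `obj_onp[((obj_onp>=0) & (obj_onp<dim_size))]`, also discards negative indices from the numpy side while `obj_mxnp` keeps them, so for any workload containing negative indices the two implementations no longer receive the same index set; whether that is intended depends on whether mxnet.numpy ignores negative indices as well, which the added comment does not say — if mxnet instead wraps them the way numpy>=1.19 does, the lower bound should be `obj_onp >= -dim_size`, and the comment should state which behaviour is being matched. The version probe `parse(_np.version.version) < parse('1.19')` is loop-invariant and would read better computed once before the loop, and `GetDimSize(arr_shape,axis)` wants a space after the comma. The body of test_np_delete starts and ends outside the hunk.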
diff --git a/tests/requirements.txt b/tests/requirements.txt
index 679d2aa..a58e4b4 100644
--- a/tests/requirements.txt
+++ b/tests/requirements.txt
@@ -4,6 +4,8 @@ mock
 nose
 nose-timer
 ipython
-numpy>1.16.0,<1.19.0  # Restrict numpy version to < 1.19.0 due to 
https://github.com/apache/incubator-mxnet/issues/18600
+# Allow numpy version as advanced as 1.19.5 to avoid CVE-2021-41495 and 
CVE-2021-41496 affecting <1.19.1.
+numpy>=1.16.0,<1.20.0
 scipy<1.7.0 # Restrict scipy version due to 
https://github.com/apache/incubator-mxnet/issues/20389
 onnxruntime
+packaging
