Your message dated Sat, 29 Apr 2023 10:54:14 +0100
with message-id
<502b8fb37ece620c9723446611a9287974ba5a0c.ca...@adam-barratt.org.uk>
and subject line Closing p-u requests for fixes included in 11.7
has caused the Debian Bug report #1033578,
regarding bullseye-pu: package joblib/0.17.0-4+deb11u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1033578: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033578
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Tags: bullseye
User: [email protected]
Usertags: pu
X-Debbugs-Cc: [email protected], Chiara Marmo <[email protected]>, Graham Inggs <[email protected]>
Control: affects -1 + src:joblib
[ Reason ]
Fix no-dsa security vulnerability CVE-2022-21797.
[ Impact ]
The n_jobs parameter of the parallel_backend, which used to be a string
containing a Python expression, becomes restricted to fairly basic
arithmetic expressions. Using it in another way was not intended.
[ Tests ]
Upstream test suite is extended and run during build.
[ Risks ]
Someone may have used n_jobs in ways not intended by upstream.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
I cherry-picked the relevant upstream commit and updated the hunk
context.
[ Other info ]
The security team tagged this vulnerability no-dsa.
Upstream had multiple attempts at fixing this and buster includes a
vulnerable patch. This cherry-pick skips the vulnerable patch and goes
to the real fix directly.
I am not interested in refining the update (unless it also affects
buster). This is a drive-by contribution as part of an LTS upload.
Helmut
diff --minimal -Nru joblib-0.17.0/debian/changelog
joblib-0.17.0/debian/changelog
--- joblib-0.17.0/debian/changelog 2021-06-12 10:19:09.000000000 +0200
+++ joblib-0.17.0/debian/changelog 2023-03-27 15:25:19.000000000 +0200
@@ -1,3 +1,10 @@
+joblib (0.17.0-4+deb11u1) bullseye; urgency=high
+
+ * Non-maintainer upload.
+ * Fix CVE-2022-21797 (Closes: #1020820)
+
+ -- Helmut Grohne <[email protected]> Mon, 27 Mar 2023 15:25:19 +0200
+
joblib (0.17.0-4) unstable; urgency=medium
* Team upload
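Review bot: the changelog entry `+ * Fix CVE-2022-21797 (Closes: #1020820)` records only the CVE id; for a no-dsa fix that goes out through p-u it helps later readers to say what changed and which upstream commit was taken, e.g. `* Fix CVE-2022-21797: evaluate the pre_dispatch expression through an AST whitelist instead of eval() (Closes: #1020820)` plus a mention of upstream commit 54f4d21f, since the request explains that an earlier upstream attempt was itself vulnerable and was deliberately skipped.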
diff --minimal -Nru joblib-0.17.0/debian/patches/CVE-2022-21797.patch
joblib-0.17.0/debian/patches/CVE-2022-21797.patch
--- joblib-0.17.0/debian/patches/CVE-2022-21797.patch 1970-01-01
01:00:00.000000000 +0100
+++ joblib-0.17.0/debian/patches/CVE-2022-21797.patch 2023-03-27
15:25:08.000000000 +0200
@@ -0,0 +1,121 @@
+From 54f4d21f098591c77b48c9acfffaa4cf0a45282b Mon Sep 17 00:00:00 2001
+From: Adrin Jalali <[email protected]>
+Date: Mon, 12 Sep 2022 17:17:28 +0200
+Subject: [PATCH] FIX parse pre-dispatch with AST instead of calling eval
+ (#1327)
+
+---
+ CHANGES.rst | 2 +-
+ joblib/_utils.py | 44 +++++++++++++++++++++++++++++++++++++++
+ joblib/parallel.py | 7 +++----
+ joblib/test/test_utils.py | 27 ++++++++++++++++++++++++
+ 4 files changed, 75 insertions(+), 5 deletions(-)
+ create mode 100644 joblib/_utils.py
+ create mode 100644 joblib/test/test_utils.py
+
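Review bot: the diffstat in the patch header lists `CHANGES.rst | 2 +-` and `4 files changed, 75 insertions(+), 5 deletions(-)`, but the body below carries no CHANGES.rst hunk, so the stat no longer describes what is applied; either trim the stat to the three files actually present or note that the upstream changelog hunk was dropped on purpose. While touching the header, DEP-3 fields such as `Origin: upstream, <commit 54f4d21f098591c77b48c9acfffaa4cf0a45282b>` and `Bug-Debian: https://bugs.debian.org/1020820` would let anyone reading the quilt series trace the backport without the p-u request.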
+diff --git a/joblib/_utils.py b/joblib/_utils.py
+new file mode 100644
+index 000000000..2dbd4f636
+--- /dev/null
++++ b/joblib/_utils.py
+@@ -0,0 +1,44 @@
++# Adapted from https://stackoverflow.com/a/9558001/2536294
++
++import ast
++import operator as op
++
++# supported operators
++operators = {
++ ast.Add: op.add,
++ ast.Sub: op.sub,
++ ast.Mult: op.mul,
++ ast.Div: op.truediv,
++ ast.FloorDiv: op.floordiv,
++ ast.Mod: op.mod,
++ ast.Pow: op.pow,
++ ast.USub: op.neg,
++}
++
++
++def eval_expr(expr):
++ """
++ >>> eval_expr('2*6')
++ 12
++ >>> eval_expr('2**6')
++ 64
++ >>> eval_expr('1 + 2*3**(4) / (6 + -7)')
++ -161.0
++ """
++ try:
++ return eval_(ast.parse(expr, mode="eval").body)
++ except (TypeError, SyntaxError, KeyError) as e:
++ raise ValueError(
++ f"{expr!r} is not a valid or supported arithmetic expression."
++ ) from e
++
++
++def eval_(node):
++ if isinstance(node, ast.Num): # <number>
++ return node.n
++ elif isinstance(node, ast.BinOp): # <left> <operator> <right>
++ return operators[type(node.op)](eval_(node.left), eval_(node.right))
++ elif isinstance(node, ast.UnaryOp): # <operator> <operand> e.g., -1
++ return operators[type(node.op)](eval_(node.operand))
++ else:
++ raise TypeError(node)
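Review bot: `eval_` at `++def eval_(node):` lets runtime errors escape the `ValueError` contract of `eval_expr`: the tuple in `++ except (TypeError, SyntaxError, KeyError) as e:` does not include `ZeroDivisionError` or `OverflowError`, so `"1/0"` or a float `**` that overflows raises a different exception type than the docstring and the tests promise; adding both to the tuple keeps the caller's handling uniform. Two smaller points: `++ ast.Pow: op.pow,` is applied with no bound on operand size, so a cap on the exponent is cheap insurance for a value that arrives as a string; and `ast.Num` / `node.n` are deprecated aliases since Python 3.8 (fine on bullseye's 3.9, but `ast.Constant` with an `isinstance(node.value, (int, float))` check is the forward-compatible form and also rejects complex literals such as `1j`, which pass the `ast.Num` check here and only fail later at `int()`).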
+diff --git a/joblib/parallel.py b/joblib/parallel.py
+index 1c2fe18f7..6e7b1b19a 100644
+--- a/joblib/parallel.py
++++ b/joblib/parallel.py
+@@ -27,6 +27,7 @@
+ LokyBackend)
+ from .externals.cloudpickle import dumps, loads
+ from .externals import loky
++from ._utils import eval_expr
+
+ # Make sure that those two classes are part of the public joblib.parallel API
+ # so that 3rd party backend implementers can import them from here.
+@@ -1051,7 +1052,9 @@ def _batched_calls_reducer_callback():
+ else:
+ self._original_iterator = iterator
+ if hasattr(pre_dispatch, 'endswith'):
+- pre_dispatch = eval(pre_dispatch)
++ pre_dispatch = eval_expr(
++ pre_dispatch.replace("n_jobs", str(n_jobs))
++ )
+ self._pre_dispatch_amount = pre_dispatch = int(pre_dispatch)
+
+ # The main thread will consume the first pre_dispatch items and
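Review bot: at `++ pre_dispatch.replace("n_jobs", str(n_jobs))` the substitution is textual, so the `ValueError` raised by `eval_expr` for an unsupported value quotes the already-substituted string (with `n_jobs=2` a caller's `'n_jobs ** x'` is reported as `'2 ** x'`), which makes the message harder to map back to the `pre_dispatch` argument; catching the `ValueError` here and re-raising with the original `pre_dispatch` text and the parameter name would help. The behavioural change itself is sound: any name other than `n_jobs` now fails closed inside `eval_expr` instead of resolving against the local scope as the removed `- pre_dispatch = eval(pre_dispatch)` did.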
+diff --git a/joblib/test/test_utils.py b/joblib/test/test_utils.py
+new file mode 100644
+index 000000000..4999a212c
+--- /dev/null
++++ b/joblib/test/test_utils.py
+@@ -0,0 +1,27 @@
++import pytest
++
++from joblib._utils import eval_expr
++
++
[email protected](
++ "expr",
++ ["exec('import os')", "print(1)", "import os", "1+1; import os", "1^1"],
++)
++def test_eval_expr_invalid(expr):
++ with pytest.raises(
++ ValueError, match="is not a valid or supported arithmetic"
++ ):
++ eval_expr(expr)
++
++
[email protected](
++ "expr, result",
++ [
++ ("2*6", 12),
++ ("2**6", 64),
++ ("1 + 2*3**(4) / (6 + -7)", -161.0),
++ ("(20 // 3) % 5", 1),
++ ],
++)
++def test_eval_expr_valid(expr, result):
++ assert eval_expr(expr) == result
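Review bot: `test_eval_expr_invalid` covers injection-style strings and `1^1`, and `test_eval_expr_valid` the documented arithmetic, but nothing exercises the `parallel.py` call site, i.e. that a string such as `'2*n_jobs'` still yields the expected `_pre_dispatch_amount` for a real `Parallel` call; one case through `Parallel(n_jobs=2, pre_dispatch='2*n_jobs')` would guard the regression this backport is most likely to introduce. A `'1/0'` case would also pin down which exception type the evaluator raises for runtime errors, which is currently unspecified by the tests.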
diff --minimal -Nru joblib-0.17.0/debian/patches/series
joblib-0.17.0/debian/patches/series
--- joblib-0.17.0/debian/patches/series 2021-05-05 12:10:28.000000000 +0200
+++ joblib-0.17.0/debian/patches/series 2023-03-27 15:25:08.000000000 +0200
@@ -2,3 +2,4 @@
deb_collect_ignore_setup
deb_test_memory
big-endian.patch
+CVE-2022-21797.patch
--- End Message ---
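The [Impact] section above describes the fix as restricting the string form of the dispatch parameter to basic arithmetic. As an added illustration that is not joblib's code and not part of the bug report, the evaluator below implements the same whitelist-on-AST pattern in a slightly more general form: the identifier `n_jobs` is resolved as an `ast.Name` from a caller-supplied mapping instead of by textual replacement, `ast.Constant` replaces the deprecated `ast.Num`, runtime errors such as division by zero are folded into the single `ValueError` contract, and exponentiation is bounded. The names `safe_eval`, `compute_pre_dispatch` and the two `MAX_*` limits are assumptions chosen for this example.

```python
import ast
import operator

# Constructed example, not joblib's own _utils.py: an arithmetic-only
# evaluator in the style of the upstream fix, with the additions a reviewer
# of that patch would ask for.

_BINARY = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
    ast.FloorDiv: operator.floordiv,
    ast.Mod: operator.mod,
    ast.Pow: operator.pow,  # guarded by the limits below
}
_UNARY = {ast.USub: operator.neg, ast.UAdd: operator.pos}

# Hypothetical limits chosen for this example; they stop "9**9**9"-style
# inputs from exhausting memory before the result is even coerced to int.
MAX_POW_EXPONENT = 64
MAX_ABS_OPERAND = 10 ** 12


def safe_eval(expr, names=None):
    """Evaluate a small arithmetic expression from an untrusted-ish string.

    `names` maps identifiers (e.g. "n_jobs") to numeric values.  Anything
    outside the whitelist (calls, attributes, imports, other operators)
    and any runtime failure is reported as ValueError, so callers handle
    exactly one exception type.
    """
    names = names or {}
    try:
        tree = ast.parse(expr, mode="eval")
        return _eval(tree.body, names)
    except (SyntaxError, ValueError, TypeError, KeyError,
            ZeroDivisionError, OverflowError, RecursionError) as e:
        raise ValueError(
            f"{expr!r} is not a valid or supported arithmetic expression."
        ) from e


def _eval(node, names):
    # Numeric literals only: bool and complex are rejected on purpose.
    if isinstance(node, ast.Constant) and type(node.value) in (int, float):
        return node.value
    # Identifiers are looked up, never evaluated; unknown -> KeyError.
    if isinstance(node, ast.Name):
        return names[node.id]
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY:
        return _UNARY[type(node.op)](_eval(node.operand, names))
    if isinstance(node, ast.BinOp) and type(node.op) in _BINARY:
        left = _eval(node.left, names)
        right = _eval(node.right, names)
        if isinstance(node.op, ast.Pow) and (
            abs(right) > MAX_POW_EXPONENT or abs(left) > MAX_ABS_OPERAND
        ):
            raise ValueError("exponent or base exceeds the configured bound")
        return _BINARY[type(node.op)](left, right)
    # Everything else (Call, Attribute, BitXor, Compare, ...) is refused.
    raise TypeError(f"unsupported syntax: {type(node).__name__}")


def compute_pre_dispatch(pre_dispatch, n_jobs):
    """Mirror of the parallel.py call site: a string is evaluated with
    n_jobs bound as a name, then coerced to int like the original code."""
    if isinstance(pre_dispatch, str):
        pre_dispatch = safe_eval(pre_dispatch, {"n_jobs": n_jobs})
    return int(pre_dispatch)


if __name__ == "__main__":
    print(compute_pre_dispatch("2*n_jobs", 4))   # 8
    for bad in ("exec('import os')", "1^1", "1/0", "9**9**9", "True"):
        try:
            safe_eval(bad)
        except ValueError as exc:
            print("rejected:", exc)
```

Binding `n_jobs` through the `names` mapping rather than `str.replace` means the error message still quotes what the caller wrote, and it generalises to further read-only names without touching the parser; the bound on `**` is the one behaviour the upstream evaluator lacks and is worth keeping even though the value normally comes from library configuration rather than end users.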
--- Begin Message ---
Package: release.debian.org
Version: 11.7
Hi,
Each of the updates referred to in these requests was included in this
morning's 11.7 point release.
Regards,
Adam
--- End Message ---