Hello community, here is the log from the commit of package python-joblib for openSUSE:Factory checked in at 2019-06-01 09:56:37 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python-joblib (Old) and /work/SRC/openSUSE:Factory/.python-joblib.new.5148 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-joblib" Sat Jun 1 09:56:37 2019 rev:9 rq:706481 version:0.13.2 Changes: -------- --- /work/SRC/openSUSE:Factory/python-joblib/python-joblib.changes 2019-03-26 22:34:45.941671497 +0100 +++ /work/SRC/openSUSE:Factory/.python-joblib.new.5148/python-joblib.changes 2019-06-01 09:56:42.907176487 +0200 @@ -1,0 +2,7 @@ +Tue May 28 10:34:57 UTC 2019 - Tomáš Chvátal <[email protected]> + +- Switch to %pytest +- Add patch to work well with new numpy: + * numpy16.patch + +------------------------------------------------------------------- New: ---- numpy16.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python-joblib.spec ++++++ --- /var/tmp/diff_new_pack.hwQ2WL/_old 2019-06-01 09:56:44.507175941 +0200 +++ /var/tmp/diff_new_pack.hwQ2WL/_new 2019-06-01 09:56:44.511175939 +0200 @@ -25,6 +25,7 @@ Group: Development/Languages/Python URL: https://github.com/joblib/joblib Source: https://files.pythonhosted.org/packages/source/j/joblib/joblib-%{version}.tar.gz +Patch0: numpy16.patch BuildRequires: %{python_module lz4} BuildRequires: %{python_module numpy} BuildRequires: %{python_module psutil} @@ -53,6 +54,7 @@ %prep %setup -q -n joblib-%{version} +%patch0 -p1 %build %python_build @@ -63,9 +65,7 @@ %check export LANG=en_US.UTF-8 -%{python_expand export PYTHONPATH=%{buildroot}%{$python_sitelib} -py.test-%{$python_bin_suffix} joblib -} +%pytest %files %{python_files} %license LICENSE.txt ++++++ numpy16.patch ++++++ >From 0f1f647a8e2310a2291ea9ffab8c8336fc01f2c7 Mon Sep 17 00:00:00 2001 From: Olivier Grisel <[email protected]> Date: Wed, 29 May 2019 15:52:38 +0200 Subject: [PATCH] DOC emphasize security sensitivity of joblib.load (#879) --- joblib/numpy_pickle.py | 4 ++++ joblib/numpy_pickle_compat.py | 14 +++++++++++--- 4 files changed, 44 insertions(+), 3 deletions(-) diff --git a/joblib/numpy_pickle.py b/joblib/numpy_pickle.py index bae0df31..bd807db2 100644 --- a/joblib/numpy_pickle.py 
+++ b/joblib/numpy_pickle.py @@ -550,6 +550,10 @@ def load(filename, mmap_mode=None): Read more in the :ref:`User Guide <persistence>`. + WARNING: joblib.load relies on the pickle module and can therefore + execute arbitrary Python code. It should therefore never be used + to load files from untrusted sources. + Parameters ----------- filename: str, pathlib.Path, or file object. diff --git a/joblib/numpy_pickle_compat.py b/joblib/numpy_pickle_compat.py index ba8ab827..d1532415 100644 --- a/joblib/numpy_pickle_compat.py +++ b/joblib/numpy_pickle_compat.py @@ -3,6 +3,8 @@ import pickle import os import zlib +import inspect + from io import BytesIO from ._compat import PY3_OR_LATER @@ -96,9 +98,15 @@ def read(self, unpickler): # use getattr instead of self.allow_mmap to ensure backward compat # with NDArrayWrapper instances pickled with joblib < 0.9.0 allow_mmap = getattr(self, 'allow_mmap', True) - memmap_kwargs = ({} if not allow_mmap - else {'mmap_mode': unpickler.mmap_mode}) - array = unpickler.np.load(filename, **memmap_kwargs) + kwargs = {} + if allow_mmap: + kwargs['mmap_mode'] = unpickler.mmap_mode + if "allow_pickle" in inspect.signature(unpickler.np.load).parameters: + # Required in numpy 1.16.3 and later to aknowledge the security + # risk. + kwargs["allow_pickle"] = True + array = unpickler.np.load(filename, **kwargs) + # Reconstruct subclasses. This does not work with old # versions of numpy if (hasattr(array, '__array_prepare__') and
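Review bot: The new WARNING paragraph in the `load` docstring uses "therefore" in two consecutive sentences, which reads awkwardly in the one paragraph users are most likely to quote; the second can go: `WARNING: joblib.load relies on the pickle module and can therefore execute arbitrary Python code. It should never be used to load files from untrusted sources.` It may also be worth one more sentence noting that the same applies to the legacy NDArrayWrapper format handled in numpy_pickle_compat (patched in this same commit), since that path is reached through this same entry point. The body of `load` continues outside the hunk.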
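Review bot: The comment above `kwargs["allow_pickle"] = True` in `NDArrayWrapper.read` misspells "acknowledge" and does not say which risk is being accepted or why that is acceptable here; since `read` is only invoked from within an unpickler that already executes whatever the file contains, the flag re-enables loading of legacy object arrays without widening the existing trust boundary, and the comment should state that: `# numpy 1.16.3+ defaults np.load(allow_pickle=False). Legacy object arrays need it, and this` / `# path is only reached from an unpickler that already trusts the file, so it adds no new exposure.` The `inspect.signature(unpickler.np.load)` lookup is also repeated on every array read; it depends only on the `np` module, so it could presumably be evaluated once per unpickler, though the cost is likely negligible next to the load itself. `inspect.signature` can raise for callables that expose no signature, which should not apply to numpy's Python-level `load` but is worth a thought if `unpickler.np` can be something other than numpy. The body of `read` continues past the end of the hunk.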
