[arch-commits] Commit in python-numpy/trunk (PKGBUILD numpy-insecure-mktemp-use.patch)
Date: Friday, April 4, 2014 @ 08:03:09 Author: fyan Revision: 209781 upgpkg: python-numpy 1.8.1-1 Modified: python-numpy/trunk/PKGBUILD Deleted: python-numpy/trunk/numpy-insecure-mktemp-use.patch -+ PKGBUILD| 14 -- numpy-insecure-mktemp-use.patch | 263 -- 2 files changed, 4 insertions(+), 273 deletions(-) Modified: PKGBUILD === --- PKGBUILD2014-04-04 05:24:27 UTC (rev 209780) +++ PKGBUILD2014-04-04 06:03:09 UTC (rev 209781) @@ -5,8 +5,8 @@ pkgbase=python-numpy pkgname=('python2-numpy' 'python-numpy') -pkgver=1.8.0 -pkgrel=3 +pkgver=1.8.1 +pkgrel=1 pkgdesc="Scientific tools for Python" arch=('i686' 'x86_64') license=('custom') @@ -13,16 +13,10 @@ url="http://www.numpy.org/"; makedepends=('lapack' 'python' 'python2' 'python-setuptools' 'python2-setuptools' 'gcc-fortran' 'python-nose' 'python2-nose') options=('staticlibs') -source=(http://downloads.sourceforge.net/numpy/numpy-${pkgver}.tar.gz -numpy-insecure-mktemp-use.patch) -md5sums=('2a4b0423a758706d592abb6721ec8dcd' - '2caf84740b54dcb5fa1d47e72201f294') +source=(http://downloads.sourceforge.net/numpy/numpy-${pkgver}.tar.gz) +md5sums=('be95babe263bfa3428363d6db5b64678') prepare() { - cd numpy-$pkgver - patch -Np1 -i ../numpy-insecure-mktemp-use.patch - cd .. - cp -a numpy-$pkgver numpy-py2-$pkgver cd numpy-py2-$pkgver Deleted: numpy-insecure-mktemp-use.patch === --- numpy-insecure-mktemp-use.patch 2014-04-04 05:24:27 UTC (rev 209780) +++ numpy-insecure-mktemp-use.patch 2014-04-04 06:03:09 UTC (rev 209781) @@ -1,263 +0,0 @@ a/numpy/lib/tests/test_io.py 2013-10-30 19:32:51.0 +0100 -+++ b/numpy/lib/tests/test_io.py 2014-02-10 08:30:12.903607138 +0100 -@@ -4,7 +4,9 @@ - import gzip - import os - import threading --from tempfile import mkstemp, mktemp, NamedTemporaryFile -+import shutil -+import contextlib -+from tempfile import mkstemp, mkdtemp, NamedTemporaryFile - import time - import warnings - import gc -@@ -21,6 +23,12 @@ - assert_raises, run_module_suite) - from numpy.testing import assert_warns, assert_, build_err_msg - -+@contextlib.contextmanager -+def tempdir(change_dir=False): -+tmpdir = mkdtemp() -+yield tmpdir -+shutil.rmtree(tmpdir) -+ - - class TextIO(BytesIO): - """Helper IO class. -@@ -145,14 +153,14 @@ - @np.testing.dec.slow - def test_big_arrays(self): - L = (1 << 31) + 10 --tmp = mktemp(suffix='.npz') - a = np.empty(L, dtype=np.uint8) --np.savez(tmp, a=a) --del a --npfile = np.load(tmp) --a = npfile['a'] --npfile.close() --os.remove(tmp) -+with tempdir() as tmpdir: -+tmp = open(os.path.join(tmpdir, "file.npz"), "w") -+np.savez(tmp, a=a) -+del a -+npfile = np.load(tmp) -+a = npfile['a'] -+npfile.close() - - def test_multiple_arrays(self): - a = np.array([[1, 2], [3, 4]], float) -commit 0bb46c1448b0d3f5453d5182a17ea7ac5854ee15 -Author: Julian Taylor -Date: Wed Feb 5 23:01:47 2014 +0100 - -ENH: remove insecure mktemp use - -mktemp only returns a filename, a malicous user could replace it before -it gets used. - -diff --git a/numpy/core/tests/test_memmap.py b/numpy/core/tests/test_memmap.py -index 6de6319..10e7a08 100644 a/numpy/core/tests/test_memmap.py -+++ b/numpy/core/tests/test_memmap.py -@@ -1,7 +1,7 @@ - from __future__ import division, absolute_import, print_function - - import sys --from tempfile import NamedTemporaryFile, TemporaryFile, mktemp -+from tempfile import NamedTemporaryFile, TemporaryFile - import os - - from numpy import memmap -@@ -33,12 +33,11 @@ class TestMemmap(TestCase): - assert_array_equal(self.data, newfp) - - def test_open_with_filename(self): --tmpname = mktemp('', 'mmap') --fp = memmap(tmpname, dtype=self.dtype, mode='w+', -- shape=self.shape) --fp[:] = self.data[:] --del fp --os.unlink(tmpname) -+with NamedTemporaryFile() as tmp: -+fp = memmap(tmp.name, dtype=self.dtype, mode='w+', -+shape=self.shape) -+fp[:] = self.data[:] -+del fp - - def test_unnamed_file(self): - with TemporaryFile() as f: -@@ -55,17 +54,16 @@ class TestMemmap(TestCase): - del fp - - def test_filename(self): --tmpname = mktemp('', 'mmap') --fp = memmap(tmpname, dtype=self.dtype, mode='w+', -- shape=self.shape) --abspath = os.path.abspath(tmpname) --fp[:] = self.data[:] --self.assertEqual(abspath, fp.filename) --b = fp[:1] --self.assertEqual(abspath, b.filename)
[arch-commits] Commit in python-numpy/trunk (PKGBUILD numpy-insecure-mktemp-use.patch)
Date: Tuesday, February 11, 2014 @ 13:33:07 Author: jgc Revision: 205835 upgpkg: python-numpy 1.8.0-2 Fix CVE2014-1858 and CVE2014-1859 (FS#38863) Added: python-numpy/trunk/numpy-insecure-mktemp-use.patch Modified: python-numpy/trunk/PKGBUILD -+ PKGBUILD| 12 + numpy-insecure-mktemp-use.patch | 263 ++ 2 files changed, 272 insertions(+), 3 deletions(-) Modified: PKGBUILD === --- PKGBUILD2014-02-11 11:49:26 UTC (rev 205834) +++ PKGBUILD2014-02-11 12:33:07 UTC (rev 205835) @@ -6,7 +6,7 @@ pkgbase=python-numpy pkgname=('python2-numpy' 'python-numpy') pkgver=1.8.0 -pkgrel=1 +pkgrel=2 pkgdesc="Scientific tools for Python" arch=('i686' 'x86_64') license=('custom') @@ -13,10 +13,16 @@ url="http://www.numpy.org/"; makedepends=('lapack' 'python' 'python2' 'python-setuptools' 'python2-setuptools' 'gcc-fortran' 'python-nose' 'python2-nose') options=('staticlibs') -source=(http://downloads.sourceforge.net/numpy/numpy-${pkgver}.tar.gz) -md5sums=('2a4b0423a758706d592abb6721ec8dcd') +source=(http://downloads.sourceforge.net/numpy/numpy-${pkgver}.tar.gz +numpy-insecure-mktemp-use.patch) +md5sums=('2a4b0423a758706d592abb6721ec8dcd' + '2caf84740b54dcb5fa1d47e72201f294') prepare() { + cd numpy-$pkgver + patch -Np1 -i ../numpy-insecure-mktemp-use.patch + cd .. + cp -a numpy-$pkgver numpy-py2-$pkgver cd numpy-py2-$pkgver Added: numpy-insecure-mktemp-use.patch === --- numpy-insecure-mktemp-use.patch (rev 0) +++ numpy-insecure-mktemp-use.patch 2014-02-11 12:33:07 UTC (rev 205835) @@ -0,0 +1,263 @@ +--- a/numpy/lib/tests/test_io.py 2013-10-30 19:32:51.0 +0100 b/numpy/lib/tests/test_io.py 2014-02-10 08:30:12.903607138 +0100 +@@ -4,7 +4,9 @@ + import gzip + import os + import threading +-from tempfile import mkstemp, mktemp, NamedTemporaryFile ++import shutil ++import contextlib ++from tempfile import mkstemp, mkdtemp, NamedTemporaryFile + import time + import warnings + import gc +@@ -21,6 +23,12 @@ + assert_raises, run_module_suite) + from numpy.testing import assert_warns, assert_, build_err_msg + ++@contextlib.contextmanager ++def tempdir(change_dir=False): ++tmpdir = mkdtemp() ++yield tmpdir ++shutil.rmtree(tmpdir) ++ + + class TextIO(BytesIO): + """Helper IO class. +@@ -145,14 +153,14 @@ + @np.testing.dec.slow + def test_big_arrays(self): + L = (1 << 31) + 10 +-tmp = mktemp(suffix='.npz') + a = np.empty(L, dtype=np.uint8) +-np.savez(tmp, a=a) +-del a +-npfile = np.load(tmp) +-a = npfile['a'] +-npfile.close() +-os.remove(tmp) ++with tempdir() as tmpdir: ++tmp = open(os.path.join(tmpdir, "file.npz"), "w") ++np.savez(tmp, a=a) ++del a ++npfile = np.load(tmp) ++a = npfile['a'] ++npfile.close() + + def test_multiple_arrays(self): + a = np.array([[1, 2], [3, 4]], float) +commit 0bb46c1448b0d3f5453d5182a17ea7ac5854ee15 +Author: Julian Taylor +Date: Wed Feb 5 23:01:47 2014 +0100 + +ENH: remove insecure mktemp use + +mktemp only returns a filename, a malicous user could replace it before +it gets used. + +diff --git a/numpy/core/tests/test_memmap.py b/numpy/core/tests/test_memmap.py +index 6de6319..10e7a08 100644 +--- a/numpy/core/tests/test_memmap.py b/numpy/core/tests/test_memmap.py +@@ -1,7 +1,7 @@ + from __future__ import division, absolute_import, print_function + + import sys +-from tempfile import NamedTemporaryFile, TemporaryFile, mktemp ++from tempfile import NamedTemporaryFile, TemporaryFile + import os + + from numpy import memmap +@@ -33,12 +33,11 @@ class TestMemmap(TestCase): + assert_array_equal(self.data, newfp) + + def test_open_with_filename(self): +-tmpname = mktemp('', 'mmap') +-fp = memmap(tmpname, dtype=self.dtype, mode='w+', +- shape=self.shape) +-fp[:] = self.data[:] +-del fp +-os.unlink(tmpname) ++with NamedTemporaryFile() as tmp: ++fp = memmap(tmp.name, dtype=self.dtype, mode='w+', ++shape=self.shape) ++fp[:] = self.data[:] ++del fp + + def test_unnamed_file(self): + with TemporaryFile() as f: +@@ -55,17 +54,16 @@ class TestMemmap(TestCase): + del fp + + def test_filename(self): +-tmpname = mktemp('', 'mmap') +-fp = memmap(tmpname, dtype=self.dtype, mode='w+', +- shape=self.shape) +-abspath = os.path.abspath(tmpname) +-fp[:] = self.data[:] +-self.assertEqual(abspath, fp.filename) +-b = fp[:1] +-self.assertEq