import numpy-1.14.2-13.module+el8.1.0+3323+7ac3e00f

2019-11-05 15:55:26 -05:00 · 2019-11-05 15:55:26 -05:00 · b36f6c6982
commit b36f6c6982
parent 83d8f48b37
3 changed files with 3055 additions and 5 deletions
--- a/SOURCES/numpy-1.14.2-CVE-2019-6446.patch
+++ b/SOURCES/numpy-1.14.2-CVE-2019-6446.patch
@ -0,0 +1,166 @@
+From 0fcfa065d900040c80628b31b8b6ea606c131086 Mon Sep 17 00:00:00 2001
+From: Paul Ivanov <pivanov5@bloomberg.net>
+Date: Wed, 30 Jan 2019 14:22:44 -0800
+Subject: [PATCH] BUG: load fails when using pickle without allow_pickle=True
+
+a partial mitigation of #12759.
+
+see also https://nvd.nist.gov/vuln/detail/CVE-2019-6446
+---
+ numpy/core/tests/test_regression.py |  2 +-
+ numpy/lib/format.py                 |  8 ++++++--
+ numpy/lib/npyio.py                  | 17 ++++++++++++-----
+ numpy/lib/tests/test_format.py      | 15 +++++++++------
+ numpy/lib/tests/test_io.py          |  2 +-
+ 5 files changed, 29 insertions(+), 15 deletions(-)
+
+diff --git a/numpy/core/tests/test_regression.py b/numpy/core/tests/test_regression.py
+index a3b0114..2be6bf3 100644
+--- a/numpy/core/tests/test_regression.py
+++ b/numpy/core/tests/test_regression.py
+@@ -96,7 +96,7 @@ class TestRegression(object):
+         ca = np.char.array(np.arange(1000, 1010), itemsize=4)
+         ca.dump(f)
+         f.seek(0)
+-        ca = np.load(f)
+        ca = np.load(f, allow_pickle=True)
+         f.close()
+ 
+     def test_noncontiguous_fill(self):
+diff --git a/numpy/lib/format.py b/numpy/lib/format.py
+index 363bb21..b91142c 100644
+--- a/numpy/lib/format.py
+++ b/numpy/lib/format.py
+@@ -602,7 +602,7 @@ def write_array(fp, array, version=None, allow_pickle=True, pickle_kwargs=None):
+                 fp.write(chunk.tobytes('C'))
+ 
+ 
+-def read_array(fp, allow_pickle=True, pickle_kwargs=None):
+def read_array(fp, allow_pickle=False, pickle_kwargs=None):
+     """
+     Read an array from an NPY file.
+ 
+@@ -612,7 +612,11 @@ def read_array(fp, allow_pickle=True, pickle_kwargs=None):
+         If this is not a real file object, then this may take extra memory
+         and time.
+     allow_pickle : bool, optional
+-        Whether to allow reading pickled data. Default: True
+        Whether to allow writing pickled data. Default: False
+
+        .. versionchanged:: 1.14.2
+            Made default False in response to CVE-2019-6446.
+
+     pickle_kwargs : dict
+         Additional keyword arguments to pass to pickle.load. These are only
+         useful when loading object arrays saved on Python 2 when using
+diff --git a/numpy/lib/npyio.py b/numpy/lib/npyio.py
+index 76b135c..c6522f5 100644
+--- a/numpy/lib/npyio.py
+++ b/numpy/lib/npyio.py
+@@ -130,7 +130,11 @@ class NpzFile(object):
+         An object on which attribute can be performed as an alternative
+         to getitem access on the `NpzFile` instance itself.
+     allow_pickle : bool, optional
+-        Allow loading pickled data. Default: True
+        Allow loading pickled data. Default: False
+
+        .. versionchanged:: 1.14.2
+            Made default False in response to CVE-2019-6446.
+
+     pickle_kwargs : dict, optional
+         Additional keyword arguments to pass on to pickle.load.
+         These are only useful when loading object arrays saved on
+@@ -166,7 +170,7 @@ class NpzFile(object):
+ 
+     """
+ 
+-    def __init__(self, fid, own_fid=False, allow_pickle=True,
+    def __init__(self, fid, own_fid=False, allow_pickle=False,
+                  pickle_kwargs=None):
+         # Import is postponed to here since zipfile depends on gzip, an
+         # optional component of the so-called standard library.
+@@ -265,7 +269,7 @@ class NpzFile(object):
+         return self.files.__contains__(key)
+ 
+ 
+-def load(file, mmap_mode=None, allow_pickle=True, fix_imports=True,
+def load(file, mmap_mode=None, allow_pickle=False, fix_imports=True,
+          encoding='ASCII'):
+     """
+     Load arrays or pickled objects from ``.npy``, ``.npz`` or pickled files.
+@@ -287,8 +291,11 @@ def load(file, mmap_mode=None, allow_pickle=True, fix_imports=True,
+         Allow loading pickled object arrays stored in npy files. Reasons for
+         disallowing pickles include security, as loading pickled data can
+         execute arbitrary code. If pickles are disallowed, loading object
+-        arrays will fail.
+-        Default: True
+        arrays will fail. Default: False
+
+        .. versionchanged:: 1.14.2
+            Made default False in response to CVE-2019-6446.
+
+     fix_imports : bool, optional
+         Only useful when loading Python 2 generated pickled files on Python 3,
+         which includes npy/npz files containing object arrays. If `fix_imports`
+diff --git a/numpy/lib/tests/test_format.py b/numpy/lib/tests/test_format.py
+index 2d2b4ce..04e090c 100644
+--- a/numpy/lib/tests/test_format.py
+++ b/numpy/lib/tests/test_format.py
+@@ -426,7 +426,7 @@ def roundtrip(arr):
+     f = BytesIO()
+     format.write_array(f, arr)
+     f2 = BytesIO(f.getvalue())
+-    arr2 = format.read_array(f2)
+    arr2 = format.read_array(f2, allow_pickle=True)
+     return arr2
+ 
+ 
+@@ -553,7 +553,7 @@ def test_pickle_python2_python3():
+         path = os.path.join(data_dir, fname)
+ 
+         for encoding in ['bytes', 'latin1']:
+-            data_f = np.load(path, encoding=encoding)
+            data_f = np.load(path, allow_pickle=True, encoding=encoding)
+             if fname.endswith('.npz'):
+                 data = data_f['x']
+                 data_f.close()
+@@ -575,16 +575,19 @@ def test_pickle_python2_python3():
+         if sys.version_info[0] >= 3:
+             if fname.startswith('py2'):
+                 if fname.endswith('.npz'):
+-                    data = np.load(path)
+                    data = np.load(path, allow_pickle=True)
+                     assert_raises(UnicodeError, data.__getitem__, 'x')
+                     data.close()
+-                    data = np.load(path, fix_imports=False, encoding='latin1')
+                    data = np.load(path, allow_pickle=True, fix_imports=False,
+                                   encoding='latin1')
+                     assert_raises(ImportError, data.__getitem__, 'x')
+                     data.close()
+                 else:
+-                    assert_raises(UnicodeError, np.load, path)
+                    assert_raises(UnicodeError, np.load, path,
+                                  allow_pickle=True)
+                     assert_raises(ImportError, np.load, path,
+-                                  encoding='latin1', fix_imports=False)
+                                  allow_pickle=True, fix_imports=False,
+                                  encoding='latin1')
+ 
+ 
+ def test_pickle_disallow():
+diff --git a/numpy/lib/tests/test_io.py b/numpy/lib/tests/test_io.py
+index 2daa015..bde2567 100644
+--- a/numpy/lib/tests/test_io.py
+++ b/numpy/lib/tests/test_io.py
+@@ -87,7 +87,7 @@ class RoundtripTest(object):
+ 
+         """
+         save_kwds = kwargs.get('save_kwds', {})
+-        load_kwds = kwargs.get('load_kwds', {})
+        load_kwds = kwargs.get('load_kwds', {"allow_pickle": True})
+         file_on_disk = kwargs.get('file_on_disk', False)
+ 
+         if file_on_disk:
+-- 
+2.21.0
+
--- a/SOURCES/numpy-1.14.2-float128.patch
+++ b/SOURCES/numpy-1.14.2-float128.patch
--- a/SPECS/numpy.spec
+++ b/SPECS/numpy.spec
@ -12,7 +12,7 @@

 Name:           numpy
 Version:        1.14.2
-Release:        10%{?dist}
+Release:        13%{?dist}
 Epoch:          1
 Summary:        A fast multidimensional array facility for Python

@ -21,7 +21,9 @@ Group:          Development/Languages
 License:        BSD and Python
 URL:            http://www.numpy.org/
 Source0:        https://github.com/%{name}/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.gz
-Source1:	https://docs.scipy.org/doc/numpy/numpy-html-1.13.0.zip
+Source1:        https://docs.scipy.org/doc/numpy/numpy-html-1.13.0.zip
+Patch0:         numpy-1.14.2-float128.patch
+Patch1:         numpy-1.14.2-CVE-2019-6446.patch

 BuildRequires:  python2-devel lapack-devel python2-setuptools gcc-gfortran python2-nose
 BuildRequires:  /usr/bin/sed
@ -133,6 +135,8 @@ This package provides the complete documentation for NumPy.
 %prep
 %setup -q -n %{name}-%{version}%{?relc}
 #%setup -q -n numpy-cc2b04
+%patch0 -p1
+%patch1 -p1

 # workaround for rhbz#849713
 # http://mail.scipy.org/pipermail/numpy-discussion/2012-July/063530.html
@ -162,6 +166,7 @@ cp -a . %{py3dir}
 %endif

 %build
+%set_build_flags
 %if %{with python3}
 pushd %{py3dir}
 %ifarch %{openblas_arches}
@ -329,9 +334,21 @@ popd &> /dev/null


 %changelog
-* Wed Apr 03 2019 Tomas Orsava <torsava@redhat.com> - 1.14.2-10
- Bumping due to problems with modular RPM upgrade path (#1695587)
- Related: rhbz#1693974
+* Wed Jun 05 2019 Nikola Forró <nforro@redhat.com> - 1:1.14.2-13
+- Fix CVE-2019-6446
+- Resolves: rhbz#1668829
+
+* Thu May 30 2019 Charalampos Stratakis <cstratak@redhat.com> - 1.14.2-12
+- Set proper build flags for https://fedoraproject.org/wiki/Changes/Python_Extension_Flags
+- Resolves: rhbz#1715036
+
+* Thu May 30 2019 Nikola Forró <nforro@redhat.com> - 1.14.2-11
+- Fix broken float128 on all arches except x86_64
+- Resolves: rhbz#1688709
+
+* Thu Apr 25 2019 Tomas Orsava <torsava@redhat.com> - 1.14.2-10
+- Bumping due to problems with modular RPM upgrade path
+- Resolves: rhbz#1695587

 * Tue Oct 09 2018 Lumír Balhar <lbalhar@redhat.com> - 1:1.14.2-9
 - Remove unversioned provides