Bug#1033578: bullseye-pu: package joblib/0.17.0-4+deb11u1
Helmut Grohne
helmut at subdivi.de
Mon Mar 27 18:42:58 BST 2023
Package: release.debian.org
Tags: bullseye
User: release.debian.org at packages.debian.org
Usertags: pu
X-Debbugs-Cc: joblib at packages.debian.org, Chiara Marmo <marmochiaskl at gmail.com>, Graham Inggs <ginggs at debian.org>
Control: affects -1 + src:joblib
[ Reason ]
Fix no-dsa security vulnerability CVE-2022-21797.
[ Impact ]
The n_jobs parameter of the parallel_backend, which used to accept a string
containing a Python expression, is now restricted to fairly basic
arithmetic expressions. Using it in any other way was not intended.
[ Tests ]
Upstream test suite is extended and run during build.
[ Risks ]
Someone may have used n_jobs in ways not intended by upstream.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
I cherry-picked the relevant upstream commit and updated the hunk
context.
[ Other info ]
The security team tagged this vulnerability no-dsa.
Upstream had multiple attempts at fixing this and buster includes a
vulnerable patch. This cherry-pick skips the vulnerable patch and goes
to the real fix directly.
I am not interested in refining the update (unless it also affects
buster). This is a drive-by contribution as part of an LTS upload.
Helmut
-------------- next part --------------
diff --minimal -Nru joblib-0.17.0/debian/changelog joblib-0.17.0/debian/changelog
--- joblib-0.17.0/debian/changelog 2021-06-12 10:19:09.000000000 +0200
+++ joblib-0.17.0/debian/changelog 2023-03-27 15:25:19.000000000 +0200
@@ -1,3 +1,10 @@
+joblib (0.17.0-4+deb11u1) bullseye; urgency=high
+
+ * Non-maintainer upload.
+ * Fix CVE-2022-21797 (Closes: #1020820)
+
+ -- Helmut Grohne <helmut at subdivi.de> Mon, 27 Mar 2023 15:25:19 +0200
+
joblib (0.17.0-4) unstable; urgency=medium
* Team upload
diff --minimal -Nru joblib-0.17.0/debian/patches/CVE-2022-21797.patch joblib-0.17.0/debian/patches/CVE-2022-21797.patch
--- joblib-0.17.0/debian/patches/CVE-2022-21797.patch 1970-01-01 01:00:00.000000000 +0100
+++ joblib-0.17.0/debian/patches/CVE-2022-21797.patch 2023-03-27 15:25:08.000000000 +0200
@@ -0,0 +1,121 @@
+From 54f4d21f098591c77b48c9acfffaa4cf0a45282b Mon Sep 17 00:00:00 2001
+From: Adrin Jalali <adrin.jalali at gmail.com>
+Date: Mon, 12 Sep 2022 17:17:28 +0200
+Subject: [PATCH] FIX parse pre-dispatch with AST instead of calling eval
+ (#1327)
+
+---
+ CHANGES.rst | 2 +-
+ joblib/_utils.py | 44 +++++++++++++++++++++++++++++++++++++++
+ joblib/parallel.py | 7 +++----
+ joblib/test/test_utils.py | 27 ++++++++++++++++++++++++
+ 4 files changed, 75 insertions(+), 5 deletions(-)
+ create mode 100644 joblib/_utils.py
+ create mode 100644 joblib/test/test_utils.py
+
+diff --git a/joblib/_utils.py b/joblib/_utils.py
+new file mode 100644
+index 000000000..2dbd4f636
+--- /dev/null
++++ b/joblib/_utils.py
+@@ -0,0 +1,44 @@
++# Adapted from https://stackoverflow.com/a/9558001/2536294
++
++import ast
++import operator as op
++
++# supported operators
++operators = {
++ ast.Add: op.add,
++ ast.Sub: op.sub,
++ ast.Mult: op.mul,
++ ast.Div: op.truediv,
++ ast.FloorDiv: op.floordiv,
++ ast.Mod: op.mod,
++ ast.Pow: op.pow,
++ ast.USub: op.neg,
++}
++
++
++def eval_expr(expr):
++ """
++ >>> eval_expr('2*6')
++ 12
++ >>> eval_expr('2**6')
++ 64
++ >>> eval_expr('1 + 2*3**(4) / (6 + -7)')
++ -161.0
++ """
++ try:
++ return eval_(ast.parse(expr, mode="eval").body)
++ except (TypeError, SyntaxError, KeyError) as e:
++ raise ValueError(
++ f"{expr!r} is not a valid or supported arithmetic expression."
++ ) from e
++
++
++def eval_(node):
++ if isinstance(node, ast.Num): # <number>
++ return node.n
++ elif isinstance(node, ast.BinOp): # <left> <operator> <right>
++ return operators[type(node.op)](eval_(node.left), eval_(node.right))
++ elif isinstance(node, ast.UnaryOp): # <operator> <operand> e.g., -1
++ return operators[type(node.op)](eval_(node.operand))
++ else:
++ raise TypeError(node)
+diff --git a/joblib/parallel.py b/joblib/parallel.py
+index 1c2fe18f7..6e7b1b19a 100644
+--- a/joblib/parallel.py
++++ b/joblib/parallel.py
+@@ -27,6 +27,7 @@
+ LokyBackend)
+ from .externals.cloudpickle import dumps, loads
+ from .externals import loky
++from ._utils import eval_expr
+
+ # Make sure that those two classes are part of the public joblib.parallel API
+ # so that 3rd party backend implementers can import them from here.
+@@ -1051,7 +1052,9 @@ def _batched_calls_reducer_callback():
+ else:
+ self._original_iterator = iterator
+ if hasattr(pre_dispatch, 'endswith'):
+- pre_dispatch = eval(pre_dispatch)
++ pre_dispatch = eval_expr(
++ pre_dispatch.replace("n_jobs", str(n_jobs))
++ )
+ self._pre_dispatch_amount = pre_dispatch = int(pre_dispatch)
+
+ # The main thread will consume the first pre_dispatch items and
+diff --git a/joblib/test/test_utils.py b/joblib/test/test_utils.py
+new file mode 100644
+index 000000000..4999a212c
+--- /dev/null
++++ b/joblib/test/test_utils.py
+@@ -0,0 +1,27 @@
++import pytest
++
++from joblib._utils import eval_expr
++
++
++ at pytest.mark.parametrize(
++ "expr",
++ ["exec('import os')", "print(1)", "import os", "1+1; import os", "1^1"],
++)
++def test_eval_expr_invalid(expr):
++ with pytest.raises(
++ ValueError, match="is not a valid or supported arithmetic"
++ ):
++ eval_expr(expr)
++
++
++ at pytest.mark.parametrize(
++ "expr, result",
++ [
++ ("2*6", 12),
++ ("2**6", 64),
++ ("1 + 2*3**(4) / (6 + -7)", -161.0),
++ ("(20 // 3) % 5", 1),
++ ],
++)
++def test_eval_expr_valid(expr, result):
++ assert eval_expr(expr) == result
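Review bot: The BinOp branch of `eval_` in the new joblib/_utils.py still maps `ast.Pow` to `op.pow` with no bound on either operand, so a pre_dispatch string with a very large exponent is accepted and can stall the process or exhaust memory before the `int(pre_dispatch)` conversion in parallel.py is reached. The whitelist approach is otherwise sound: names, calls and attributes are not handled and fall through to `TypeError`, which `eval_expr` turns into the documented `ValueError`. Because that wrapper only catches `TypeError`, `SyntaxError` and `KeyError`, a bound is best raised as `TypeError` so the message stays consistent, e.g. in the BinOp branch `left, right = eval_(node.left), eval_(node.right)` followed by `if isinstance(node.op, ast.Pow) and abs(right) > 64: raise TypeError(node)` before applying the operator. Exposure is limited in practice since pre_dispatch is an API parameter supplied by the calling code rather than by end users, but the Debian patch could carry the guard with a one-line comment saying why. `ast.Num` is also a deprecated alias on the Python 3.9 shipped in bullseye; it works here, but `ast.Constant` with an explicit numeric type check is the forward-compatible spelling.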
diff --minimal -Nru joblib-0.17.0/debian/patches/series joblib-0.17.0/debian/patches/series
--- joblib-0.17.0/debian/patches/series 2021-05-05 12:10:28.000000000 +0200
+++ joblib-0.17.0/debian/patches/series 2023-03-27 15:25:08.000000000 +0200
@@ -2,3 +2,4 @@
deb_collect_ignore_setup
deb_test_memory
big-endian.patch
+CVE-2022-21797.patch