Bug#1052454: numexpr: unnecessarily disables security check
Rebecca N. Palmer
rebecca_palmer at zoho.com
Fri Sep 22 12:16:26 BST 2023
Package: python3-numexpr
Version: 2.8.6-2
Severity: serious
Justification: block testing migration of a known security hole
Tags: patch
numexpr 2.8.5 introduced a security check, which was initially buggy
enough to break pyfai and pandas (#1049326). Fixes for this were sent
upstream, but only some of them made it into numexpr 2.8.6.
Hence, Debian 2.8.6-2 disabled this security check. However, this is
not actually necessary to fix these bugs, and reopens a code execution
security hole if numexpr is used to parse untrusted input.
This is fixed by the fix1049326v2 branch in Salsa. This fix has also
been sent upstream as https://github.com/pydata/numexpr/pull/452.
(Sorry that this didn't get to you earlier - I tried to post to
#1049326, and didn't notice the error message that posting to archived
bugs is not allowed.)
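The hole the report refers to is that an expression string reaching numexpr from an untrusted source can carry more than arithmetic. The following is an added illustration, not code from this report, from numexpr or from Debian, of the kind of allow-list check that confines a user-supplied expression to arithmetic over known variable names before it reaches any evaluator. The function names, the node allow-list, the ALLOWED_FUNCS set and the UnsafeExpression class are assumptions of this example and say nothing about how numexpr's own validate() is implemented.

```python
import ast

# Hypothetical allow-list validator (example only, not numexpr's own check).
# Function names permitted in calls; assumed for this example.
ALLOWED_FUNCS = {"sqrt", "exp", "log", "sin", "cos", "abs", "where"}

# AST node types that can appear in a pure arithmetic/boolean expression.
# Operator and context nodes (ast.Add, ast.Load, ...) are yielded by
# ast.walk too, so they must be listed explicitly.
ALLOWED_NODES = (
    ast.Expression, ast.BinOp, ast.UnaryOp, ast.BoolOp, ast.Compare,
    ast.Name, ast.Constant, ast.Call, ast.Load,
    ast.Add, ast.Sub, ast.Mult, ast.Div, ast.FloorDiv, ast.Mod, ast.Pow,
    ast.USub, ast.UAdd, ast.Invert, ast.Not, ast.And, ast.Or,
    ast.Eq, ast.NotEq, ast.Lt, ast.LtE, ast.Gt, ast.GtE,
    ast.BitAnd, ast.BitOr, ast.BitXor, ast.LShift, ast.RShift,
)


class UnsafeExpression(ValueError):
    """Raised when an expression contains anything beyond plain arithmetic."""


def check_expression(expr, variables):
    """Raise UnsafeExpression unless `expr` is arithmetic over `variables`.

    Rejects attribute access, subscripts, lambdas, comprehensions, string
    literals, dunder names, unknown names and calls to anything outside
    ALLOWED_FUNCS. Returns True when the expression passes.
    """
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError as exc:
        raise UnsafeExpression(f"not parseable: {exc}") from None

    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED_NODES):
            # Attribute, Subscript, Lambda, JoinedStr, ... all land here.
            raise UnsafeExpression(f"disallowed syntax: {type(node).__name__}")
        if isinstance(node, ast.Name):
            if node.id.startswith("__"):
                raise UnsafeExpression(f"dunder name: {node.id}")
            if node.id not in variables and node.id not in ALLOWED_FUNCS:
                raise UnsafeExpression(f"unknown name: {node.id}")
        if isinstance(node, ast.Call):
            if not isinstance(node.func, ast.Name) or node.func.id not in ALLOWED_FUNCS:
                raise UnsafeExpression("only allow-listed function calls permitted")
            if node.keywords:
                raise UnsafeExpression("keyword arguments not permitted")
        if isinstance(node, ast.Constant) and not isinstance(
            node.value, (int, float, complex, bool)
        ):
            # Strings and bytes are the usual vehicle for smuggling code.
            raise UnsafeExpression(f"non-numeric literal: {node.value!r}")
    return True


def is_safe(expr, variables):
    """Boolean wrapper around check_expression for callers that just want a verdict."""
    try:
        return check_expression(expr, variables)
    except UnsafeExpression:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: the first two are ordinary array arithmetic,
    # the rest are the shapes of input a check like this exists to refuse.
    names = {"a", "b"}
    for sample in ("a + b * 2",
                   "sqrt(a) - abs(b)",
                   "__import__('os').system('id')",
                   "a.__class__",
                   "a[0]",
                   "(lambda: 0)()"):
        print(f"{sample!r:40} -> {'ok' if is_safe(sample, names) else 'REJECTED'}")
```

A wrapper that only accepts expressions passing check_expression, and then evaluates them with an explicitly constructed local_dict of the same variable names, never hands a caller-controlled string to an evaluator with its default namespace; that is the property the Debian package lost when the check was disabled.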