NumPy 1.16.6+security.2: backport CVE-2021-41496 (f2py array_from_pyobj)#9
Open
icanhasmath wants to merge 2 commits into
array_from_pyobj() built its "must have defined dimensions" error string by strcpy-ing a fixed prefix into a 200-byte stack buffer `mess` and then sprintf-ing each of up to F2PY_MAX_DIMS (40) dimension values into it in a loop, followed by a strcat. With enough negative dimensions this overflows the fixed stack buffer (CVE-2021-41496 / GHSA-f7c7-j99h-c22f; local DoS).

Port the upstream fix (numpy/numpy 271010f, PR numpy#20630, closes numpygh-19000): replace count_negative_dimensions() with find_first_negative_dimension() and emit the error via a single bounded PyErr_Format() reporting the first offending dimension, removing the unbounded strcpy/sprintf-loop/strcat.

Kept a C89-style loop-variable declaration (this fork targets older MSVC; cf. the CVE-2021-41495 compiler-compat fixups) and verified declaration-after-statement clean. PyErr_Format and NPY_INTP_FMT are available in 1.16.6.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
ActiveState security release on the 1.16.6 line, backporting the CVE-2021-41496 fix in f2py array_from_pyobj.

- Bump the version to the PEP 440 local form 1.16.6+security.2 in setup.py so the installed package self-reports the security level (N counts AS security releases on this line; 1.16.6.1 == security.1). Verified NumpyVersion() tolerates the +local label (its leading-version regex is unanchored).
- Add doc/release/1.16.6+security.2-notes.rst and the matching changelog, recording the CVE-2021-41496 fix plus the two advisories assessed as not applicable (CVE-2021-33430 already mitigated here; CVE-2021-34141 disputed, no security impact / no upstream fix).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
ActiveState security release on the 1.16.6 line (DE-8118).

Fixed

array_from_pyobj error path: it built a "must have defined dimensions" message into a fixed 200-byte mess[] buffer via strcpy + a sprintf loop over up to F2PY_MAX_DIMS (40) dims + strcat, which can overflow with enough negative dimensions (local DoS). Backported upstream 271010f1037150e9 (PR "BUG: f2py: Simplify creation of an exception message." numpy/numpy#20630, closes "Potential buffer-overflow from string operations in function array_from_pyobj of fortranobject.c" numpy/numpy#19000): replaces count_negative_dimensions() with find_first_negative_dimension() and emits a single bounded PyErr_Format(). Kept a C89-style loop var for older-MSVC compatibility (cf. the CVE-2021-41495 compiler fixups).

Assessed — not applicable (table-only)

- CVE-2021-33430: nd > NPY_MAXDIMS guard is present at ctors.c:934, ahead of the descr->subarray memcpy.
- CVE-2021-34141: strncmp only affects a DeprecationWarning, not the resolved dtype. No upstream security fix.

Release

1.16.6+security.2 in setup.py so the installed package self-reports the security level (1.16.6.1 == security.1). doc/release/1.16.6+security.2-notes.rst + changelog.

Validation

C89 syntax-checked (incl. -Wdeclaration-after-statement); setup.py compiles and reports 1.16.6+security.2; NumpyVersion() tolerates the +local label. The f2py change is not runnable in this environment (build-generated _numpyconfig.h); it relies on the build pipeline (upstream shipped the same change without an added test).
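The two message-building shapes the PR contrasts, as an added C example that is not code from this PR, from fortranobject.c, or from NumPy. It models the pre-fix pattern (count negatives, then strcpy a prefix and sprintf every dimension into a 200-byte buffer) by measuring how many bytes that pattern would need instead of actually writing past a fixed buffer, and places the post-fix pattern (find the first negative dimension, emit one bounded message) beside it. The message text, the `MSG_PREFIX`/`MSG_SUFFIX` constants, the `npy_intp` typedef and the `format_dim_error`/`fill_dims` helpers are constructed stand-ins; `snprintf` into a caller-supplied buffer stands in for `PyErr_Format` so the example runs without Python.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* F2PY_MAX_DIMS and the 200-byte buffer size are the figures the PR cites.
 * MSG_PREFIX/MSG_SUFFIX are a constructed stand-in for the real message,
 * not the exact text from fortranobject.c. */
#define F2PY_MAX_DIMS 40
#define MESS_SIZE 200
#define MSG_PREFIX "failed to create array -- must have defined dimensions, but got ("
#define MSG_SUFFIX ")\n"

typedef long npy_intp; /* stand-in for NumPy's npy_intp */

/* Constructed helper: set every dimension of a shape to one value. */
static void fill_dims(npy_intp *dims, int rank, npy_intp value)
{
    int i;
    for (i = 0; i < rank; ++i) {
        dims[i] = value;
    }
}

/* Pre-fix shape: count the negative dimensions first... */
static int count_negative_dimensions(int rank, const npy_intp *dims)
{
    int i, n = 0;
    for (i = 0; i < rank; ++i) {
        if (dims[i] < 0) {
            ++n;
        }
    }
    return n;
}

/* ...then strcpy a prefix and sprintf each dimension into a fixed buffer.
 * Instead of reproducing the overflow, this measures how many bytes that
 * unbounded sequence would write, using snprintf(NULL, 0, ...) (C99) as a
 * length-only formatter. Returns 0 when there is no error to report. */
static size_t old_message_length(int rank, const npy_intp *dims)
{
    size_t n = strlen(MSG_PREFIX);
    int i;
    if (count_negative_dimensions(rank, dims) == 0) {
        return 0;
    }
    for (i = 0; i < rank; ++i) {
        /* one sprintf per dimension; length grows with rank and magnitude */
        n += (size_t)snprintf(NULL, 0, "%ld,", dims[i]);
    }
    n += strlen(MSG_SUFFIX); /* the trailing strcat */
    return n + 1;            /* terminating NUL */
}

/* 1 if the pre-fix pattern would have written past the MESS_SIZE buffer. */
static int old_message_overflows(int rank, const npy_intp *dims)
{
    return old_message_length(rank, dims) > MESS_SIZE;
}

/* Post-fix shape: report only the first offending dimension. */
static int find_first_negative_dimension(int rank, const npy_intp *dims)
{
    int i;
    for (i = 0; i < rank; ++i) {
        if (dims[i] < 0) {
            return i;
        }
    }
    return -1;
}

/* Constructed stand-in for the single bounded PyErr_Format() call. The output
 * length no longer depends on rank: exactly one %d and one %ld are formatted,
 * and snprintf never writes more than outsz bytes. Returns the index of the
 * offending dimension, or -1 when every dimension is defined. */
static int format_dim_error(int rank, const npy_intp *dims, char *out, size_t outsz)
{
    int i = find_first_negative_dimension(rank, dims);
    if (i < 0) {
        return -1;
    }
    snprintf(out, outsz,
             "failed to create array -- dimension %d must be defined, but got %ld",
             i, dims[i]);
    return i;
}

int main(void)
{
    npy_intp dims[F2PY_MAX_DIMS];
    char mess[MESS_SIZE];
    fill_dims(dims, F2PY_MAX_DIMS, -1000000000L); /* 40 large negative dims */
    printf("old pattern needs %lu bytes for a %d-byte buffer -> %s\n",
           (unsigned long)old_message_length(F2PY_MAX_DIMS, dims), MESS_SIZE,
           old_message_overflows(F2PY_MAX_DIMS, dims) ? "OVERFLOW" : "fits");
    format_dim_error(F2PY_MAX_DIMS, dims, mess, sizeof mess);
    printf("new pattern writes %lu bytes: %s\n", (unsigned long)strlen(mess), mess);
    return 0;
}
```

The check worth keeping from this is the one `old_message_overflows` encodes: when a diagnostic is assembled from per-element pieces into a fixed buffer, its worst-case length is rank times the widest formatted element plus the fixed text, and that bound (here 40 dimensions of up to 12 characters each, well past 200) is what a review of similar error paths should compute before deciding the buffer is "big enough".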