Package: release.debian.org Tags: bullseye User: release.debian....@packages.debian.org Usertags: pu X-Debbugs-Cc: job...@packages.debian.org, Chiara Marmo <marmochia...@gmail.com>, Graham Inggs <gin...@debian.org> Control: affects -1 + src:joblib
[ Reason ] Fix no-dsa security vulnerability CVE-2022-21797. [ Impact ] The n_jobs parameter of the parallel_backend, which used to be a string containing a Python expression, becomes restricted to fairly basic arithmetic expressions. Using it in another way was not intended. [ Tests ] Upstream test suite is extended and run during build. [ Risks ] Someone may have used n_jobs in ways not intended by upstream. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable [ Changes ] I cherry-picked the relevant upstream commit and updated the hunk context. [ Other info ] The security team tagged this vulnerability no-dsa. Upstream had multiple attempts at fixing this and buster includes a vulnerable patch. This cherry-pick skips the vulnerable patch and goes to the real fix directly. I am not interested in refining the update (unless it also affects buster). This is a drive-by contribution as part of an LTS upload. Helmut
diff --minimal -Nru joblib-0.17.0/debian/changelog joblib-0.17.0/debian/changelog
--- joblib-0.17.0/debian/changelog 2021-06-12 10:19:09.000000000 +0200
+++ joblib-0.17.0/debian/changelog 2023-03-27 15:25:19.000000000 +0200
@@ -1,3 +1,10 @@
+joblib (0.17.0-4+deb11u1) bullseye; urgency=high
+
+ * Non-maintainer upload.
+ * Fix CVE-2022-21797 (Closes: #1020820)
+
+ -- Helmut Grohne <hel...@subdivi.de> Mon, 27 Mar 2023 15:25:19 +0200
+
 joblib (0.17.0-4) unstable; urgency=medium
 
 * Team upload
diff --minimal -Nru joblib-0.17.0/debian/patches/CVE-2022-21797.patch joblib-0.17.0/debian/patches/CVE-2022-21797.patch
--- joblib-0.17.0/debian/patches/CVE-2022-21797.patch 1970-01-01 01:00:00.000000000 +0100
+++ joblib-0.17.0/debian/patches/CVE-2022-21797.patch 2023-03-27 15:25:08.000000000 +0200
@@ -0,0 +1,121 @@
+From 54f4d21f098591c77b48c9acfffaa4cf0a45282b Mon Sep 17 00:00:00 2001
+From: Adrin Jalali <adrin.jal...@gmail.com>
+Date: Mon, 12 Sep 2022 17:17:28 +0200
+Subject: [PATCH] FIX parse pre-dispatch with AST instead of calling eval
+ (#1327)
+
+---
+ CHANGES.rst | 2 +-
+ joblib/_utils.py | 44 +++++++++++++++++++++++++++++++++++++++
+ joblib/parallel.py | 7 +++----
+ joblib/test/test_utils.py | 27 ++++++++++++++++++++++++
+ 4 files changed, 75 insertions(+), 5 deletions(-)
+ create mode 100644 joblib/_utils.py
+ create mode 100644 joblib/test/test_utils.py
+
+diff --git a/joblib/_utils.py b/joblib/_utils.py
+new file mode 100644
+index 000000000..2dbd4f636
+--- /dev/null
++++ b/joblib/_utils.py
+@@ -0,0 +1,44 @@
++# Adapted from https://stackoverflow.com/a/9558001/2536294
++
++import ast
++import operator as op
++
++# supported operators
++operators = {
++ ast.Add: op.add,
++ ast.Sub: op.sub,
++ ast.Mult: op.mul,
++ ast.Div: op.truediv,
++ ast.FloorDiv: op.floordiv,
++ ast.Mod: op.mod,
++ ast.Pow: op.pow,
++ ast.USub: op.neg,
++}
++
++
++def eval_expr(expr):
++ """
++ >>> eval_expr('2*6')
++ 12
++ >>> eval_expr('2**6')
++ 64
++ >>> eval_expr('1 + 2*3**(4) / (6 + -7)')
++ -161.0
++ """
++ try:
++ return eval_(ast.parse(expr, mode="eval").body)
++ except (TypeError, SyntaxError, KeyError) as e:
++ raise ValueError(
++ f"{expr!r} is not a valid or supported arithmetic expression."
++ ) from e
++
++
++def eval_(node):
++ if isinstance(node, ast.Num): # <number>
++ return node.n
++ elif isinstance(node, ast.BinOp): # <left> <operator> <right>
++ return operators[type(node.op)](eval_(node.left), eval_(node.right))
++ elif isinstance(node, ast.UnaryOp): # <operator> <operand> e.g., -1
++ return operators[type(node.op)](eval_(node.operand))
++ else:
++ raise TypeError(node)
+diff --git a/joblib/parallel.py b/joblib/parallel.py
+index 1c2fe18f7..6e7b1b19a 100644
+--- a/joblib/parallel.py
++++ b/joblib/parallel.py
+@@ -27,6 +27,7 @@
+ LokyBackend)
+ from .externals.cloudpickle import dumps, loads
+ from .externals import loky
++from ._utils import eval_expr
+
+ # Make sure that those two classes are part of the public joblib.parallel API
+ # so that 3rd party backend implementers can import them from here.
+@@ -1051,7 +1052,9 @@ def _batched_calls_reducer_callback():
+ else:
+ self._original_iterator = iterator
+ if hasattr(pre_dispatch, 'endswith'):
+- pre_dispatch = eval(pre_dispatch)
++ pre_dispatch = eval_expr(
++ pre_dispatch.replace("n_jobs", str(n_jobs))
++ )
+ self._pre_dispatch_amount = pre_dispatch = int(pre_dispatch)
+
+ # The main thread will consume the first pre_dispatch items and
+diff --git a/joblib/test/test_utils.py b/joblib/test/test_utils.py
+new file mode 100644
+index 000000000..4999a212c
+--- /dev/null
++++ b/joblib/test/test_utils.py
+@@ -0,0 +1,27 @@
++import pytest
++
++from joblib._utils import eval_expr
++
++
++@pytest.mark.parametrize(
++ "expr",
++ ["exec('import os')", "print(1)", "import os", "1+1; import os", "1^1"],
++)
++def test_eval_expr_invalid(expr):
++ with pytest.raises(
++ ValueError, match="is not a valid or supported arithmetic"
++ ):
++ eval_expr(expr)
++
++
++@pytest.mark.parametrize(
++ "expr, result",
++ [
++ ("2*6", 12),
++ ("2**6", 64),
++ ("1 + 2*3**(4) / (6 + -7)", -161.0),
++ ("(20 // 3) % 5", 1),
++ ],
++)
++def test_eval_expr_valid(expr, result):
++ assert eval_expr(expr) == result
diff --minimal -Nru joblib-0.17.0/debian/patches/series joblib-0.17.0/debian/patches/series
--- joblib-0.17.0/debian/patches/series 2021-05-05 12:10:28.000000000 +0200
+++ joblib-0.17.0/debian/patches/series 2023-03-27 15:25:08.000000000 +0200
@@ -2,3 +2,4 @@
 deb_collect_ignore_setup
 deb_test_memory
 big-endian.patch
+CVE-2022-21797.patch
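Review bot: In the joblib/parallel.py hunk of the embedded CVE-2022-21797.patch, `pre_dispatch.replace("n_jobs", str(n_jobs))` splices the value in as text, so a negative n_jobs loses its grouping: `n_jobs**2` becomes `-1**2`, which the new evaluator reads as `-(1**2)` and returns -1, whereas the removed `eval` with the variable bound returned 1. Whether n_jobs can still be negative at this point depends on the backend's effective job count, which is resolved outside the hunk; wrapping the substituted value, `pre_dispatch.replace("n_jobs", f"({n_jobs})")`, makes the result independent of that either way. The evaluator in joblib/_utils.py maps only TypeError, SyntaxError and KeyError to ValueError, so `n_jobs/0` or a float overflow from `**` still escape as ZeroDivisionError or OverflowError; adding those to the except tuple, or stating the contract in eval_expr's docstring, would keep callers' error handling consistent. The enclosing method (the `self._original_iterator` assignment suggests `Parallel.__call__`) starts and ends outside the hunk.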