Your message dated Sat, 23 Sep 2023 09:49:42 +0000
with message-id <e1qjzgg-00bhqy...@fasolo.debian.org>
and subject line Bug#1052454: fixed in numexpr 2.8.6-4
has caused the Debian Bug report #1052454,
regarding numexpr: unnecessarily disables security check
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1052454: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1052454
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: python3-numexpr
Version: 2.8.6-2
Severity: serious
Justification: block testing migration of a known security hole
Tags: patch
numexpr 2.8.5 introduced a security check, which was initially buggy
enough to break pyfai and pandas (#1049326). Fixes for this were sent
upstream, but only some of them made it into numexpr 2.8.6.
Hence, Debian 2.8.6-2 disabled this security check. However, this is
not actually necessary to fix these bugs, and reopens a code execution
security hole if numexpr is used to parse untrusted input.
This is fixed by the fix1049326v2 branch in Salsa. This fix has also
been sent upstream as https://github.com/pydata/numexpr/pull/452.
(Sorry that this didn't get to you earlier - I tried to post to
#1049326, and didn't notice the error message that posting to archived
bugs is not allowed.)
--- End Message ---
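The report above touches two things at once: evaluating untrusted expression strings with the sanitize check turned off is a code-execution risk, and the original check was disabled because it also rejected legitimate input such as scientific notation. The following is an added example, not numexpr's sanitizer, the Salsa branch, or the Debian patches: a stdlib `ast` based allow-list pre-check that accepts `1.5e-3` as one literal while rejecting attribute access, subscripts, underscore names and unknown calls. The set of allowed function names is an assumption chosen for illustration.

```python
import ast

# Small allow-list of callable names; an assumption for this example,
# not numexpr's own function table.
ALLOWED_FUNCS = {"sin", "cos", "exp", "log", "sqrt", "abs", "where"}
ALLOWED_BINOPS = (ast.Add, ast.Sub, ast.Mult, ast.Div, ast.Pow, ast.Mod,
                  ast.FloorDiv, ast.BitAnd, ast.BitOr, ast.BitXor,
                  ast.LShift, ast.RShift)
ALLOWED_UNARY = (ast.USub, ast.UAdd, ast.Invert, ast.Not)
ALLOWED_CMP = (ast.Lt, ast.LtE, ast.Gt, ast.GtE, ast.Eq, ast.NotEq)


def check_expression(expr: str) -> bool:
    """Return True only if expr is a plain arithmetic expression.

    Parsing with the stdlib ast module turns a literal such as 1.5e-3
    into a single Constant node, so scientific notation passes, while
    attribute access, subscripts, lambdas, comprehensions, names that
    start with an underscore and calls outside ALLOWED_FUNCS fail.
    """
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError:
        return False
    for node in ast.walk(tree):
        # Operator and context nodes are validated at their parent node.
        if isinstance(node, (ast.Expression, ast.expr_context, ast.operator,
                             ast.unaryop, ast.cmpop, ast.boolop)):
            continue
        if isinstance(node, ast.Constant):
            ok = isinstance(node.value, (bool, int, float, complex))
        elif isinstance(node, ast.Name):
            ok = not node.id.startswith("_")
        elif isinstance(node, ast.BinOp):
            ok = isinstance(node.op, ALLOWED_BINOPS)
        elif isinstance(node, ast.UnaryOp):
            ok = isinstance(node.op, ALLOWED_UNARY)
        elif isinstance(node, ast.Compare):
            ok = all(isinstance(op, ALLOWED_CMP) for op in node.ops)
        elif isinstance(node, ast.BoolOp):
            ok = True
        elif isinstance(node, ast.Call):
            ok = (isinstance(node.func, ast.Name)
                  and node.func.id in ALLOWED_FUNCS and not node.keywords)
        else:
            ok = False  # Attribute, Subscript, Lambda, comprehensions, ...
        if not ok:
            return False
    return True
```

A string that fails this check should never be handed to an evaluator whose own sanitization has been switched off; the check is a pre-filter, not a replacement for keeping numexpr's own one enabled.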
--- Begin Message ---
Source: numexpr
Source-Version: 2.8.6-4
Done: Antonio Valentino <antonio.valent...@tiscali.it>
We believe that the bug you reported is fixed in the latest version of
numexpr, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1052...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Antonio Valentino <antonio.valent...@tiscali.it> (supplier of updated numexpr package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Sat, 23 Sep 2023 09:16:47 +0000
Source: numexpr
Architecture: source
Version: 2.8.6-4
Distribution: unstable
Urgency: medium
Maintainer: Debian Science Maintainers <debian-science-maintain...@lists.alioth.debian.org>
Changed-By: Antonio Valentino <antonio.valent...@tiscali.it>
Closes: 1052454
Changes:
numexpr (2.8.6-4) unstable; urgency=medium
.
* debian/patches:
- Drop 0001-Set-sanotize-to-False-by-default.patch.
Closes: #1052454.
- New 0001-Fix-scientific-notation.patch.
- New 0002-Fix-sanitization.patch.
--- End Message ---