New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Insecure string comparison (incomplete comparison) in _convert_from_str of descriptor.c #18993
Comments
I doubt it matters (its not like this is relevant for security or anything). But adding the |
Do you mind telling me the tool that was used to reproduce to get that error message? |
diff --git a/numpy/core/src/multiarray/descriptor.c b/numpy/core/src/multiarray/descriptor.c
index 58aa608c3..f6202c7ea 100644
--- a/numpy/core/src/multiarray/descriptor.c
+++ b/numpy/core/src/multiarray/descriptor.c
@@ -1729,7 +1729,7 @@ _convert_from_str(PyObject *obj, int align)
for (int i = 0; i < ndep_tps; ++i) {
char *dep_tp = dep_tps[i];
- if (strncmp(type, dep_tp, strlen(dep_tp)) == 0) {
+ if (strncmp(type, dep_tp, strlen(dep_tp)) + 1) {
/* Deprecated 2020-06-09, NumPy 1.20 */
if (DEPRECATE("Numeric-style type codes are "
"deprecated and will result in "
Do you know where I might of gone wrong and why I am seeing this error? |
That change is nonsense, you removed the |
You removed the |
Finishes the deprecation, and effectively closes numpygh-18993 * Insecure String Comparison * Finished Deprecations * Breaks numpy types * Removed elements in dep_tps * Delete Typecode Comment * Deleted for loop * Fixed 80 characters or more issue * Expired Release Note * Updated Release Note * Update numpy/core/numerictypes.py * Update numpy/core/tests/test_deprecations.py Co-authored-by: Sebastian Berg <sebastian@sipsolutions.net>
I realize the issue is closed, but would like to note that it has been assigned CVE-2021-34141 |
This code doesn't exist anymore anyway, but can someone explain what even the point of a CVE is here? At this point, the CVE feels just like useless alarming about completely harmless things.
|
Yes indeed. I've recently reviewed six CVEs on NumPy for the Tidelift database, and IIRC the only one that was not completely baseless I think was the one about |
Indeed, It seems pretty odd to make a CVE for such a problem with a CVSS scoring of 9.8, It would be interesting to see where this is coming from and to try and stop this trend. One more thing, If I understand correctly, this code along with user provided dtypes have been dropped only starting 1.22.0 |
It's very possible the NVD team have just made a mistake with it. All of these entries are still reviewed manually as far as I am aware, and they do make mistakes. You can email them suggesting a correction or further review and usually get a reply back in a couple of days. I was also wondering about these last few as they auto-fed into the PyPI Advisory Database and it looked as though the affected version ranges weren't quite right on the underlying NVD entries. |
It could very well be the case. I just send them an e-mail about it. |
Please do not ask them to update to newer versions without objecting to this being a critical CVE. That's just going to give a lot of people extra work, for a nonsense CVE (which also wasn't disclosed correctly by the way). |
Could you explain which part of the disclosure was not done correctly? |
@rgommers, do you think there is any chance they'd withdraw it completely (along with any of the others you'd consider nonsense)? Also, I don't know if there's any good way of finding where they're coming from, but I can do some asking around |
When you think you have discovered a vulnerability, you get in touch with the project (in private, there are best practices for this). Our way of doing this is clearly documented in the main README and a few other places: In this case, I don't think anyone got in touch. Someone just opened a CVE.
I don't know, I've seen the status change to "disputed" sometimes, but I've never seen the actual process directly with people who can assign CVE numbers.
I don't know of a way of finding out, but that may just be my lack of knowledge. If you could look into that, that'd be great. |
After yet another CVE came in, I looked closer and these are all issues by @Daybreak2019. So @Daybreak2019 are you requesting these, or someone who works with you? |
Any updates on the status of CVE-2021-34141 with regards to current issue? |
These CVEs are nonsense, there is no way this is exploitable (in this case even meaningful if it was exploited) by a user that is not already privileged. I do not think we have tried to get the CVE marked as disputed, but it sounds like the CVE process is too weird to expect more than it getting tagging on a "disputed" with a reason... |
Also, since the fix is to remove deprecated code, we can't backport that fix as is to So for people who must avoid CVEs due to policies in their organization, they should unfortunately upgrade to |
Looking at the history on it it looks like they briefly adjusted it to DISPUTED and then reverted it, but looks like they also adjusted the score down from Critical at least? |
``` +==============================================================================+ | | | /$$$$$$ /$$ | | /$$__ $$ | $$ | | /$$$$$$$ /$$$$$$ | $$ \__//$$$$$$ /$$$$$$ /$$ /$$ | | /$$_____/ |____ $$| $$$$ /$$__ $$|_ $$_/ | $$ | $$ | | | $$$$$$ /$$$$$$$| $$_/ | $$$$$$$$ | $$ | $$ | $$ | | \____ $$ /$$__ $$| $$ | $$_____/ | $$ /$$| $$ | $$ | | /$$$$$$$/| $$$$$$$| $$ | $$$$$$$ | $$$$/| $$$$$$$ | | |_______/ \_______/|__/ \_______/ \___/ \____ $$ | | /$$ | $$ | | | $$$$$$/ | | by pyup.io \______/ | | | +==============================================================================+ | REPORT | | checked 24 packages, using free DB (updated once a month) | +============================+===========+==========================+==========+ | package | installed | affected | ID | +============================+===========+==========================+==========+ | urllib3 | 1.26.4 | <1.26.5 | 43975 | +==============================================================================+ | Urllib3 1.26.5 includes a fix for CVE-2021-33503: An issue was discovered in | | urllib3 before 1.26.5. When provided with a URL containing many @ characters | | in the authority component, the authority regular expression exhibits | | catastrophic backtracking, causing a denial of service if a URL were passed | | as a parameter or redirected to via an HTTP redirect. | | GHSA-q2q7-5pp4-w6pg | +==============================================================================+ +==============================================================================+ | REPORT | | checked 80 packages, using free DB (updated once a month) | +============================+===========+==========================+==========+ | package | installed | affected | ID | +============================+===========+==========================+==========+ | numpy | 1.18.3 | <1.21.0 | 43453 | +==============================================================================+ | Numpy 1.21.0 includes a fix for CVE-2021-33430: A Buffer Overflow | | vulnerability exists in the PyArray_NewFromDescr_int function of ctors.c | | when specifying arrays of large dimensions (over 32) from Python code, which | | could let a malicious user cause a Denial of Service. | | numpy/numpy@ae317fd | | 2e | +==============================================================================+ | numpy | 1.18.3 | <1.22.0 | 44716 | +==============================================================================+ | Numpy 1.22.0 includes a fix for CVE-2021-41496: A buffer overflow in the | | array_from_pyobj function of fortranobject.c, which allows attackers to | | conduct a Denial of Service attacks by carefully constructing an array with | | negative values. | | numpy/numpy#19000 | +==============================================================================+ | numpy | 1.18.3 | <1.22.0 | 44717 | +==============================================================================+ | Numpy 1.22.0 includes a fix for CVE-2021-34141: An incomplete string | | comparison in the numpy.core component in NumPy before 1.22.0 allows | | attackers to trigger slightly incorrect copying by constructing specific | | string objects. NOTE: the vendor states that this reported code behavior is | | "completely harmless." | | numpy/numpy#18993 | +==============================================================================+ | numpy | 1.18.3 | >0 | 44715 | +==============================================================================+ | All versions of Numpy are affected by CVE-2021-41495: A null Pointer | | Dereference vulnerability exists in numpy.sort, in the PyArray_DescrNew | | function due to missing return-value validation, which allows attackers to | | conduct DoS attacks by repetitively creating sort arrays. | | numpy/numpy#19038 | +==============================================================================+ | urllib3 | 1.25.9 | <1.26.5 | 43975 | +==============================================================================+ | Urllib3 1.26.5 includes a fix for CVE-2021-33503: An issue was discovered in | | urllib3 before 1.26.5. When provided with a URL containing many @ characters | | in the authority component, the authority regular expression exhibits | | catastrophic backtracking, causing a denial of service if a URL were passed | | as a parameter or redirected to via an HTTP redirect. | | GHSA-q2q7-5pp4-w6pg | +==============================================================================+ +==============================================================================+ | REPORT | | checked 1 packages, using free DB (updated once a month) | +============================+===========+==========================+==========+ | package | installed | affected | ID | +============================+===========+==========================+==========+ | pipenv | 2020.5.28 | >=2018.10.9,<=2021.11.23 | 44492 | +==============================================================================+ | Pipenv 2022.1.8 includes a fix for CVE-2022-21668: Starting with version | | 2018.10.9 and prior to version 2022.1.8, a flaw in pipenv's parsing of | | requirements files allows an attacker to insert a specially crafted string | | inside a comment anywhere within a requirements.txt file, which will cause | | victims who use pipenv to install the requirements file to download | | dependencies from a package index server controlled by the attacker. By | | embedding malicious code in packages served from their malicious index | | server, the attacker can trigger arbitrary remote code execution (RCE) on | | the victims' systems. If an attacker is able to hide a malicious '--index- | | url' option in a requirements file that a victim installs with pipenv, the | | attacker can embed arbitrary malicious code in packages served from their | | malicious index server that will be executed on the victim's host during | | installation (remote code execution/RCE). When pip installs from a source | | distribution, any code in the setup.py is executed by the install process. | | GHSA-qc9x-gjcv-465w | +==============================================================================+ ```
``` +==============================================================================+ | | | /$$$$$$ /$$ | | /$$__ $$ | $$ | | /$$$$$$$ /$$$$$$ | $$ \__//$$$$$$ /$$$$$$ /$$ /$$ | | /$$_____/ |____ $$| $$$$ /$$__ $$|_ $$_/ | $$ | $$ | | | $$$$$$ /$$$$$$$| $$_/ | $$$$$$$$ | $$ | $$ | $$ | | \____ $$ /$$__ $$| $$ | $$_____/ | $$ /$$| $$ | $$ | | /$$$$$$$/| $$$$$$$| $$ | $$$$$$$ | $$$$/| $$$$$$$ | | |_______/ \_______/|__/ \_______/ \___/ \____ $$ | | /$$ | $$ | | | $$$$$$/ | | by pyup.io \______/ | | | +============================+===========+==========================+==========+ | package | installed | affected | ID | +============================+===========+==========================+==========+ | pipenv | 2021.5.29 | >=2018.10.9,<=2021.11.23 | 44492 | +==============================================================================+ | Pipenv 2022.1.8 includes a fix for CVE-2022-21668: Starting with version | | 2018.10.9 and prior to version 2022.1.8, a flaw in pipenv's parsing of | | requirements files allows an attacker to insert a specially crafted string | | inside a comment anywhere within a requirements.txt file, which will cause | | victims who use pipenv to install the requirements file to download | | dependencies from a package index server controlled by the attacker. By | | embedding malicious code in packages served from their malicious index | | server, the attacker can trigger arbitrary remote code execution (RCE) on | | the victims' systems. If an attacker is able to hide a malicious '--index- | | url' option in a requirements file that a victim installs with pipenv, the | | attacker can embed arbitrary malicious code in packages served from their | | malicious index server that will be executed on the victim's host during | | installation (remote code execution/RCE). When pip installs from a source | | distribution, any code in the setup.py is executed by the install process. | | GHSA-qc9x-gjcv-465w | +==============================================================================+ | numpy | 1.21.5 | <1.22.0 | 44716 | +==============================================================================+ | Numpy 1.22.0 includes a fix for CVE-2021-41496: A buffer overflow in the | | array_from_pyobj function of fortranobject.c, which allows attackers to | | conduct a Denial of Service attacks by carefully constructing an array with | | negative values. | | numpy/numpy#19000 | +==============================================================================+ | numpy | 1.21.5 | <1.22.0 | 44717 | +==============================================================================+ | Numpy 1.22.0 includes a fix for CVE-2021-34141: An incomplete string | | comparison in the numpy.core component in NumPy before 1.22.0 allows | | attackers to trigger slightly incorrect copying by constructing specific | | string objects. NOTE: the vendor states that this reported code behavior is | | "completely harmless." | | numpy/numpy#18993 | +==============================================================================+ | numpy | 1.21.5 | >0 | 44715 | +==============================================================================+ | All versions of Numpy are affected by CVE-2021-41495: A null Pointer | | Dereference vulnerability exists in numpy.sort, in the PyArray_DescrNew | | function due to missing return-value validation, which allows attackers to | | conduct DoS attacks by repetitively creating sort arrays. | | numpy/numpy#19038 | +==============================================================================+ ```
``` +==============================================================================+ | | | /$$$$$$ /$$ | | /$$__ $$ | $$ | | /$$$$$$$ /$$$$$$ | $$ \__//$$$$$$ /$$$$$$ /$$ /$$ | | /$$_____/ |____ $$| $$$$ /$$__ $$|_ $$_/ | $$ | $$ | | | $$$$$$ /$$$$$$$| $$_/ | $$$$$$$$ | $$ | $$ | $$ | | \____ $$ /$$__ $$| $$ | $$_____/ | $$ /$$| $$ | $$ | | /$$$$$$$/| $$$$$$$| $$ | $$$$$$$ | $$$$/| $$$$$$$ | | |_______/ \_______/|__/ \_______/ \___/ \____ $$ | | /$$ | $$ | | | $$$$$$/ | | by pyup.io \______/ | | | +============================+===========+==========================+==========+ | package | installed | affected | ID | +============================+===========+==========================+==========+ | pipenv | 2021.5.29 | >=2018.10.9,<=2021.11.23 | 44492 | +==============================================================================+ | Pipenv 2022.1.8 includes a fix for CVE-2022-21668: Starting with version | | 2018.10.9 and prior to version 2022.1.8, a flaw in pipenv's parsing of | | requirements files allows an attacker to insert a specially crafted string | | inside a comment anywhere within a requirements.txt file, which will cause | | victims who use pipenv to install the requirements file to download | | dependencies from a package index server controlled by the attacker. By | | embedding malicious code in packages served from their malicious index | | server, the attacker can trigger arbitrary remote code execution (RCE) on | | the victims' systems. If an attacker is able to hide a malicious '--index- | | url' option in a requirements file that a victim installs with pipenv, the | | attacker can embed arbitrary malicious code in packages served from their | | malicious index server that will be executed on the victim's host during | | installation (remote code execution/RCE). When pip installs from a source | | distribution, any code in the setup.py is executed by the install process. | | GHSA-qc9x-gjcv-465w | +==============================================================================+ | numpy | 1.21.5 | <1.22.0 | 44716 | +==============================================================================+ | Numpy 1.22.0 includes a fix for CVE-2021-41496: A buffer overflow in the | | array_from_pyobj function of fortranobject.c, which allows attackers to | | conduct a Denial of Service attacks by carefully constructing an array with | | negative values. | | numpy/numpy#19000 | +==============================================================================+ | numpy | 1.21.5 | <1.22.0 | 44717 | +==============================================================================+ | Numpy 1.22.0 includes a fix for CVE-2021-34141: An incomplete string | | comparison in the numpy.core component in NumPy before 1.22.0 allows | | attackers to trigger slightly incorrect copying by constructing specific | | string objects. NOTE: the vendor states that this reported code behavior is | | "completely harmless." | | numpy/numpy#18993 | +==============================================================================+ | numpy | 1.21.5 | >0 | 44715 | +==============================================================================+ | All versions of Numpy are affected by CVE-2021-41495: A null Pointer | | Dereference vulnerability exists in numpy.sort, in the PyArray_DescrNew | | function due to missing return-value validation, which allows attackers to | | conduct DoS attacks by repetitively creating sort arrays. | | numpy/numpy#19038 | +==============================================================================+ ```
``` +==============================================================================+ | | | /$$$$$$ /$$ | | /$$__ $$ | $$ | | /$$$$$$$ /$$$$$$ | $$ \__//$$$$$$ /$$$$$$ /$$ /$$ | | /$$_____/ |____ $$| $$$$ /$$__ $$|_ $$_/ | $$ | $$ | | | $$$$$$ /$$$$$$$| $$_/ | $$$$$$$$ | $$ | $$ | $$ | | \____ $$ /$$__ $$| $$ | $$_____/ | $$ /$$| $$ | $$ | | /$$$$$$$/| $$$$$$$| $$ | $$$$$$$ | $$$$/| $$$$$$$ | | |_______/ \_______/|__/ \_______/ \___/ \____ $$ | | /$$ | $$ | | | $$$$$$/ | | by pyup.io \______/ | | | +============================+===========+==========================+==========+ | package | installed | affected | ID | +============================+===========+==========================+==========+ | pipenv | 2021.5.29 | >=2018.10.9,<=2021.11.23 | 44492 | +==============================================================================+ | Pipenv 2022.1.8 includes a fix for CVE-2022-21668: Starting with version | | 2018.10.9 and prior to version 2022.1.8, a flaw in pipenv's parsing of | | requirements files allows an attacker to insert a specially crafted string | | inside a comment anywhere within a requirements.txt file, which will cause | | victims who use pipenv to install the requirements file to download | | dependencies from a package index server controlled by the attacker. By | | embedding malicious code in packages served from their malicious index | | server, the attacker can trigger arbitrary remote code execution (RCE) on | | the victims' systems. If an attacker is able to hide a malicious '--index- | | url' option in a requirements file that a victim installs with pipenv, the | | attacker can embed arbitrary malicious code in packages served from their | | malicious index server that will be executed on the victim's host during | | installation (remote code execution/RCE). When pip installs from a source | | distribution, any code in the setup.py is executed by the install process. | | GHSA-qc9x-gjcv-465w | +==============================================================================+ | numpy | 1.21.5 | <1.22.0 | 44716 | +==============================================================================+ | Numpy 1.22.0 includes a fix for CVE-2021-41496: A buffer overflow in the | | array_from_pyobj function of fortranobject.c, which allows attackers to | | conduct a Denial of Service attacks by carefully constructing an array with | | negative values. | | numpy/numpy#19000 | +==============================================================================+ | numpy | 1.21.5 | <1.22.0 | 44717 | +==============================================================================+ | Numpy 1.22.0 includes a fix for CVE-2021-34141: An incomplete string | | comparison in the numpy.core component in NumPy before 1.22.0 allows | | attackers to trigger slightly incorrect copying by constructing specific | | string objects. NOTE: the vendor states that this reported code behavior is | | "completely harmless." | | numpy/numpy#18993 | +==============================================================================+ | numpy | 1.21.5 | >0 | 44715 | +==============================================================================+ | All versions of Numpy are affected by CVE-2021-41495: A null Pointer | | Dereference vulnerability exists in numpy.sort, in the PyArray_DescrNew | | function due to missing return-value validation, which allows attackers to | | conduct DoS attacks by repetitively creating sort arrays. | | numpy/numpy#19038 | +==============================================================================+ ```
``` +==============================================================================+ | | | /$$$$$$ /$$ | | /$$__ $$ | $$ | | /$$$$$$$ /$$$$$$ | $$ \__//$$$$$$ /$$$$$$ /$$ /$$ | | /$$_____/ |____ $$| $$$$ /$$__ $$|_ $$_/ | $$ | $$ | | | $$$$$$ /$$$$$$$| $$_/ | $$$$$$$$ | $$ | $$ | $$ | | \____ $$ /$$__ $$| $$ | $$_____/ | $$ /$$| $$ | $$ | | /$$$$$$$/| $$$$$$$| $$ | $$$$$$$ | $$$$/| $$$$$$$ | | |_______/ \_______/|__/ \_______/ \___/ \____ $$ | | /$$ | $$ | | | $$$$$$/ | | by pyup.io \______/ | | | +============================+===========+==========================+==========+ | package | installed | affected | ID | +============================+===========+==========================+==========+ | urllib3 | 1.25.9 | <1.26.5 | 43975 | +==============================================================================+ | Urllib3 1.26.5 includes a fix for CVE-2021-33503: An issue was discovered in | | urllib3 before 1.26.5. When provided with a URL containing many @ characters | | in the authority component, the authority regular expression exhibits | | catastrophic backtracking, causing a denial of service if a URL were passed | | as a parameter or redirected to via an HTTP redirect. | | GHSA-q2q7-5pp4-w6pg | +==============================================================================+ | numpy | 1.21.5 | <1.22.0 | 44716 | +==============================================================================+ | Numpy 1.22.0 includes a fix for CVE-2021-41496: A buffer overflow in the | | array_from_pyobj function of fortranobject.c, which allows attackers to | | conduct a Denial of Service attacks by carefully constructing an array with | | negative values. | | numpy/numpy#19000 | +==============================================================================+ | numpy | 1.21.5 | <1.22.0 | 44717 | +==============================================================================+ | Numpy 1.22.0 includes a fix for CVE-2021-34141: An incomplete string | | comparison in the numpy.core component in NumPy before 1.22.0 allows | | attackers to trigger slightly incorrect copying by constructing specific | | string objects. NOTE: the vendor states that this reported code behavior is | | "completely harmless." | | numpy/numpy#18993 | +==============================================================================+ | numpy | 1.21.5 | >0 | 44715 | +==============================================================================+ | All versions of Numpy are affected by CVE-2021-41495: A null Pointer | | Dereference vulnerability exists in numpy.sort, in the PyArray_DescrNew | | function due to missing return-value validation, which allows attackers to | | conduct DoS attacks by repetitively creating sort arrays. | | numpy/numpy#19038 | +==============================================================================+ | pillow | 8.3.2 | <9.0.0 | 44487 | +==============================================================================+ | Pillow 9.0.0 includes a fix for CVE-2022-22817: PIL.ImageMath.eval in Pillow | | before 9.0.0 allows evaluation of arbitrary expressions, such as ones that | | use the Python exec method. | | https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#restrict- | | builtins-available-to-imagemath-eval | +==============================================================================+ | pillow | 8.3.2 | <9.0.0 | 44485 | +==============================================================================+ | Pillow 9.0.0 includes a fix for CVE-2022-22815: path_getbbox in path.c in | | Pillow before 9.0.0 improperly initializes ImagePath.Path. | | https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed- | | imagepath-path-array-handling | +==============================================================================+ | pillow | 8.3.2 | <9.0.0 | 44524 | +==============================================================================+ | Pillow 9.0.0 ensures JpegImagePlugin stops at the end of a truncated file to | | avoid Denial of Service attacks. | | python-pillow/Pillow#5921 | +==============================================================================+ | pillow | 8.3.2 | <9.0.0 | 44525 | +==============================================================================+ | Pillow 9.0.0 excludes carriage return in PDF regex to help prevent ReDoS. | | python-pillow/Pillow#5912 | | https://github.com/python- | | pillow/Pillow/commit/43b800d933c996226e4d7df00c33fcbe46d97363 | +==============================================================================+ | pillow | 8.3.2 | <9.0.0 | 44486 | +==============================================================================+ | Pillow 9.0.0 includes a fix for CVE-2022-22816: path_getbbox in path.c in | | Pillow before 9.0.0 has a buffer over-read during initialization of | | ImagePath.Path. | | https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed- | | imagepath-path-array-handling | +==============================================================================+ | pipenv | 2021.5.29 | >=2018.10.9,<=2021.11.23 | 44492 | +==============================================================================+ | Pipenv 2022.1.8 includes a fix for CVE-2022-21668: Starting with version | | 2018.10.9 and prior to version 2022.1.8, a flaw in pipenv's parsing of | | requirements files allows an attacker to insert a specially crafted string | | inside a comment anywhere within a requirements.txt file, which will cause | | victims who use pipenv to install the requirements file to download | | dependencies from a package index server controlled by the attacker. By | | embedding malicious code in packages served from their malicious index | | server, the attacker can trigger arbitrary remote code execution (RCE) on | | the victims' systems. If an attacker is able to hide a malicious '--index- | | url' option in a requirements file that a victim installs with pipenv, the | | attacker can embed arbitrary malicious code in packages served from their | | malicious index server that will be executed on the victim's host during | | installation (remote code execution/RCE). When pip installs from a source | | distribution, any code in the setup.py is executed by the install process. | | GHSA-qc9x-gjcv-465w | +==============================================================================+ ```
``` +==============================================================================+ | | | /$$$$$$ /$$ | | /$$__ $$ | $$ | | /$$$$$$$ /$$$$$$ | $$ \__//$$$$$$ /$$$$$$ /$$ /$$ | | /$$_____/ |____ $$| $$$$ /$$__ $$|_ $$_/ | $$ | $$ | | | $$$$$$ /$$$$$$$| $$_/ | $$$$$$$$ | $$ | $$ | $$ | | \____ $$ /$$__ $$| $$ | $$_____/ | $$ /$$| $$ | $$ | | /$$$$$$$/| $$$$$$$| $$ | $$$$$$$ | $$$$/| $$$$$$$ | | |_______/ \_______/|__/ \_______/ \___/ \____ $$ | | /$$ | $$ | | | $$$$$$/ | | by pyup.io \______/ | | | +============================+===========+==========================+==========+ | package | installed | affected | ID | +============================+===========+==========================+==========+ | pipenv | 2021.5.29 | >=2018.10.9,<=2021.11.23 | 44492 | +==============================================================================+ | Pipenv 2022.1.8 includes a fix for CVE-2022-21668: Starting with version | | 2018.10.9 and prior to version 2022.1.8, a flaw in pipenv's parsing of | | requirements files allows an attacker to insert a specially crafted string | | inside a comment anywhere within a requirements.txt file, which will cause | | victims who use pipenv to install the requirements file to download | | dependencies from a package index server controlled by the attacker. By | | embedding malicious code in packages served from their malicious index | | server, the attacker can trigger arbitrary remote code execution (RCE) on | | the victims' systems. If an attacker is able to hide a malicious '--index- | | url' option in a requirements file that a victim installs with pipenv, the | | attacker can embed arbitrary malicious code in packages served from their | | malicious index server that will be executed on the victim's host during | | installation (remote code execution/RCE). When pip installs from a source | | distribution, any code in the setup.py is executed by the install process. | | GHSA-qc9x-gjcv-465w | +==============================================================================+ | numpy | 1.21.5 | <1.22.0 | 44716 | +==============================================================================+ | Numpy 1.22.0 includes a fix for CVE-2021-41496: A buffer overflow in the | | array_from_pyobj function of fortranobject.c, which allows attackers to | | conduct a Denial of Service attacks by carefully constructing an array with | | negative values. | | numpy/numpy#19000 | +==============================================================================+ | numpy | 1.21.5 | <1.22.0 | 44717 | +==============================================================================+ | Numpy 1.22.0 includes a fix for CVE-2021-34141: An incomplete string | | comparison in the numpy.core component in NumPy before 1.22.0 allows | | attackers to trigger slightly incorrect copying by constructing specific | | string objects. NOTE: the vendor states that this reported code behavior is | | "completely harmless." | | numpy/numpy#18993 | +==============================================================================+ | numpy | 1.21.5 | >0 | 44715 | +==============================================================================+ | All versions of Numpy are affected by CVE-2021-41495: A null Pointer | | Dereference vulnerability exists in numpy.sort, in the PyArray_DescrNew | | function due to missing return-value validation, which allows attackers to | | conduct DoS attacks by repetitively creating sort arrays. | | numpy/numpy#19038 | +==============================================================================+ ```
``` +==============================================================================+ | | | /$$$$$$ /$$ | | /$$__ $$ | $$ | | /$$$$$$$ /$$$$$$ | $$ \__//$$$$$$ /$$$$$$ /$$ /$$ | | /$$_____/ |____ $$| $$$$ /$$__ $$|_ $$_/ | $$ | $$ | | | $$$$$$ /$$$$$$$| $$_/ | $$$$$$$$ | $$ | $$ | $$ | | \____ $$ /$$__ $$| $$ | $$_____/ | $$ /$$| $$ | $$ | | /$$$$$$$/| $$$$$$$| $$ | $$$$$$$ | $$$$/| $$$$$$$ | | |_______/ \_______/|__/ \_______/ \___/ \____ $$ | | /$$ | $$ | | | $$$$$$/ | | by pyup.io \______/ | | | +============================+===========+==========================+==========+ | package | installed | affected | ID | +============================+===========+==========================+==========+ | urllib3 | 1.25.9 | <1.26.5 | 43975 | +==============================================================================+ | Urllib3 1.26.5 includes a fix for CVE-2021-33503: An issue was discovered in | | urllib3 before 1.26.5. When provided with a URL containing many @ characters | | in the authority component, the authority regular expression exhibits | | catastrophic backtracking, causing a denial of service if a URL were passed | | as a parameter or redirected to via an HTTP redirect. | | GHSA-q2q7-5pp4-w6pg | +==============================================================================+ | numpy | 1.21.5 | <1.22.0 | 44716 | +==============================================================================+ | Numpy 1.22.0 includes a fix for CVE-2021-41496: A buffer overflow in the | | array_from_pyobj function of fortranobject.c, which allows attackers to | | conduct a Denial of Service attacks by carefully constructing an array with | | negative values. | | numpy/numpy#19000 | +==============================================================================+ | numpy | 1.21.5 | <1.22.0 | 44717 | +==============================================================================+ | Numpy 1.22.0 includes a fix for CVE-2021-34141: An incomplete string | | comparison in the numpy.core component in NumPy before 1.22.0 allows | | attackers to trigger slightly incorrect copying by constructing specific | | string objects. NOTE: the vendor states that this reported code behavior is | | "completely harmless." | | numpy/numpy#18993 | +==============================================================================+ | numpy | 1.21.5 | >0 | 44715 | +==============================================================================+ | All versions of Numpy are affected by CVE-2021-41495: A null Pointer | | Dereference vulnerability exists in numpy.sort, in the PyArray_DescrNew | | function due to missing return-value validation, which allows attackers to | | conduct DoS attacks by repetitively creating sort arrays. | | numpy/numpy#19038 | +==============================================================================+ | pillow | 8.3.2 | <9.0.0 | 44487 | +==============================================================================+ | Pillow 9.0.0 includes a fix for CVE-2022-22817: PIL.ImageMath.eval in Pillow | | before 9.0.0 allows evaluation of arbitrary expressions, such as ones that | | use the Python exec method. | | https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#restrict- | | builtins-available-to-imagemath-eval | +==============================================================================+ | pillow | 8.3.2 | <9.0.0 | 44485 | +==============================================================================+ | Pillow 9.0.0 includes a fix for CVE-2022-22815: path_getbbox in path.c in | | Pillow before 9.0.0 improperly initializes ImagePath.Path. | | https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed- | | imagepath-path-array-handling | +==============================================================================+ | pillow | 8.3.2 | <9.0.0 | 44524 | +==============================================================================+ | Pillow 9.0.0 ensures JpegImagePlugin stops at the end of a truncated file to | | avoid Denial of Service attacks. | | python-pillow/Pillow#5921 | +==============================================================================+ | pillow | 8.3.2 | <9.0.0 | 44525 | +==============================================================================+ | Pillow 9.0.0 excludes carriage return in PDF regex to help prevent ReDoS. | | python-pillow/Pillow#5912 | | https://github.com/python- | | pillow/Pillow/commit/43b800d933c996226e4d7df00c33fcbe46d97363 | +==============================================================================+ | pillow | 8.3.2 | <9.0.0 | 44486 | +==============================================================================+ | Pillow 9.0.0 includes a fix for CVE-2022-22816: path_getbbox in path.c in | | Pillow before 9.0.0 has a buffer over-read during initialization of | | ImagePath.Path. | | https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed- | | imagepath-path-array-handling | +==============================================================================+ | pipenv | 2021.5.29 | >=2018.10.9,<=2021.11.23 | 44492 | +==============================================================================+ | Pipenv 2022.1.8 includes a fix for CVE-2022-21668: Starting with version | | 2018.10.9 and prior to version 2022.1.8, a flaw in pipenv's parsing of | | requirements files allows an attacker to insert a specially crafted string | | inside a comment anywhere within a requirements.txt file, which will cause | | victims who use pipenv to install the requirements file to download | | dependencies from a package index server controlled by the attacker. By | | embedding malicious code in packages served from their malicious index | | server, the attacker can trigger arbitrary remote code execution (RCE) on | | the victims' systems. If an attacker is able to hide a malicious '--index- | | url' option in a requirements file that a victim installs with pipenv, the | | attacker can embed arbitrary malicious code in packages served from their | | malicious index server that will be executed on the victim's host during | | installation (remote code execution/RCE). When pip installs from a source | | distribution, any code in the setup.py is executed by the install process. | | GHSA-qc9x-gjcv-465w | +==============================================================================+ ```
``` +==============================================================================+ | | | /$$$$$$ /$$ | | /$$__ $$ | $$ | | /$$$$$$$ /$$$$$$ | $$ \__//$$$$$$ /$$$$$$ /$$ /$$ | | /$$_____/ |____ $$| $$$$ /$$__ $$|_ $$_/ | $$ | $$ | | | $$$$$$ /$$$$$$$| $$_/ | $$$$$$$$ | $$ | $$ | $$ | | \____ $$ /$$__ $$| $$ | $$_____/ | $$ /$$| $$ | $$ | | /$$$$$$$/| $$$$$$$| $$ | $$$$$$$ | $$$$/| $$$$$$$ | | |_______/ \_______/|__/ \_______/ \___/ \____ $$ | | /$$ | $$ | | | $$$$$$/ | | by pyup.io \______/ | | | +============================+===========+==========================+==========+ | package | installed | affected | ID | +============================+===========+==========================+==========+ | pipenv | 2021.5.29 | >=2018.10.9,<=2021.11.23 | 44492 | +==============================================================================+ | Pipenv 2022.1.8 includes a fix for CVE-2022-21668: Starting with version | | 2018.10.9 and prior to version 2022.1.8, a flaw in pipenv's parsing of | | requirements files allows an attacker to insert a specially crafted string | | inside a comment anywhere within a requirements.txt file, which will cause | | victims who use pipenv to install the requirements file to download | | dependencies from a package index server controlled by the attacker. By | | embedding malicious code in packages served from their malicious index | | server, the attacker can trigger arbitrary remote code execution (RCE) on | | the victims' systems. If an attacker is able to hide a malicious '--index- | | url' option in a requirements file that a victim installs with pipenv, the | | attacker can embed arbitrary malicious code in packages served from their | | malicious index server that will be executed on the victim's host during | | installation (remote code execution/RCE). When pip installs from a source | | distribution, any code in the setup.py is executed by the install process. | | GHSA-qc9x-gjcv-465w | +==============================================================================+ | numpy | 1.21.5 | <1.22.0 | 44716 | +==============================================================================+ | Numpy 1.22.0 includes a fix for CVE-2021-41496: A buffer overflow in the | | array_from_pyobj function of fortranobject.c, which allows attackers to | | conduct a Denial of Service attacks by carefully constructing an array with | | negative values. | | numpy/numpy#19000 | +==============================================================================+ | numpy | 1.21.5 | <1.22.0 | 44717 | +==============================================================================+ | Numpy 1.22.0 includes a fix for CVE-2021-34141: An incomplete string | | comparison in the numpy.core component in NumPy before 1.22.0 allows | | attackers to trigger slightly incorrect copying by constructing specific | | string objects. NOTE: the vendor states that this reported code behavior is | | "completely harmless." | | numpy/numpy#18993 | +==============================================================================+ | numpy | 1.21.5 | >0 | 44715 | +==============================================================================+ | All versions of Numpy are affected by CVE-2021-41495: A null Pointer | | Dereference vulnerability exists in numpy.sort, in the PyArray_DescrNew | | function due to missing return-value validation, which allows attackers to | | conduct DoS attacks by repetitively creating sort arrays. | | numpy/numpy#19038 | +==============================================================================+ ```
Hi,can someone helps? Is it properly to update "strlen(dep_tp)" to "strlen(dep_tp)+1" in the line "if (strncmp(type, dep_tp, strlen(dep_tp)) == 0) {" within numpy-1.16.5 to fix cve-2021-34141? We do not want to upgrade for some reasons. Thanks. |
@Ren0216 I'd recommend re-applying the fix from gh-19539, and possible previous fixes to the same code. Or just leave it alone, since @seberg explained in the comment above that this CVE isn't valid. Trying to come up with a new fix isn't a good idea, it's much more likely to cause problems than solve them. |
Finishes the deprecation, and effectively closes numpygh-18993 * Insecure String Comparison * Finished Deprecations * Breaks numpy types * Removed elements in dep_tps * Delete Typecode Comment * Deleted for loop * Fixed 80 characters or more issue * Expired Release Note * Updated Release Note * Update numpy/core/numerictypes.py * Update numpy/core/tests/test_deprecations.py Co-authored-by: Sebastian Berg <sebastian@sipsolutions.net>
From what I can see the original code was actually correct: it's checking whether
So the proposals to add |
I'm a tad confused by the lack of support for fixing this CVE? You've kinda left it hanging despite saying that |
@chtompki could you point to which part of the discussion above is confusing? I think the position of the NumPy team is quite clear. The process for disputing bogus CVEs is not transparent, we do not know why they have not withdrawn it. |
Curious, I've always found the CVE process workable when I've written them. Who is your CVE Numbering Authority (CNA)? Is it the 501(c)(3) NumFOCUS or did you guys go through the request directly from MITRE? If you went directly through MITRE, then you may have to file an appeal: https://www.cve.org/ResourcesSupport/AllResources/CNARules#section_9_appeals_process Also, let me know if there's anything I can do to help. Would love to, if possible. |
Well, nobody here has done this professional or even more than once. And maybe a point is that you are going through some CNA where the process surprisingly works easier? We tried to tell MITR that it this is bogus, explaining why. They just asked for evidence without guidance how that would look like. So it is disputed, but thats it until someone explains how to "proof" that it is not a CVE. |
Hm....I would ask who applied for the CVE Number? Can we not go back to them and ask them to un-apply? If not then we need to appeal to MITRE through their process. I'd be happy to help with that if possible |
Probably @Daybreak2019 who opened this issue. But they seem like a known bad actor, lots of bogus CVEs and no response after that anymore (see #18993 (comment) above). This is the problem with the whole security circus - no accountability from anyone (neither the CVE submitter nor MITRE), and we get left with this mess. |
Reproducing code example:
Snippet:
Error message:
When we run our analysis tool on NumPy, an incomplete comparison problem was reported, see details below:
File: numpy/core/src/multiarray/descriptor.c
Function: _convert_from_str (line 1727 : 1740)
Optional call-path: PyArray_DescrAlignConverter -> _convert_from_any -> _convert_from_str
Details in description
NumPy/Python version information:
the main branch of NumPy
The text was updated successfully, but these errors were encountered: