New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ENH: Extend/enhance NEP-29 to cover security fix back-ports. #21713
Comments
Thanks for the detailed explanation of your use case @stuartarchibald.
We have no published policy, yet. I agree we should have one. One thing I'd like to point out is that we ( me) do maintain a policy somewhere, namely within the Tidelift platform. Tidelift sponsors NumPy with a monthly amount in the range of $1,000 - $3,000, and one of the key things they ask in return is that we:
It has been a while since we've had a valid report, much of the CVEs are bogus - which often means that there is no "fix" to backport. There often is discussion in an issue though. This in turn means that every vendor who wants to curate CVEs and release info on where those have been fixed has some manual validation & book-keeping to do. We could be better in advising on issues specifically about that. |
Also worth mentioning that at least once someone went through the trouble of disputing a CVE (see #18993 (comment)), and that that was at least successful in downgrading the severity and marking it as disputed.
It's possible that this hasn't happened in all cases, e.g. #18993 (comment) says that the fix was to remove deprecated code there - and backporting that too far would break our backwards compatibility policy (which was not warranted, since we anyway didn't agree with this being a real vulnerability). |
I try to backport CVE fixes, but that only goes for the latest released NumPy version. Occasionally I will go back one release further if it helps. One problem in the last year has been the rapid change in our build environment and NumPy itself, which makes backports and releasing older versions difficult. Everything bitrots quite rapidly these days. We will see if things settle down a bit over the next two years. |
We can try to make sure fixed versions get updated better, I am not sure whether they are or not. When it comes to disputing, I would really like someone with more security background to give a hand/explain it... One thing that maybe we could do, is to write a "policy" (not full blown). Not that I expect it helps much in practice, but many "CVE"s were put up for NumPy functions, if we note down somewhere that:
Then maybe we have an easier path of doing an actually successful dispute in the future... The question is what "data" is. Datatype strings for example, i.e. The reason is two-fold: First, less use means a higher probability of NumPy issues in structured dtypes. Second, structured dtypes open up a vast amount of complexity that can easily lead to DoS (e.g. by memory exhaustion) without any NumPy issue involved at all. Other DoS issues can occur of course (e.g. arrays filled with NaNs or weirdly shaped might just be surprisingly slow). |
True. Perhaps
Yes, that makes sense. Maybe we can find a volunteer for this. Or otherwise if at least we write up our own summary in the clearest/easiest to digest fashion, folks who are responsible for dealing with security issues in the stacks they deploy will be able to do something with that more easily.
I like that idea. It should help to some extent I think. It's also good to point out that exactly zero of the existing CVEs were disclosed to us in a responsible manner, and many suffer from a common mistake that the first bullet point of your policy already addresses. We can make things even clearer with an example like: # If you can call NumPy APIs, you are highly likely to be allowed to execute arbitrary Python code as a user
# NumPy does NOT have a denial-of-service vulnerability if instead of invoking it you can simply run:
while True:
do_something_expensive() The policy could also maintain a list of known CVEs perhaps. |
Many thanks for confirming.
Thanks for explaining this, I was aware that security reports pointed to Tidelift but didn't realise that there was a requirement/policy in place in relation to this.
I think a common place for holding information like this would certainly be helpful for e.g. Numba as it would be quick and easy to check what was patched and when. Perhaps a time frame and place for publishing what was fixed/backported could be defined in the potential NEP-29 extension? |
@charris Many thanks for doing the CVE backports (and backports in general)! Numba support for NumPy on average seems to be about one release behind NumPy RE: build environments, Numba has similar issues in that there's large combinations of platforms/OS etc and backports to previous releases often require very detailed capturing of the state of a system when the packages were built, it's a challenging problem. |
I opened gh-21927 to add some docs on "security stuff". Not what is requested here probably, but thought the crowd here could have a look. |
Proposed new feature or change:
This is about Numba's interaction with NumPy as part of its software dependency chain.
The effect of the above is that if a CVE is issued against some version of NumPy, downstream packages, like Numba:
and
are also then considered "bad" and their use is prohibited (or similar) by dependency chain validation applications.
Admittedly the specific situation with Numba is perhaps a bit unusual as a lot of packages depending on NumPy have no upper restriction on the NumPy version used. As a result, for these packages, there's typically an upgrade path available to the latest NumPy version which most likely contains the security fix.
However, Numba specifies compatibility against the versions of NumPy it has dedicated support for and that it specifically tests, essentially it has a bounded NumPy version support limit. This is because Numba takes replicating NumPy seriously and involved testing is a large part of that. It is also very rare for Numba to need a trivial "bump to the next NumPy version" style patch to accommodate a new NumPy release, updating to a new version almost always involves changing algorithms or updating APIs. Whilst not directly the same, it's possible to envisage that there are other projects/entities with software stacks that face similar issues where by e.g. every declared supported version of NumPy needs testing before acceptance to production, for example a HPC centre.
Practically, there have been two cases in the last six months where Numba has had to do out-of-typical-schedule changes/releases to support the newer versions of NumPy to accommodate the situation described above.
Case 1:
Numba 0.55.0 was shipped prior to RC testing being complete and with some minor known issues in the code base so as to offer an upgrade path to NumPy 1.21 (this was against CVE-2021-33430).
https://github.com/numba/numba/blob/65cbe1cab01cc186ce873a65d94b5096acbf07f3/CHANGE_LOG#L39-L55
Case 2:
A Numba 0.55.2 had to be created out of cycle to offer an upgrade path to NumPy 1.22 due to the CVEs noted in numba/numba#8025, it took a couple of weeks to create the support patch and then back-port and test it.
The question...
NumPy back-ports fixes for regressions and has the very useful NEP-29 in relation to support schedules. Does NumPy have or plan to have a similar back-port policy/schedule for security fixes that address CVEs?
The benefits of having such a policy that guaranteed extending security fixes back a couple of releases, or to a dedicated long term support release, would be that it would be a lot easier for downstream projects to ensure their deliberately constrained reliance on specific NumPy versions isn't inadvertently triggering software supply/dependency chain security problems.
Many thanks in advance for considering this!
CC @rgommers @seibert
The text was updated successfully, but these errors were encountered: