!28 [sync] PR-26: Fix CVE-2021-34141

Merge pull request !28 from openeuler-sync-bot/sync-pr26-openEuler-20.03-LTS-SP1-to-openEuler-20.03-LTS-SP3
2022-01-29 08:35:44 +00:00 · 2022-01-29 08:35:44 +00:00 · 2f5b069bba
commit 2f5b069bba
parent 53b1848fa3 ae55418594
2 changed files with 124 additions and 1 deletions
--- a/backport-CVE-2021-34141.patch
+++ b/backport-CVE-2021-34141.patch
@ -0,0 +1,119 @@
+From eeef9d4646103c3b1afd3085f1393f2b3f9575b2 Mon Sep 17 00:00:00 2001
+From: NectDz <54990613+NectDz@users.noreply.github.com>
+Date: Tue, 10 Aug 2021 18:00:35 -0500
+Subject: [PATCH] DEP: Remove deprecated numeric style dtype strings (#19539)
+
+Finishes the deprecation, and effectively closes gh-18993
+
+* Insecure String Comparison
+
+* Finished Deprecations
+
+* Breaks numpy types
+
+* Removed elements in dep_tps
+
+* Delete Typecode Comment
+
+* Deleted for loop
+
+* Fixed 80 characters or more issue
+
+* Expired Release Note
+
+* Updated Release Note
+
+* Update numpy/core/numerictypes.py
+
+* Update numpy/core/tests/test_deprecations.py
+
+Co-authored-by: Sebastian Berg <sebastian@sipsolutions.net>
+---
+ doc/release/upcoming_changes/19539.expired.rst |  2 ++
+ numpy/core/src/multiarray/descriptor.c | 25 -------------------------
+ numpy/core/tests/test_deprecations.py  | 23 -----------------------
+ 3 files changed, 2 insertions(+), 48 deletions(-)
+ create mode 100644 doc/release/upcoming_changes/19539.expired.rst
+
+diff --git a/doc/release/upcoming_changes/19539.expired.rst b/doc/release/upcoming_changes/19539.expired.rst
+new file mode 100644
+index 0000000..6e94f17
+--- /dev/null
+++ b/doc/release/upcoming_changes/19539.expired.rst
+@@ -0,0 +1,2 @@
+* Using the strings ``"Bytes0"``, ``"Datetime64"``, ``"Str0"``, ``"Uint32"``,
+  and ``"Uint64"`` as a dtype will now raise a ``TypeError``.
+\ No newline at end of file
+diff --git a/numpy/core/src/multiarray/descriptor.c b/numpy/core/src/multiarray/descriptor.c
+index 50964da..90453e3 100644
+--- a/numpy/core/src/multiarray/descriptor.c
+++ b/numpy/core/src/multiarray/descriptor.c
+@@ -1640,31 +1640,6 @@ finish:
+             }
+ #endif
+             if (item) {
+-                /* Check for a deprecated Numeric-style typecode */
+-                if (PyBytes_Check(obj)) {
+-                    char *type = NULL;
+-                    Py_ssize_t len = 0;
+-                    char *dep_tps[] = {"Bool", "Complex", "Float", "Int",
+-                                       "Object0", "String0", "Timedelta64",
+-                                       "Unicode0", "UInt", "Void0"};
+-                    int ndep_tps = sizeof(dep_tps) / sizeof(dep_tps[0]);
+-                    int i;
+-
+-                    if (PyBytes_AsStringAndSize(obj, &type, &len) < 0) {
+-                        goto error;
+-                    }
+-                    for (i = 0; i < ndep_tps; ++i) {
+-                        char *dep_tp = dep_tps[i];
+-
+-                        if (strncmp(type, dep_tp, strlen(dep_tp)) == 0) {
+-                            if (DEPRECATE("Numeric-style type codes are "
+-                                          "deprecated and will result in "
+-                                          "an error in the future.") < 0) {
+-                                goto fail;
+-                            }
+-                        }
+-                    }
+-                }
+                 return PyArray_DescrConverter(item, at);
+             }
+         }
+diff --git a/numpy/core/tests/test_deprecations.py b/numpy/core/tests/test_deprecations.py
+index 42e632e..44a3ed7 100644
+--- a/numpy/core/tests/test_deprecations.py
+++ b/numpy/core/tests/test_deprecations.py
+@@ -371,29 +371,6 @@ class TestBinaryReprInsufficientWidthParameterForRepresentation(_DeprecationTest
+         self.assert_deprecated(np.binary_repr, args=args, kwargs=kwargs)
+ 
+ 
+-class TestNumericStyleTypecodes(_DeprecationTestCase):
+-    """
+-    Deprecate the old numeric-style dtypes, which are especially
+-    confusing for complex types, e.g. Complex32 -> complex64. When the
+-    deprecation cycle is complete, the check for the strings should be
+-    removed from PyArray_DescrConverter in descriptor.c, and the
+-    deprecated keys should not be added as capitalized aliases in
+-    _add_aliases in numerictypes.py.
+-    """
+-    def test_all_dtypes(self):
+-        deprecated_types = [
+-            'Bool', 'Complex32', 'Complex64', 'Float16', 'Float32', 'Float64',
+-            'Int8', 'Int16', 'Int32', 'Int64', 'Object0', 'Timedelta64',
+-            'UInt8', 'UInt16', 'UInt32', 'UInt64', 'Void0'
+-            ]
+-        if sys.version_info[0] < 3:
+-            deprecated_types.extend(['Unicode0', 'String0'])
+-
+-        for dt in deprecated_types:
+-            self.assert_deprecated(np.dtype, exceptions=(TypeError,),
+-                                   args=(dt,))
+-
+-
+ class TestTestDeprecated(object):
+     def test_assert_deprecated(self):
+         test_case_instance = _DeprecationTestCase()
+-- 
+1.8.3.1
+
--- a/numpy.spec
+++ b/numpy.spec
@ -2,7 +2,7 @@

 Name:           numpy
 Version:        1.16.5
-Release:        4
+Release:        5
 Epoch:          1
 Summary:        A fast multidimensional array facility for Python

@ -14,6 +14,7 @@ BuildRequires:  openblas-devel
 BuildRequires:  lapack-devel gcc-gfortran Cython 

 Patch0:         backport-CVE-2021-41496.patch
+Patch1:         backport-CVE-2021-34141.patch

 %description
 NumPy is the fundamental package for scientific computing with Python. It contains among other things:
@ -179,6 +180,9 @@ popd &> /dev/null
 %{python3_sitearch}/%{name}/f2py

 %changelog
+* Thu Jan 27 2022 renhongxun<renhongxun@h-partners.com> - 1.16.5-5
+- fix CVE-2021-34141
+
 * Tue Jan 04 2022 yuanxin<yuanxin24@huawei.com> - 1.16.5-4
 - fix CVE-2021-41496