Bug 1122208 - (CVE-2019-6446) VUL-0: CVE-2019-6446: python-numpy: NumPy uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
https://smash.suse.de/issue/223021/
CVSSv3:RedHat:CVE-2019-6446:8.8:(AV:N...
Depends on:
Blocks:
Reported: 2019-01-16 15:19 UTC by Alexandros Toptsoglou
Modified: 2022-01-26 16:45 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---



Description Alexandros Toptsoglou 2019-01-16 15:19:31 UTC
An issue was discovered in NumPy 1.16.0 and earlier. It uses the pickle Python
module unsafely, which allows remote attackers to execute arbitrary code via a
crafted serialized object, as demonstrated by a numpy.load call.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-6446
https://github.com/numpy/numpy/issues/12759
Comment 1 Alexandros Toptsoglou 2019-01-16 15:28:53 UTC
According to upstream, the problem lies in the fact that np.load(allow_pickle=True) was added from version 1.10.0 on. Currently, there is no fix or mitigation decided. In my own investigation I also cross-checked that versions 1.10 and on contain the "allow_pickle=True". The commit is at [1].

Regarding our codestreams:
  SUSE:SLE-12-SP2:GA:Products:Update and SUSE:SLE-15:Update are affected 
  The rest are not affected. 

Information on how to reproduce the issue and also discussion on further planning on how to deal with this can be found at [2] 

[1] https://github.com/numpy/numpy/commit/a2bd3a7eabfe053d6d16a2130fdcad9e5211f6bb
[2] https://github.com/numpy/numpy/issues/12759
Comment 2 Matej Cepl 2019-01-17 14:46:25 UTC
(In reply to Alexandros Toptsoglou from comment #1)
> According to upstream the problem lies in the fact that
> np.load(allow_pickle=True) was added from version 1.10.0 and on. Currently,
> there is no fix or mitigation decided. Doing also an investigation I cross
> checked that version 1.10 and on contains the "allow_pickle=True". This is
> the commit at [1] 

I am not sure I understand what you mean I should do here. Switch np.load to have allow_pickle=False per default?
Comment 3 Alexandros Toptsoglou 2019-01-31 15:23:54 UTC
This issue was discussed with Egbert Eich and Christian Goll from HPC and it was decided within the security team to change allow_pickle from True to False. With this fix the behavior of numpy will change. This should be documented in the patchinfo before releasing.

A proposed fix, which has not been officially accepted by upstream, can be found at [1].

[1] https://github.com/ivanov/numpy/commit/decaca93a982f0758d104fe43c2439dc1334914e
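Added illustration of the defensive side of this bug (not part of the report, and not NumPy's or SUSE's own code): a small, pure-Python pre-check that classifies untrusted data before it is handed to numpy.load. The .npy container carries a header dict with a "descr" dtype string; only object dtypes ("|O" or structured fields of kind O) require pickle to deserialise, and anything without the NPY magic is passed to pickle.load when allow_pickle=True. The check refuses both cases, which is exactly what the upstream default change to allow_pickle=False does inside numpy itself. The header parser follows the NPY format versions 1.0 to 3.0; the sample files are constructed by hand, not produced by numpy, and the name "classify_npy" is this example's own.

```python
import ast
import pickle
import struct

NPY_MAGIC = b"\x93NUMPY"


def _descr_needs_pickle(descr) -> bool:
    """True if a dtype descriptor refers to Python objects (kind 'O').
    Such arrays can only be stored in .npy via pickle, so loading them
    means running pickle.load on attacker-controlled bytes."""
    if isinstance(descr, str):
        return descr.lstrip("<>|=").startswith("O")
    if isinstance(descr, (list, tuple)):
        # structured dtype: sequence of (name, descr[, shape]) entries
        return any(_descr_needs_pickle(field[1]) for field in descr)
    return True  # unrecognised form: treat as unsafe


def classify_npy(data: bytes) -> str:
    """Classify a blob before passing it to numpy.load:
      'array'        plain numeric .npy, safe with allow_pickle=False
      'object-array' .npy whose header declares an object dtype (needs pickle)
      'not-npy'      no NPY magic; numpy would pickle.load this when
                     allow_pickle=True, so it must be rejected"""
    if not data.startswith(NPY_MAGIC) or len(data) < 12:
        return "not-npy"
    major = data[6]
    if major == 1:
        (hlen,) = struct.unpack("<H", data[8:10])
        start, encoding = 10, "latin1"
    elif major in (2, 3):
        (hlen,) = struct.unpack("<I", data[8:12])
        start, encoding = 12, ("latin1" if major == 2 else "utf8")
    else:
        return "not-npy"
    try:
        # literal_eval only accepts Python literals, so the header text
        # itself cannot smuggle code the way a pickle opcode stream can
        header = ast.literal_eval(data[start:start + hlen].decode(encoding).strip())
    except (ValueError, SyntaxError, UnicodeDecodeError):
        return "not-npy"
    if not isinstance(header, dict) or "descr" not in header:
        return "not-npy"
    return "object-array" if _descr_needs_pickle(header["descr"]) else "array"


def make_npy_v1(header_dict: dict, payload: bytes) -> bytes:
    """Build a version 1.0 .npy file by hand (constructed sample input):
    magic, version bytes, little-endian uint16 header length, then the
    header dict padded with spaces so the data starts at a 64-byte boundary."""
    header = repr(header_dict)
    pad = (64 - (10 + len(header) + 1) % 64) % 64
    header = header + " " * pad + "\n"
    return (NPY_MAGIC + b"\x01\x00" + struct.pack("<H", len(header))
            + header.encode("latin1") + payload)


# Constructed samples: a float64 array, an object-dtype array, and a bare pickle
SAFE_FILE = make_npy_v1({"descr": "<f8", "fortran_order": False, "shape": (3,)},
                        struct.pack("<3d", 1.0, 2.0, 3.0))
OBJECT_FILE = make_npy_v1({"descr": "|O", "fortran_order": False, "shape": (1,)},
                          pickle.dumps([1, 2, 3]))
RAW_PICKLE = pickle.dumps({"weights": [0.1, 0.2]})


if __name__ == "__main__":
    for name, blob in [("SAFE_FILE", SAFE_FILE), ("OBJECT_FILE", OBJECT_FILE),
                       ("RAW_PICKLE", RAW_PICKLE)]:
        print(f"{name}: {classify_npy(blob)}")
    try:
        import io
        import numpy as np
    except ImportError:
        pass
    else:
        # With the fixed default (allow_pickle=False) numpy itself refuses
        # both the object array and the raw pickle with a ValueError.
        for blob in (OBJECT_FILE, RAW_PICKLE):
            try:
                np.load(io.BytesIO(blob), allow_pickle=False)
            except ValueError as exc:
                print("numpy refused:", exc)
```

The pre-check is useful on codestreams that still ship the old default, where callers can combine it with an explicit allow_pickle=False; it is not a substitute for the package update.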
Comment 13 Swamp Workflow Management 2019-02-12 17:09:05 UTC
SUSE-SU-2019:13951-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1122208
CVE References: CVE-2019-6446
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    python-numpy-1.8.0-6.4.1
SUSE Linux Enterprise Server 11-SP4 (src):    python-numpy-1.8.0-6.4.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    python-numpy-1.8.0-6.4.1
Comment 16 Swamp Workflow Management 2019-02-16 14:08:58 UTC
SUSE-SU-2019:0418-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1122208
CVE References: CVE-2019-6446
Sources used:
SUSE Linux Enterprise Module for HPC 15 (src):    python-numpy_1_14_0-gnu-hpc-1.14.0-4.5.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    python-numpy-1.14.0-4.5.1
Comment 17 Swamp Workflow Management 2019-02-18 14:11:05 UTC
SUSE-SU-2019:0419-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1122208
CVE References: CVE-2019-6446
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    python-numpy-1.8.0-5.8.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    python-numpy-1.8.0-5.8.1
SUSE Linux Enterprise Server 12-SP4 (src):    python-numpy-1.8.0-5.8.1
SUSE Linux Enterprise Server 12-SP3 (src):    python-numpy-1.8.0-5.8.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    python-numpy-1.8.0-5.8.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    python-numpy-1.8.0-5.8.1
Comment 19 Swamp Workflow Management 2019-02-20 11:13:28 UTC
SUSE-SU-2019:0448-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1122208
CVE References: CVE-2019-6446
Sources used:
SUSE Linux Enterprise Module for HPC 12 (src):    python-numpy_1_13_3-gnu-hpc-1.13.3-4.9.1
Comment 20 Swamp Workflow Management 2019-02-25 23:09:46 UTC
openSUSE-SU-2019:0245-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1122208
CVE References: CVE-2019-6446
Sources used:
openSUSE Leap 15.0 (src):    python-numpy-1.14.0-lp150.3.3.1, python-numpy_1_14_0-gnu-hpc-1.14.0-lp150.3.3.1
Comment 21 Swamp Workflow Management 2019-03-12 23:10:57 UTC
SUSE-SU-2019:13977-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1122208
CVE References: CVE-2019-6446
Sources used:
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    python-numpy-1.3.0-1.3.3.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    python-numpy-1.3.0-1.3.3.1
Comment 23 Alexandros Toptsoglou 2020-04-29 11:47:45 UTC
Done