Bug 1193911 - (CVE-2021-41495) VUL-0: CVE-2021-41495: python-numpy,python2-numpy: Null pointer dereference due to missing return-value validation in PyArray_DescrNew
Status: REOPENED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Matej Cepl
Security Team bot
https://smash.suse.de/issue/317867/
CVSSv3.1:SUSE:CVE-2021-41495:5.5:(AV:...
Depends on:
Blocks:
Reported: 2021-12-20 08:53 UTC by Carlos López
Modified: 2022-09-12 16:21 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
mcepl: needinfo? (skliu)


Attachments
mentioned content of pastebin (14.55 KB, text/plain)
2022-08-01 11:09 UTC, Matej Cepl
Details
result of the src.rpm from https://build.suse.de/package/binaries/home:mcepl:branches:OBS_Maintained:python-numpy/python-numpy.SUSE_SLE-15_Update:standard/SLE_15_SP3 (34.95 KB, text/plain)
2022-08-02 02:10 UTC, Liu Shukui
Details
python-numpy result after installing python3-numpy-debuginfo (35.04 KB, text/plain)
2022-08-17 02:36 UTC, Liu Shukui
Details

Description Carlos López 2021-12-20 08:53:04 UTC
CVE-2021-41495

Null Pointer Dereference vulnerability exists in numpy.sort in NumPy < and
1.19 in the PyArray_DescrNew function due to missing return-value validation,
which allows attackers to conduct DoS attacks by repetitively creating and sorting
arrays.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-41495
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41495
https://github.com/numpy/numpy/issues/19038
Comment 1 Carlos López 2021-12-20 08:53:30 UTC
Affected codestreams:
 - SUSE:SLE-11-SP1:Update
 - SUSE:SLE-11-SP3:Update
 - SUSE:SLE-12:Update
 - SUSE:SLE-12-SP2:GA:Products:Update
 - SUSE:SLE-15:Update

Also affected on openSUSE:
 - openSUSE:Backports:SLE-15-SP2
 - openSUSE:Backports:SLE-15-SP3
 - openSUSE:Backports:SLE-15-SP4
 - openSUSE:Factory

There is no upstream patch for this issue yet.
Comment 2 Carlos López 2021-12-20 10:34:25 UTC
Missed python2-numpy during my initial assessment.

As with bnc#1193907, the 15-SP2 codestreams are close to EOL, and since there is no upstream patch yet, they will probably not get an update, but I'm listing them for completeness.

Affected codestreams:
 - SUSE:SLE-15:Update
 - SUSE:SLE-15-SP2:Update

Also affected on openSUSE:
 - openSUSE:Backports:SLE-15-SP2
Comment 3 Matej Cepl 2022-01-16 23:16:34 UTC
See the upstream ticket. Status (and severity) of this CVE is disputed, and there is no fix still available.
Comment 4 Carlos López 2022-02-03 14:40:43 UTC
This got fixed via the following PR:
https://github.com/numpy/numpy/pull/20960
Comment 7 Gianluca Gabrielli 2022-03-21 10:23:49 UTC
Hi Matej,

several requested submissions from comment 1 are still missing.
Comment 11 Swamp Workflow Management 2022-03-31 13:18:49 UTC
SUSE-SU-2022:1064-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1193907,1193911,1193913
CVE References: CVE-2021-33430,CVE-2021-41495,CVE-2021-41496
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Python2 15-SP3 (src):    python2-numpy-1.16.5-150200.3.5.1
SUSE Linux Enterprise Module for HPC 15-SP3 (src):    python-numpy_1_16_5-gnu-hpc-1.16.5-150200.3.5.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Swamp Workflow Management 2022-03-31 13:22:43 UTC
openSUSE-SU-2022:1064-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1193907,1193911,1193913
CVE References: CVE-2021-33430,CVE-2021-41495,CVE-2021-41496
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    python-numpy_1_16_5-gnu-hpc-1.16.5-150200.3.5.1, python2-numpy-1.16.5-150200.3.5.1
Comment 13 Liu Shukui 2022-04-01 12:39:02 UTC
Is there any progress?
Comment 15 Matej Cepl 2022-06-24 14:12:19 UTC
(In reply to Carlos López from comment #2)
> Missed python2-numpy during my initial assessment.
> 
> Affected codestreams:
>  - SUSE:SLE-15:Update

Are you certain about this one? According to is_maintained there doesn't seem to be any Product using it.
Comment 21 Matej Cepl 2022-06-27 11:24:30 UTC
OK, I capitulate in face of SUSE:SLE-11-SP1:Update: numpy 1.3.0 is just too archaeological code to apply the patch to. There is almost nothing to apply the patch onto, suggesting WONTFIX for that branch.

Rest has been submitted.
Comment 23 Robert Frohl 2022-07-05 14:48:45 UTC
(In reply to Matej Cepl from comment #21)
> OK, I capitulate in face of SUSE:SLE-11-SP1:Update: numpy 1.3.0 is just too
> archaeological code to apply the patch to. There is almost nothing to apply
> the patch onto, suggesting WONTFIX for that branch.
> 
> Rest has been submitted.

Any news on the segfault in sle15sp3 for the SUSE:SLE-15:Update submission ?
Comment 24 Matej Cepl 2022-07-11 09:00:02 UTC
(In reply to Robert Frohl from comment #23)
> Any news on the segfault in sle15sp3 for the SUSE:SLE-15:Update submission ?

Heh? Could you please point me to some logs. https://build.suse.de/package/show/SUSE:Maintenance:23344/python-numpy.SUSE_SLE-15_Update is not very helpful.
Comment 25 Swamp Workflow Management 2022-07-19 19:16:08 UTC
SUSE-SU-2022:2441-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1193907,1193911,1193913
CVE References: CVE-2021-33430,CVE-2021-41495,CVE-2021-41496
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    python2-numpy-1.16.5-150000.1.9.1
SUSE Linux Enterprise Server for SAP 15 (src):    python2-numpy-1.16.5-150000.1.9.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    python2-numpy-1.16.5-150000.1.9.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    python2-numpy-1.16.5-150000.1.9.1
SUSE Linux Enterprise Server 15-LTSS (src):    python2-numpy-1.16.5-150000.1.9.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    python-numpy_1_16_5-gnu-hpc-1.16.5-150000.1.9.1, python2-numpy-1.16.5-150000.1.9.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    python-numpy_1_16_5-gnu-hpc-1.16.5-150000.1.9.1, python2-numpy-1.16.5-150000.1.9.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    python-numpy_1_16_5-gnu-hpc-1.16.5-150000.1.9.1, python2-numpy-1.16.5-150000.1.9.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    python-numpy_1_16_5-gnu-hpc-1.16.5-150000.1.9.1, python2-numpy-1.16.5-150000.1.9.1
SUSE Enterprise Storage 6 (src):    python2-numpy-1.16.5-150000.1.9.1
SUSE CaaS Platform 4.0 (src):    python2-numpy-1.16.5-150000.1.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 27 Matej Cepl 2022-07-29 12:04:51 UTC
Concerning comment 8:

If you can collect a backtrace from gdb of how Python crashed (I suspect some extension module) then I can look at it, but as far as it stands right now, I cannot reproduce it. Please provide the standard “asking the smart question” material: what did you do, what did you expect, what did you observe, backtraces, complete logs, complete description of the environment, etc. This is certainly enough and if I won't get those data soon, I am closing as NORESPONSE (or I would say INSUFFICIENT_DATA).
Comment 28 Matej Cepl 2022-07-29 12:05:17 UTC
Sorry, not closing yet.
Comment 29 Liu Shukui 2022-07-29 20:13:01 UTC
(In reply to Matej Cepl from comment #27)
> Concerning comment 8:
> 
> If you can collect backtrace from gdb how the Python crashed (I suspect some
> extension module) then I can look at it, but as far as it stands right now,
> I cannot reproduce it. Please, provide, standard “asking the smart question”
> material: what did you do, what do you expect, what did you observe,
> backtraces, complete logs, complete description of the environment, etc.
> This is certainly enough and if I won't get those data soon, I am closing as
> NORESPONSE (or I would say INSUFFICIENT_DATA).

Hi, I don't know how to collect the related info. This is the newest segmentation fault after I update the system using "zypper up".

https://paste.opensuse.org/30359623
Comment 30 Matej Cepl 2022-07-29 22:39:25 UTC
(In reply to Liu Shukui from comment #29)
> Hi, I don't know how to collect the related info. This is the newest
> segmentation fault after I update the system using "zypper up".
> 
> https://paste.opensuse.org/30359623

Unfortunately the only information I get from this is

Segmentation fault (core dumped)

Which is not very useful.

Take a look at https://duckduckgo.com/?q=debugging+python+gdb+binary+backtrace and try some resources linked there.
Comment 32 Liu Shukui 2022-07-30 03:22:34 UTC
(In reply to Matej Cepl from comment #30)
> (In reply to Liu Shukui from comment #29)
> > Hi, I don't know how to collect the related info. This is the newest
> > segmentation fault after I update the system using "zypper up".
> > 
> > https://paste.opensuse.org/30359623
> 
> Unfortunately the only information I get from this is
> 
> Segmentation fault (core dumped)
> 
> Which is not very useful.
> 
> Take a look at
> https://duckduckgo.com/?q=debugging+python+gdb+binary+backtrace and try some
> resources linked there.

Unfortunately, I didn't find the debuginfo package from http://download.suse.de/download/ibs/SUSE/Updates/SLE-DEBUGINFO/.

Is this useful? https://paste.opensuse.org/13541021

Or we can use the tools tmate to debug it together.
Comment 33 Matej Cepl 2022-08-01 06:54:47 UTC
(In reply to Liu Shukui from comment #32)
> Unfortunately, I didn't find the debuginfo package from
> http://download.suse.de/download/ibs/SUSE/Updates/SLE-DEBUGINFO/.
> 
> Is this useful? https://paste.opensuse.org/13541021

Much better. If, when you get to that gdb prompt, you press

t a a bt<CR>

(that’s the abbreviation for ‘thread apply all backtrace’) and give me the whole (lengthy) output of that command, it would be absolutely awesome.
Comment 34 Liu Shukui 2022-08-01 07:47:13 UTC
(In reply to Matej Cepl from comment #33)
> (In reply to Liu Shukui from comment #32)
> > Unfortunately, I didn't find the debuginfo package from
> > http://download.suse.de/download/ibs/SUSE/Updates/SLE-DEBUGINFO/.
> > 
> > Is this useful? https://paste.opensuse.org/13541021
> 
> Much better, if when you get to that gdb prompt you press
> 
> t a a bt<CR>
> 
> (that’s abbreviation for ‘thread apply all backtrace’) and give me whole
> (lengthy) output of that command, it would be absolutely awesome.

Here it is.
https://paste.opensuse.org/11748072
Comment 35 Matej Cepl 2022-08-01 11:09:11 UTC
Created attachment 860518 [details]
mentioned content of pastebin

(In reply to Liu Shukui from comment #34)
> Here it is.
> https://paste.opensuse.org/11748072

It is always better to attach all information to Bugzilla itself. Pastebins come and go …
Comment 36 Matej Cepl 2022-08-01 18:10:44 UTC
Could you try once more with packages from https://build.suse.de/package/show/home:mcepl:branches:OBS_Maintained:python-numpy/python-numpy.SUSE_SLE-15_Update , please?
Comment 39 Swamp Workflow Management 2022-08-03 16:21:29 UTC
SUSE-SU-2022:2645-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1193911
CVE References: CVE-2021-41495
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    python-numpy-1.8.0-5.14.1
SUSE Linux Enterprise Server 12-SP5 (src):    python-numpy-1.8.0-5.14.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 40 Swamp Workflow Management 2022-08-03 16:25:04 UTC
SUSE-SU-2022:2646-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1193911
CVE References: CVE-2021-41495
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    python-numpy-1.17.3-150400.23.3.1, python-numpy_1_17_3-gnu-hpc-1.17.3-150400.23.3.1
SUSE Linux Enterprise Module for HPC 15-SP4 (src):    python-numpy_1_17_3-gnu-hpc-1.17.3-150400.23.3.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src):    python-numpy-1.17.3-150400.23.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 41 Swamp Workflow Management 2022-08-12 13:16:25 UTC
SUSE-SU-2022:2793-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1193911
CVE References: CVE-2021-41495
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for HPC 12 (src):    python-numpy_1_13_3-gnu-hpc-1.13.3-4.15.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 42 Matej Cepl 2022-08-16 07:07:26 UTC
(In reply to Liu Shukui from comment #38)
> Created attachment 860534 [details]
> result of the src.rpm from
> https://build.suse.de/package/binaries/home:mcepl:branches:OBS_Maintained:
> python-numpy/python-numpy.SUSE_SLE-15_Update:standard/SLE_15_SP3

Almost there, unfortunately still missing debugging information, and with this I haven’t found anything wrong with the code. Could you please install also python3-debug* packages first into the testing environment and provide the backtrace after that? Thank you very much.
Comment 43 Liu Shukui 2022-08-16 07:43:04 UTC
(In reply to Matej Cepl from comment #42)
> (In reply to Liu Shukui from comment #38)
> > Created attachment 860534 [details]
> > result of the src.rpm from
> > https://build.suse.de/package/binaries/home:mcepl:branches:OBS_Maintained:
> > python-numpy/python-numpy.SUSE_SLE-15_Update:standard/SLE_15_SP3
> 
> Almost there, unfortunately still missing debugging information, and with
> this I haven’t found anything wrong with the code. Could you please install
> also python3-debug* packages first into the testing environment and provide
> the backtrace after that? Thank you very much.

Sorry, I don't know where I can find the python3-debug* packages.
Comment 44 Robert Frohl 2022-08-16 11:15:32 UTC
(In reply to Liu Shukui from comment #43)
> (In reply to Matej Cepl from comment #42)
> > (In reply to Liu Shukui from comment #38)
> > > Created attachment 860534 [details]
> > > result of the src.rpm from
> > > https://build.suse.de/package/binaries/home:mcepl:branches:OBS_Maintained:
> > > python-numpy/python-numpy.SUSE_SLE-15_Update:standard/SLE_15_SP3
> > 
> > Almost there, unfortunately still missing debugging information, and with
> > this I haven’t found anything wrong with the code. Could you please install
> > also python3-debug* packages first into the testing environment and provide
> > the backtrace after that? Thank you very much.
> 
> Sorry, I don't know where I can find the python3-debug* packages.

You should be able to download them from https://build.suse.de/package/binaries/home:mcepl:branches:OBS_Maintained:python-numpy/python-numpy.SUSE_SLE-15_Update:standard/SLE_15_SP3 directly.

For example: look for 'python3-numpy-debuginfo-1.17.3-150200.14.1.x86_64.rpm' and install that manually.
Comment 45 Liu Shukui 2022-08-17 02:36:30 UTC
Created attachment 860821 [details]
python-numpy result after installing python3-numpy-debuginfo

I don't see many differences with debuginfo package installed.
Comment 46 Liu Shukui 2022-08-17 02:40:21 UTC
(In reply to Robert Frohl from comment #44)
> (In reply to Liu Shukui from comment #43)
> > (In reply to Matej Cepl from comment #42)
> > > (In reply to Liu Shukui from comment #38)
> > > > Created attachment 860534 [details]
> > > > result of the src.rpm from
> > > > https://build.suse.de/package/binaries/home:mcepl:branches:OBS_Maintained:
> > > > python-numpy/python-numpy.SUSE_SLE-15_Update:standard/SLE_15_SP3
> > > 
> > > Almost there, unfortunately still missing debugging information, and with
> > > this I haven’t found anything wrong with the code. Could you please install
> > > also python3-debug* packages first into the testing environment and provide
> > > the backtrace after that? Thank you very much.
> > 
> > Sorry, I don't know where I can find the python3-debug* packages.
> 
> You should be able to download them from
> https://build.suse.de/package/binaries/home:mcepl:branches:OBS_Maintained:
> python-numpy/python-numpy.SUSE_SLE-15_Update:standard/SLE_15_SP3 directly.
> 
> For example: look for
> 'python3-numpy-debuginfo-1.17.3-150200.14.1.x86_64.rpm' and install that
> manually.

Do we need to install python3-base-debuginfo-3.6.15-150300.10.27.1.x86_64?
But I don't know where to find it.
Comment 47 Matej Cepl 2022-08-20 22:25:14 UTC
(In reply to Liu Shukui from comment #46)
> Do we need to install python3-base-debuginfo-3.6.15-150300.10.27.1.x86_64?
> But I don't know where to find it.

The package is called python3-debuginfo (debuginfo packages are called according to the source package rather than by the binary packages).
Comment 48 Liu Shukui 2022-08-21 00:04:26 UTC
(In reply to Matej Cepl from comment #47)
> (In reply to Liu Shukui from comment #46)
> > Do we need to install python3-base-debuginfo-3.6.15-150300.10.27.1.x86_64?
> > But I don't know where to find it.
> 
> The package is called python3-debuginfo (debuginfo packages are called
> according to the source package rather than by the binary packages).


Got it, thanks for clarification. 
The problem is I don't know where to find python3-debuginfo.
Comment 49 Hu 2022-09-12 10:47:31 UTC
Usually you can find the debuginfo package by enabling the corresponding debuginfo repository.

For example:
1. Find out repository of python3 with: zypper info python3
--> you will see something like:
[...]
Repository     : SLE-Module-Basesystem15-SP3-Updates for sle-15-x86_64
[...]

2. Find the debuginfo repository to that repository: zypper lr 
--> there should be something like:  SLE-Module-Basesystem15-SP3-Debuginfo-Updates for sle-15-x86_64 
(so basically the repository + "-Debuginfo-*") 

3. Enable the debuginfo repository: zypper modifyrepo --enable <name of the debuginfo repo>
4. Then, search for the debuginfo package and you should see it: zypper se python3-debuginfo
5. Then, you should be able to install the package with: zypper in python3-debuginfo


See also this stackoverflow question: https://unix.stackexchange.com/questions/136341/where-can-i-get-the-kernel-default-debuginfo-package-for-sles-11

If this does not work, please do not hesitate to reach out again :)
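The debugging workflow spread over this thread (comment 33: collect a gdb "thread apply all bt" backtrace; comments 42 and 45: the backtrace is of little use while frames show up as "?? ()"; comment 47 and comment 49: find the matching "-Debuginfo-" repository and install the debuginfo package named after the source package) as one added script. This is an added example, not part of the bug report or of any SUSE tooling. It assumes gdb and zypper are installed and that the distribution follows the "<repo>-Debuginfo-<suffix>" naming convention described in comment 49; the repository-name mapping is generalised from that one "-Updates" case to any trailing component, and the zypper and gdb outputs embedded below are constructed samples, not captures from the reporter's machine.

```shell
#!/bin/sh
# Added example (not from the bug report): helpers for the gdb/debuginfo
# workflow described in comments 33, 42, 45, 47 and 49 of this bug.
# Assumes gdb, zypper and SUSE-style "<repo>-Debuginfo-<suffix>" repository
# names. Every sample text below is constructed, not captured from a real box.

# Run a crashing Python script under gdb and print every thread's backtrace,
# non-interactively, so the result can be attached to Bugzilla as a file.
collect_backtrace() {
    script=$1
    gdb -batch -ex run -ex 'thread apply all bt' --args python3 "$script" 2>&1
}

# Count backtrace frames gdb could not symbolize ("in ?? ()"). A non-zero
# count means debuginfo for that library is missing and the backtrace will
# not tell the maintainer where the crash happened. Reads the backtrace on stdin.
count_unresolved_frames() {
    grep -c ' in ?? ()' || true
}

# Pull the repository name out of "zypper info <package>" output, i.e. the
# "Repository     : <name> for <arch>" line quoted in comment 49. Reads stdin.
repo_from_zypper_info() {
    sed -n 's/^Repository *: *\([^ ]*\).*/\1/p' | head -n 1
}

# Derive the debuginfo repository from a package repository by inserting
# "-Debuginfo" before the last dash-separated component:
#   SLE-Module-Basesystem15-SP3-Updates -> SLE-Module-Basesystem15-SP3-Debuginfo-Updates
debuginfo_repo_for() {
    case $1 in
        *-*) printf '%s\n' "${1%-*}-Debuginfo-${1##*-}" ;;
        *)   printf '%s\n' "$1-Debuginfo" ;;
    esac
}

# Whole procedure from comment 49: find the repository of a binary package,
# enable its debuginfo twin, install the debuginfo package. The debuginfo
# package is named after the *source* package (comment 47), hence argument 2.
install_debuginfo() {
    binpkg=$1
    srcpkg=$2
    repo=$(zypper info "$binpkg" | repo_from_zypper_info)
    [ -n "$repo" ] || { echo "no repository found for $binpkg" >&2; return 1; }
    dbgrepo=$(debuginfo_repo_for "$repo")
    zypper modifyrepo --enable "$dbgrepo" && zypper in "$srcpkg-debuginfo"
}

# Constructed samples used by the self-check below.
SAMPLE_INFO='Information for package python3:
Repository     : SLE-Module-Basesystem15-SP3-Updates for sle-15-x86_64
Name           : python3'

SAMPLE_BT='Thread 1 (Thread 0x7f0000000000 (LWP 4242)):
#0  0x00007f0000001000 in ?? () from [placeholder numpy extension .so]
#1  0x00007f0000002000 in ?? () from [placeholder numpy extension .so]
#2  0x00007f0000003000 in _PyEval_EvalFrameDefault () from [placeholder libpython .so]'

case ${1:-} in
    backtrace) collect_backtrace "$2" ;;        # ./debug.sh backtrace crash.py
    debuginfo) install_debuginfo "$2" "$3" ;;   # ./debug.sh debuginfo python3 python3
    *)
        # No arguments: show what the helpers do on the constructed samples.
        repo=$(printf '%s\n' "$SAMPLE_INFO" | repo_from_zypper_info)
        echo "package repo:    $repo"
        echo "debuginfo repo:  $(debuginfo_repo_for "$repo")"
        echo "unresolved frames in sample backtrace: $(printf '%s\n' "$SAMPLE_BT" | count_unresolved_frames)"
        ;;
esac
```

Run it without arguments to see the helpers applied to the constructed samples (two of the three frames are unresolved, which is the situation in attachment 860821); with `backtrace <script>` it produces the file comment 35 asks to have attached to Bugzilla rather than pasted, and with `debuginfo <binary-package> <source-package>` it performs steps 1 to 5 of comment 49.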
Comment 50 Swamp Workflow Management 2022-09-12 16:21:43 UTC
SUSE-SU-2022:1064-2: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1193907,1193911,1193913
CVE References: CVE-2021-33430,CVE-2021-41495,CVE-2021-41496
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    python-numpy_1_16_5-gnu-hpc-1.16.5-150200.3.5.1
SUSE Manager Server 4.1 (src):    python2-numpy-1.16.5-150200.3.5.1
SUSE Manager Retail Branch Server 4.1 (src):    python2-numpy-1.16.5-150200.3.5.1
SUSE Manager Proxy 4.1 (src):    python2-numpy-1.16.5-150200.3.5.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    python2-numpy-1.16.5-150200.3.5.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    python2-numpy-1.16.5-150200.3.5.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    python-numpy_1_16_5-gnu-hpc-1.16.5-150200.3.5.1, python2-numpy-1.16.5-150200.3.5.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    python-numpy_1_16_5-gnu-hpc-1.16.5-150200.3.5.1, python2-numpy-1.16.5-150200.3.5.1
SUSE Enterprise Storage 7 (src):    python2-numpy-1.16.5-150200.3.5.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.