!47 手工回合修复CVE-2021-34141

From: @huangduirong Reviewed-by: @licihua Signed-off-by: @licihua
2022-05-31 06:48:24 +00:00 · 2022-05-31 06:48:24 +00:00 · b8111500e2
commit b8111500e2
parent 5ec7858956 63f131a210
2 changed files with 154 additions and 3 deletions
--- a/backport-CVE-2021-34141.patch
+++ b/backport-CVE-2021-34141.patch
@ -0,0 +1,144 @@
 From eeef9d4646103c3b1afd3085f1393f2b3f9575b2 Mon Sep 17 00:00:00 2001
 From: NectDz <54990613+NectDz@users.noreply.github.com>
 Date: Tue, 10 Aug 2021 18:00:35 -0500
 Subject: [PATCH] DEP: Remove deprecated numeric style dtype strings (#19539)
 Finishes the deprecation, and effectively closes gh-18993
 * Insecure String Comparison
 * Finished Deprecations
 * Breaks numpy types
 * Removed elements in dep_tps
 * Delete Typecode Comment
 * Deleted for loop
 * Fixed 80 characters or more issue
 * Expired Release Note
 * Updated Release Note
 * Update numpy/core/numerictypes.py
 * Update numpy/core/tests/test_deprecations.py
 Co-authored-by: Sebastian Berg <sebastian@sipsolutions.net>
 ---
 doc/release/upcoming_changes/19539.expired.rst |  2 ++
 numpy/core/_type_aliases.py                    |  9 ---------
 numpy/core/src/multiarray/descriptor.c         | 16 ----------------
 numpy/core/tests/test_deprecations.py          | 15 ---------------
 numpy/core/tests/test_dtype.py                 |  9 ++++++---
 5 files changed, 8 insertions(+), 43 deletions(-)
 create mode 100644 doc/release/upcoming_changes/19539.expired.rst
 diff --git a/doc/release/upcoming_changes/19539.expired.rst b/doc/release/upcoming_changes/19539.expired.rst
 new file mode 100644
 index 0000000..6e94f17
 --- /dev/null
 +++ b/doc/release/upcoming_changes/19539.expired.rst
@@ -0,0 +1,2 @@
 +* Using the strings ``"Bytes0"``, ``"Datetime64"``, ``"Str0"``, ``"Uint32"``,
 +  and ``"Uint64"`` as a dtype will now raise a ``TypeError``.
 \ No newline at end of file
 diff --git a/numpy/core/_type_aliases.py b/numpy/core/_type_aliases.py
 index 67addef..3765a0d 100644
 --- a/numpy/core/_type_aliases.py
 +++ b/numpy/core/_type_aliases.py
@@ -115,15 +115,6 @@ def _add_aliases():
         # add forward, reverse, and string mapping to numarray
         sctypeDict[char] = info.type
 -    # Add deprecated numeric-style type aliases manually, at some point
 -    # we may want to deprecate the lower case "bytes0" version as well.
 -    for name in ["Bytes0", "Datetime64", "Str0", "Uint32", "Uint64"]:
 -        if english_lower(name) not in allTypes:
 -            # Only one of Uint32 or Uint64, aliases of `np.uintp`, was (and is) defined, note that this
 -            # is not UInt32/UInt64 (capital i), which is removed.
 -            continue
 -        allTypes[name] = allTypes[english_lower(name)]
 -        sctypeDict[name] = sctypeDict[english_lower(name)]
 _add_aliases()
 diff --git a/numpy/core/src/multiarray/descriptor.c b/numpy/core/src/multiarray/descriptor.c
 index 50964da..90453e3 100644
 --- a/numpy/core/src/multiarray/descriptor.c
 +++ b/numpy/core/src/multiarray/descriptor.c
@@ -1723,22 +1723,6 @@ _convert_from_str(PyObject *obj, int align)
             goto fail;
         }
 -        /* Check for a deprecated Numeric-style typecode */
 -        /* `Uint` has deliberately weird uppercasing */
 -        char *dep_tps[] = {"Bytes", "Datetime64", "Str", "Uint"};
 -        int ndep_tps = sizeof(dep_tps) / sizeof(dep_tps[0]);
 -        for (int i = 0; i < ndep_tps; ++i) {
 -            char *dep_tp = dep_tps[i];
 -
 -            if (strncmp(type, dep_tp, strlen(dep_tp)) == 0) {
 -                /* Deprecated 2020-06-09, NumPy 1.20 */
 -                if (DEPRECATE("Numeric-style type codes are "
 -                              "deprecated and will result in "
 -                              "an error in the future.") < 0) {
 -                    goto fail;
 -                }
 -            }
 -        }
         /*
          * Probably only ever dispatches to `_convert_from_type`, but who
          * knows what users are injecting into `np.typeDict`.
 diff --git a/numpy/core/tests/test_deprecations.py b/numpy/core/tests/test_deprecations.py
 index 42e632e..44a3ed7 100644
 --- a/numpy/core/tests/test_deprecations.py
 +++ b/numpy/core/tests/test_deprecations.py
@@ -314,21 +314,6 @@ def test_insufficient_width_negative(self):
         self.assert_deprecated(np.binary_repr, args=args, kwargs=kwargs)
 -class TestNumericStyleTypecodes(_DeprecationTestCase):
 -    """
 -    Most numeric style typecodes were previously deprecated (and removed)
 -    in 1.20. This also deprecates the remaining ones.
 -    """
 -    # 2020-06-09, NumPy 1.20
 -    def test_all_dtypes(self):
 -        deprecated_types = ['Bytes0', 'Datetime64', 'Str0']
 -        # Depending on intp size, either Uint32 or Uint64 is defined:
 -        deprecated_types.append(f"U{np.dtype(np.intp).name}")
 -        for dt in deprecated_types:
 -            self.assert_deprecated(np.dtype, exceptions=(TypeError,),
 -                                   args=(dt,))
 -
 -
 class TestDTypeAttributeIsDTypeDeprecation(_DeprecationTestCase):
     # Deprecated 2021-01-05, NumPy 1.21
     message = r".*`.dtype` attribute"
 diff --git a/numpy/core/tests/test_dtype.py b/numpy/core/tests/test_dtype.py
 index 4f52268..23269f0 100644
 --- a/numpy/core/tests/test_dtype.py
 +++ b/numpy/core/tests/test_dtype.py
@@ -109,9 +109,12 @@ def test_richcompare_invalid_dtype_comparison(self, operation):
             operation(np.dtype(np.int32), 7)
     @pytest.mark.parametrize("dtype",
 -             ['Bool', 'Complex32', 'Complex64', 'Float16', 'Float32', 'Float64',
 -              'Int8', 'Int16', 'Int32', 'Int64', 'Object0', 'Timedelta64',
 -              'UInt8', 'UInt16', 'UInt32', 'UInt64', 'Void0',
 +             ['Bool', 'Bytes0', 'Complex32', 'Complex64',
 +              'Datetime64', 'Float16', 'Float32', 'Float64',
 +              'Int8', 'Int16', 'Int32', 'Int64', 
 +              'Object0', 'Str0', 'Timedelta64',
 +              'UInt8', 'UInt16', 'Uint32', 'UInt32', 
 +              'Uint64', 'UInt64', 'Void0',
               "Float128", "Complex128"])
     def test_numeric_style_types_are_invalid(self, dtype):
         with assert_raises(TypeError):
 -- 
 1.8.3.1
--- a/numpy.spec
+++ b/numpy.spec
@ -2,7 +2,7 @@
 Name:           numpy
 Version:        1.21.4
-Release:        3
+Release:        4
 Epoch:          1
 Summary:        A fast multidimensional array facility for Python
@ -16,6 +16,7 @@ BuildRequires:  python3-Cython >= 0.29.24
 Patch0:         backport-CVE-2021-41496.patch
 Patch1:         backport-CVE-2021-41495.patch
 Patch2:         backport-CVE-2021-34141.patch
 %description
 NumPy is the fundamental package for scientific computing with Python. It contains among other things:
@ -105,8 +106,14 @@ popd &> /dev/null
 %changelog
-+* Tue Feb 08 2022 renhongxun <renhongxun@h-partners.com> - 1.21.4-3
+* Tue May 31 2022 huangduirong <huangduirong@huawei.com> - 1.21.4-4
-+- fix CVE-2021-41495
+- Type:CVE
 - ID:CVE-2021-34141
 - SUGA:NA
 - DESC:fix CVE-2021-34141
 * Tue Feb 08 2022 renhongxun <renhongxun@h-partners.com> - 1.21.4-3
 - fix CVE-2021-41495
 * Wed Jan 05 2022 yuanxin <yuanxin24@huawei.com> - 1.21.4-2
 - fix CVE-2021-41496