!47 手工回合修复CVE-2021-34141

From: @huangduirong Reviewed-by: @licihua Signed-off-by: @licihua
2022-05-31 06:48:24 +00:00 · 2022-05-31 06:48:24 +00:00 · b8111500e2
commit b8111500e2
parent 5ec7858956 63f131a210
2 changed files with 154 additions and 3 deletions
--- a/backport-CVE-2021-34141.patch
+++ b/backport-CVE-2021-34141.patch
@ -0,0 +1,144 @@
+From eeef9d4646103c3b1afd3085f1393f2b3f9575b2 Mon Sep 17 00:00:00 2001
+From: NectDz <54990613+NectDz@users.noreply.github.com>
+Date: Tue, 10 Aug 2021 18:00:35 -0500
+Subject: [PATCH] DEP: Remove deprecated numeric style dtype strings (#19539)
+
+Finishes the deprecation, and effectively closes gh-18993
+
+* Insecure String Comparison
+
+* Finished Deprecations
+
+* Breaks numpy types
+
+* Removed elements in dep_tps
+
+* Delete Typecode Comment
+
+* Deleted for loop
+
+* Fixed 80 characters or more issue
+
+* Expired Release Note
+
+* Updated Release Note
+
+* Update numpy/core/numerictypes.py
+
+* Update numpy/core/tests/test_deprecations.py
+
+Co-authored-by: Sebastian Berg <sebastian@sipsolutions.net>
+---
+ doc/release/upcoming_changes/19539.expired.rst |  2 ++
+ numpy/core/_type_aliases.py                    |  9 ---------
+ numpy/core/src/multiarray/descriptor.c         | 16 ----------------
+ numpy/core/tests/test_deprecations.py          | 15 ---------------
+ numpy/core/tests/test_dtype.py                 |  9 ++++++---
+ 5 files changed, 8 insertions(+), 43 deletions(-)
+ create mode 100644 doc/release/upcoming_changes/19539.expired.rst
+
+diff --git a/doc/release/upcoming_changes/19539.expired.rst b/doc/release/upcoming_changes/19539.expired.rst
+new file mode 100644
+index 0000000..6e94f17
+--- /dev/null
+++ b/doc/release/upcoming_changes/19539.expired.rst
+@@ -0,0 +1,2 @@
+* Using the strings ``"Bytes0"``, ``"Datetime64"``, ``"Str0"``, ``"Uint32"``,
+  and ``"Uint64"`` as a dtype will now raise a ``TypeError``.
+\ No newline at end of file
+diff --git a/numpy/core/_type_aliases.py b/numpy/core/_type_aliases.py
+index 67addef..3765a0d 100644
+--- a/numpy/core/_type_aliases.py
+++ b/numpy/core/_type_aliases.py
+@@ -115,15 +115,6 @@ def _add_aliases():
+         # add forward, reverse, and string mapping to numarray
+         sctypeDict[char] = info.type
+ 
+-    # Add deprecated numeric-style type aliases manually, at some point
+-    # we may want to deprecate the lower case "bytes0" version as well.
+-    for name in ["Bytes0", "Datetime64", "Str0", "Uint32", "Uint64"]:
+-        if english_lower(name) not in allTypes:
+-            # Only one of Uint32 or Uint64, aliases of `np.uintp`, was (and is) defined, note that this
+-            # is not UInt32/UInt64 (capital i), which is removed.
+-            continue
+-        allTypes[name] = allTypes[english_lower(name)]
+-        sctypeDict[name] = sctypeDict[english_lower(name)]
+ 
+ _add_aliases()
+ 
+diff --git a/numpy/core/src/multiarray/descriptor.c b/numpy/core/src/multiarray/descriptor.c
+index 50964da..90453e3 100644
+--- a/numpy/core/src/multiarray/descriptor.c
+++ b/numpy/core/src/multiarray/descriptor.c
+@@ -1723,22 +1723,6 @@ _convert_from_str(PyObject *obj, int align)
+             goto fail;
+         }
+ 
+-        /* Check for a deprecated Numeric-style typecode */
+-        /* `Uint` has deliberately weird uppercasing */
+-        char *dep_tps[] = {"Bytes", "Datetime64", "Str", "Uint"};
+-        int ndep_tps = sizeof(dep_tps) / sizeof(dep_tps[0]);
+-        for (int i = 0; i < ndep_tps; ++i) {
+-            char *dep_tp = dep_tps[i];
+-
+-            if (strncmp(type, dep_tp, strlen(dep_tp)) == 0) {
+-                /* Deprecated 2020-06-09, NumPy 1.20 */
+-                if (DEPRECATE("Numeric-style type codes are "
+-                              "deprecated and will result in "
+-                              "an error in the future.") < 0) {
+-                    goto fail;
+-                }
+-            }
+-        }
+         /*
+          * Probably only ever dispatches to `_convert_from_type`, but who
+          * knows what users are injecting into `np.typeDict`.
+diff --git a/numpy/core/tests/test_deprecations.py b/numpy/core/tests/test_deprecations.py
+index 42e632e..44a3ed7 100644
+--- a/numpy/core/tests/test_deprecations.py
+++ b/numpy/core/tests/test_deprecations.py
+@@ -314,21 +314,6 @@ def test_insufficient_width_negative(self):
+         self.assert_deprecated(np.binary_repr, args=args, kwargs=kwargs)
+ 
+ 
+-class TestNumericStyleTypecodes(_DeprecationTestCase):
+-    """
+-    Most numeric style typecodes were previously deprecated (and removed)
+-    in 1.20. This also deprecates the remaining ones.
+-    """
+-    # 2020-06-09, NumPy 1.20
+-    def test_all_dtypes(self):
+-        deprecated_types = ['Bytes0', 'Datetime64', 'Str0']
+-        # Depending on intp size, either Uint32 or Uint64 is defined:
+-        deprecated_types.append(f"U{np.dtype(np.intp).name}")
+-        for dt in deprecated_types:
+-            self.assert_deprecated(np.dtype, exceptions=(TypeError,),
+-                                   args=(dt,))
+-
+-
+ class TestDTypeAttributeIsDTypeDeprecation(_DeprecationTestCase):
+     # Deprecated 2021-01-05, NumPy 1.21
+     message = r".*`.dtype` attribute"
+diff --git a/numpy/core/tests/test_dtype.py b/numpy/core/tests/test_dtype.py
+index 4f52268..23269f0 100644
+--- a/numpy/core/tests/test_dtype.py
+++ b/numpy/core/tests/test_dtype.py
+@@ -109,9 +109,12 @@ def test_richcompare_invalid_dtype_comparison(self, operation):
+             operation(np.dtype(np.int32), 7)
+ 
+     @pytest.mark.parametrize("dtype",
+-             ['Bool', 'Complex32', 'Complex64', 'Float16', 'Float32', 'Float64',
+-              'Int8', 'Int16', 'Int32', 'Int64', 'Object0', 'Timedelta64',
+-              'UInt8', 'UInt16', 'UInt32', 'UInt64', 'Void0',
+             ['Bool', 'Bytes0', 'Complex32', 'Complex64',
+              'Datetime64', 'Float16', 'Float32', 'Float64',
+              'Int8', 'Int16', 'Int32', 'Int64', 
+              'Object0', 'Str0', 'Timedelta64',
+              'UInt8', 'UInt16', 'Uint32', 'UInt32', 
+              'Uint64', 'UInt64', 'Void0',
+               "Float128", "Complex128"])
+     def test_numeric_style_types_are_invalid(self, dtype):
+         with assert_raises(TypeError):
+-- 
+1.8.3.1
+
--- a/numpy.spec
+++ b/numpy.spec
@ -2,7 +2,7 @@

 Name:           numpy
 Version:        1.21.4
-Release:        3
+Release:        4
 Epoch:          1
 Summary:        A fast multidimensional array facility for Python

@ -16,6 +16,7 @@ BuildRequires:  python3-Cython >= 0.29.24

 Patch0:         backport-CVE-2021-41496.patch
 Patch1:         backport-CVE-2021-41495.patch
+Patch2:         backport-CVE-2021-34141.patch

 %description
 NumPy is the fundamental package for scientific computing with Python. It contains among other things:
@ -105,8 +106,14 @@ popd &> /dev/null


 %changelog
-+* Tue Feb 08 2022 renhongxun <renhongxun@h-partners.com> - 1.21.4-3
-+- fix CVE-2021-41495
+* Tue May 31 2022 huangduirong <huangduirong@huawei.com> - 1.21.4-4
+- Type:CVE
+- ID:CVE-2021-34141
+- SUGA:NA
+- DESC:fix CVE-2021-34141
+
+* Tue Feb 08 2022 renhongxun <renhongxun@h-partners.com> - 1.21.4-3
+- fix CVE-2021-41495

 * Wed Jan 05 2022 yuanxin <yuanxin24@huawei.com> - 1.21.4-2
 - fix CVE-2021-41496