From f4342635241ab7193b913347945290e4a2da7179df12542f4dca6f62bcd0cc0e Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Mark=C3=A9ta=20Machov=C3=A1?= Date: Tue, 11 Oct 2022 15:42:53 +0000 Subject: [PATCH 1/3] Accepting request 1009807 from home:bnavigator:branches:devel:languages:python:numeric - Update to 1.2.0 * Fix a security issue where eval(pre_dispatch) could potentially run arbitrary code. Now only basic numerics are supported. #1327 * Make sure that joblib works even when multiprocessing is not available, for instance with Pyodide #1256 * Avoid unnecessary warnings when workers and main process delete the temporary memmap folder contents concurrently. #1263 * Vendor loky 3.1.0 with several fixes to more robustly forcibly terminate worker processes in case of a crash. #1269 * Fix memory alignment bug for pickles containing numpy arrays. This is especially important when loading the pickle with mmap_mode != None as the resulting numpy.memmap object would not be able to correct the misalignment without performing a memory copy. This bug would cause invalid computation and segmentation faults with native code that would directly access the underlying data buffer of a numpy array, for instance C/C++/Cython code compiled with older GCC versions or some old OpenBLAS written in platform specific assembly. #1254 * Vendor cloudpickle 2.2.0 which adds support for PyPy 3.8+. * Vendor loky 3.3.0 which fixes a bug with leaking processes in case of nested loky parallel calls and more reliability spawn the correct number of reusable workers. 
- Drop support-setuptools-62.patch OBS-URL: https://build.opensuse.org/request/show/1009807 OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-joblib?expand=0&rev=52
---
 joblib-1.1.0.tar.gz | 3 ---
 joblib-1.2.0.tar.gz | 3 +++
 python-joblib.changes | 28 ++++++++++++++++++++++++++++
 python-joblib.spec | 8 +++-----
 support-setuptools-62.patch | 13 -------------
 5 files changed, 34 insertions(+), 21 deletions(-)
 delete mode 100644 joblib-1.1.0.tar.gz
 create mode 100644 joblib-1.2.0.tar.gz
 delete mode 100644 support-setuptools-62.patch
diff --git a/joblib-1.1.0.tar.gz b/joblib-1.1.0.tar.gz
deleted file mode 100644
index 220a876..0000000
--- a/joblib-1.1.0.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:4158fcecd13733f8be669be0683b96ebdbbd38d23559f54dca7205aea1bf1e35
-size 2063601
diff --git a/joblib-1.2.0.tar.gz b/joblib-1.2.0.tar.gz
new file mode 100644
index 0000000..a29691a
--- /dev/null
+++ b/joblib-1.2.0.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e1cee4a79e4af22881164f218d4311f60074197fb707e082e803b61f6d137018
+size 313200
diff --git a/python-joblib.changes b/python-joblib.changes
index 90e9e6a..a364f97 100644
--- a/python-joblib.changes
+++ b/python-joblib.changes
@@ -1,3 +1,31 @@
+-------------------------------------------------------------------
+Tue Oct 11 13:20:33 UTC 2022 - Ben Greiner
+
+- Update to 1.2.0
+ * Fix a security issue where eval(pre_dispatch) could potentially
+ run arbitrary code. Now only basic numerics are supported.
+ #1327
+ * Make sure that joblib works even when multiprocessing is not
+ available, for instance with Pyodide #1256
+ * Avoid unnecessary warnings when workers and main process delete
+ the temporary memmap folder contents concurrently. #1263
+ * Vendor loky 3.1.0 with several fixes to more robustly forcibly
+ terminate worker processes in case of a crash. #1269
+ * Fix memory alignment bug for pickles containing numpy arrays.
+ This is especially important when loading the pickle with
+ mmap_mode != None as the resulting numpy.memmap object would
+ not be able to correct the misalignment without performing a
+ memory copy. This bug would cause invalid computation and
+ segmentation faults with native code that would directly access
+ the underlying data buffer of a numpy array, for instance
+ C/C++/Cython code compiled with older GCC versions or some old
+ OpenBLAS written in platform specific assembly. #1254
+ * Vendor cloudpickle 2.2.0 which adds support for PyPy 3.8+.
+ * Vendor loky 3.3.0 which fixes a bug with leaking processes in
+ case of nested loky parallel calls and more reliability spawn
+ the correct number of reusable workers.
+- Drop support-setuptools-62.patch
+
 -------------------------------------------------------------------
 Wed Jul 20 11:00:18 UTC 2022 - Steve Kowalik
diff --git a/python-joblib.spec b/python-joblib.spec
index 95a5c73..373dc4d 100644
--- a/python-joblib.spec
+++ b/python-joblib.spec
@@ -16,16 +16,14 @@
 #
-%{?!python_module:%define python_module() python-%{**} python3-%{**}}
-%global skip_python2 1
 Name: python-joblib
-Version: 1.1.0
+Version: 1.2.0
 Release: 0
 Summary: Module for using Python functions as pipeline jobs
 License: BSD-3-Clause
 URL: https://github.com/joblib/joblib
 Source: https://files.pythonhosted.org/packages/source/j/joblib/joblib-%{version}.tar.gz
-Patch0: support-setuptools-62.patch
+BuildRequires: %{python_module base >= 3.7}
 BuildRequires: %{python_module lz4}
 BuildRequires: %{python_module numpy}
 BuildRequires: %{python_module psutil}
@@ -111,7 +109,7 @@ fi
 %files %{python_files}
 %license LICENSE.txt
 %doc README.rst
-%{python_sitelib}/joblib-%{version}-py*.egg-info
+%{python_sitelib}/joblib-%{version}*-info
 %{python_sitelib}/joblib/
 %changelog
diff --git a/support-setuptools-62.patch b/support-setuptools-62.patch
deleted file mode 100644
index cf80b60..0000000
--- a/support-setuptools-62.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-Index: joblib-1.1.0/joblib/test/test_numpy_pickle.py
-===================================================================
---- joblib-1.1.0.orig/joblib/test/test_numpy_pickle.py
-+++ joblib-1.1.0/joblib/test/test_numpy_pickle.py
-@@ -279,7 +279,7 @@ def test_compress_mmap_mode_warning(tmpd
- numpy_pickle.dump(a, this_filename, compress=1)
- with warns(UserWarning) as warninfo:
- numpy_pickle.load(this_filename, mmap_mode='r+')
-- assert len(warninfo) == 1
-+ assert len(warninfo) >= 1
- assert (str(warninfo[0].message) ==
- 'mmap_mode "%(mmap_mode)s" is not compatible with compressed '
- 'file %(filename)s. "%(mmap_mode)s" flag will be ignored.' %
From 027cdc94e6d051a3cbd472b401a291dbc8478686f3bc345500bba22bd639a64a Mon Sep 17 00:00:00 2001
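Review bot: `Patch0: support-setuptools-62.patch` is removed in the first python-joblib.spec hunk with no stated reason; the changelog entry only says `- Drop support-setuptools-62.patch`. The deleted patch relaxed `assert len(warninfo) == 1` to `assert len(warninfo) >= 1` in test_compress_mmap_mode_warning. If the 1.2.0 tarball still carries the strict assertion and the test suite runs at build time (the %check section is outside these hunks), the build would presumably fail again under setuptools 62. Once that has been checked against the new source, I would record the reason in the changelog, e.g. `- Drop support-setuptools-62.patch (no longer needed with 1.2.0)`.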
From: Dirk Mueller Date: Wed, 12 Oct 2022 09:23:51 +0000 Subject: [PATCH 2/3] - Update to 1.2.0 (CVE-2022-21797) OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-joblib?expand=0&rev=53
---
 python-joblib.changes | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/python-joblib.changes b/python-joblib.changes
index a364f97..d436537 100644
--- a/python-joblib.changes
+++ b/python-joblib.changes
@@ -1,7 +1,7 @@
 -------------------------------------------------------------------
 Tue Oct 11 13:20:33 UTC 2022 - Ben Greiner
-- Update to 1.2.0
+- Update to 1.2.0 (CVE-2022-21797)
 * Fix a security issue where eval(pre_dispatch) could potentially
 run arbitrary code. Now only basic numerics are supported.
 #1327
From bfcfcbcb1229881788560b97cb6f7f6f9532bc12d834c474a70ea8fad285e860 Mon Sep 17 00:00:00 2001
From: Dirk Mueller Date: Wed, 12 Oct 2022 09:49:46 +0000 Subject: [PATCH 3/3] - Update to 1.2.0 (CVE-2022-21797, bsc#1204232) OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-joblib?expand=0&rev=54
---
 python-joblib.changes | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/python-joblib.changes b/python-joblib.changes
index d436537..c9cf0eb 100644
--- a/python-joblib.changes
+++ b/python-joblib.changes
@@ -1,7 +1,7 @@
 -------------------------------------------------------------------
 Tue Oct 11 13:20:33 UTC 2022 - Ben Greiner
-- Update to 1.2.0 (CVE-2022-21797)
+- Update to 1.2.0 (CVE-2022-21797, bsc#1204232)
 * Fix a security issue where eval(pre_dispatch) could potentially
 run arbitrary code. Now only basic numerics are supported.
 #1327