commit python-nltk for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package python-nltk for openSUSE:Factory checked in at 2024-07-26 16:16:05 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python-nltk (Old) and /work/SRC/openSUSE:Factory/.python-nltk.new.1882 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "python-nltk" Fri Jul 26 16:16:05 2024 rev:17 rq:1189727 version:3.8.1 Changes: -------- --- /work/SRC/openSUSE:Factory/python-nltk/python-nltk.changes 2024-07-04 16:25:22.072097966 +0200 +++ /work/SRC/openSUSE:Factory/.python-nltk.new.1882/python-nltk.changes 2024-07-26 16:16:30.880155750 +0200 @@ -1,0 +2,8 @@ +Fri Jul 26 07:14:33 UTC 2024 - Daniel Garcia <daniel.garcia@suse.com> + +- Add CVE-2024-39705.patch upstream patch to fix unsafe pickle usage. + (CVE-2024-39705, gh#nltk/nltk#3266, bsc#1227174). +- Drop CVE-2024-39705-disable-download.patch as it's not needed + anymore. + +------------------------------------------------------------------- Old: ---- CVE-2024-39705-disable-download.patch New: ---- CVE-2024-39705.patch BETA DEBUG BEGIN: Old: (CVE-2024-39705, gh#nltk/nltk#3266, bsc#1227174). - Drop CVE-2024-39705-disable-download.patch as it's not needed anymore. BETA DEBUG END: BETA DEBUG BEGIN: New: - Add CVE-2024-39705.patch upstream patch to fix unsafe pickle usage. (CVE-2024-39705, gh#nltk/nltk#3266, bsc#1227174). BETA DEBUG END: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python-nltk.spec ++++++ --- /var/tmp/diff_new_pack.G8VrHs/_old 2024-07-26 16:16:35.236331053 +0200 +++ /var/tmp/diff_new_pack.G8VrHs/_new 2024-07-26 16:16:35.252331697 +0200 @@ -63,9 +63,8 @@ Patch0: skip-networked-test.patch # PATCH-FIX-UPSTREAM nltk-pr3207-py312.patch gh#nltk/nltk#3207 Patch1: nltk-pr3207-py312.patch -# PATCH-FIX-UPSTREAM CVE-2024-39705-disable-download.patch bsc#1227174 mcepl@suse.com -# this patch makes things totally awesome -Patch2: CVE-2024-39705-disable-download.patch +# PATCH-FIX-UPSTREAM CVE-2024-39705.patch bsc#1227174 gh#nltk/nltk#3290 +Patch2: CVE-2024-39705.patch BuildRequires: %{python_module base >= 3.7} BuildRequires: %{python_module pip} BuildRequires: %{python_module setuptools} ++++++ CVE-2024-39705-disable-download.patch -> CVE-2024-39705.patch ++++++ --- /work/SRC/openSUSE:Factory/python-nltk/CVE-2024-39705-disable-download.patch 2024-07-04 16:25:21.136063781 +0200 +++ /work/SRC/openSUSE:Factory/.python-nltk.new.1882/CVE-2024-39705.patch 2024-07-26 16:16:30.856154784 +0200 @@ -1,104 +1,38 @@ +From a12d0a6a8cdba58d5e4e5f92ac62bb80fc26c624 Mon Sep 17 00:00:00 2001 +From: Eric Kafe <kafe.eric@gmail.com> +Date: Tue, 23 Jul 2024 09:09:09 +0200 +Subject: [PATCH] Prevent data.load from unpickling classes or functions + --- - nltk/app/chartparser_app.py | 13 +++++++++++++ - nltk/corpus/reader/util.py | 2 ++ - nltk/data.py | 2 ++ - nltk/parse/transitionparser.py | 2 ++ - nltk/tbl/demo.py | 4 +++- - 5 files changed, 22 insertions(+), 1 deletion(-) + nltk/data.py | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) ---- a/nltk/app/chartparser_app.py -+++ b/nltk/app/chartparser_app.py -@@ -800,6 +800,10 @@ class ChartComparer: - showerror("Error Saving Chart", f"Unable to open file: {filename!r}\n{e}") - - def load_chart_dialog(self, *args): -+ showerror("Security Error", -+ "Due to gh#nltk/nltk#3266, deserializing from " + -+ "a pickle is forbidden.") -+ return - filename = askopenfilename( - filetypes=self.CHART_FILE_TYPES, defaultextension=".pickle" - ) -@@ -811,6 +815,8 @@ class ChartComparer: - showerror("Error Loading Chart", f"Unable to open file: {filename!r}\n{e}") - - def load_chart(self, filename): -+ raise RuntimeError("Due to gh#nltk/nltk#3266, deserializing from " + -+ "a pickle is forbidden.") - with open(filename, "rb") as infile: - chart = pickle.load(infile) - name = os.path.basename(filename) -@@ -2268,6 +2274,10 @@ class ChartParserApp: - if not filename: - return - try: -+ showerror("Security Error", -+ "Due to gh#nltk/nltk#3266, deserializing from " + -+ "a pickle is forbidden.") -+ return - with open(filename, "rb") as infile: - chart = pickle.load(infile) - self._chart = chart -@@ -2306,6 +2316,9 @@ class ChartParserApp: - return - try: - if filename.endswith(".pickle"): -+ showerror("Due to gh#nltk/nltk#3266, deserializing from " + -+ "a pickle is forbidden.") -+ return - with open(filename, "rb") as infile: - grammar = pickle.load(infile) - else: ---- a/nltk/corpus/reader/util.py -+++ b/nltk/corpus/reader/util.py -@@ -521,6 +521,8 @@ class PickleCorpusView(StreamBackedCorpu - - def read_block(self, stream): - result = [] -+ raise RuntimeError("Due to gh#nltk/nltk#3266, deserializing from " + -+ "a pickle is forbidden.") - for i in range(self.BLOCK_SIZE): - try: - result.append(pickle.load(stream)) +diff --git a/nltk/data.py b/nltk/data.py +index cc9229b0a2..fb242721c5 100644 --- a/nltk/data.py +++ b/nltk/data.py -@@ -752,6 +752,8 @@ def load( +@@ -658,6 +658,15 @@ def retrieve(resource_url, filename=None, verbose=True): + } + + ++def restricted_pickle_load(string): ++ """ ++ Prevents any class or function from loading. ++ """ ++ from nltk.app.wordnet_app import RestrictedUnpickler ++ ++ return RestrictedUnpickler(BytesIO(string)).load() ++ ++ + def load( + resource_url, + format="auto", +@@ -751,7 +760,7 @@ def load( if format == "raw": resource_val = opened_resource.read() elif format == "pickle": -+ raise RuntimeError("Due to gh#nltk/nltk#3266, deserializing from " + -+ "a pickle is forbidden.") - resource_val = pickle.load(opened_resource) +- resource_val = pickle.load(opened_resource) ++ resource_val = restricted_pickle_load(opened_resource.read()) elif format == "json": import json ---- a/nltk/parse/transitionparser.py -+++ b/nltk/parse/transitionparser.py -@@ -553,6 +553,8 @@ class TransitionParser(ParserI): - """ - result = [] - # First load the model -+ raise RuntimeError("Due to gh#nltk/nltk#3266, deserializing from " + -+ "a pickle is forbidden.") - model = pickle.load(open(modelFile, "rb")) - operation = Transition(self._algorithm) ---- a/nltk/tbl/demo.py -+++ b/nltk/tbl/demo.py -@@ -253,6 +253,8 @@ def postag( - ) - ) - with open(cache_baseline_tagger) as print_rules: -+ raise RuntimeError("Due to gh#nltk/nltk#3266, deserializing from " + -+ "a pickle is forbidden.") - baseline_tagger = pickle.load(print_rules) - print(f"Reloaded pickled tagger from {cache_baseline_tagger}") - else: -@@ -327,7 +329,7 @@ def postag( - with open(serialize_output) as print_rules: - brill_tagger_reloaded = pickle.load(print_rules) - print(f"Reloaded pickled tagger from {serialize_output}") -- taggedtest_reloaded = brill_tagger.tag_sents(testing_data) -+ taggedtest_reloaded = brill_tagger_reloaded.tag_sents(testing_data) - if taggedtest == taggedtest_reloaded: - print("Reloaded tagger tried on test set, results identical") - else:
participants (1)
-
Source-Sync