From e3fe31f4a2c44fef8da55c60c3f95a763fdfd3c7 Mon Sep 17 00:00:00 2001 From: Nicolás Reynolds Date: Wed, 12 Feb 2014 03:48:50 +0000 Subject: Wed Feb 12 03:44:41 UTC 2014 --- extra/python-numpy/PKGBUILD | 14 +- extra/python-numpy/numpy-insecure-mktemp-use.patch | 263 +++++++++++++++++++++ 2 files changed, 273 insertions(+), 4 deletions(-) create mode 100644 extra/python-numpy/numpy-insecure-mktemp-use.patch (limited to 'extra/python-numpy') diff --git a/extra/python-numpy/PKGBUILD b/extra/python-numpy/PKGBUILD index 5df819ca9..a9d6dd708 100755 --- a/extra/python-numpy/PKGBUILD +++ b/extra/python-numpy/PKGBUILD @@ -1,4 +1,4 @@ -# $Id: PKGBUILD 200823 2013-12-06 08:09:29Z jgc $ +# $Id: PKGBUILD 205836 2014-02-11 12:33:14Z jgc $ # Maintainer: Jan de Groot # Contributor: Douglas Soares de Andrade # Contributor: Angel 'angvp' Velasquez @@ -6,17 +6,23 @@ pkgbase=python-numpy pkgname=('python2-numpy' 'python-numpy') pkgver=1.8.0 -pkgrel=1 +pkgrel=2 pkgdesc="Scientific tools for Python" arch=('i686' 'x86_64') license=('custom') url="http://www.numpy.org/" makedepends=('lapack' 'python' 'python2' 'python-setuptools' 'python2-setuptools' 'gcc-fortran' 'python-nose' 'python2-nose') options=('staticlibs') -source=(http://downloads.sourceforge.net/numpy/numpy-${pkgver}.tar.gz) -md5sums=('2a4b0423a758706d592abb6721ec8dcd') +source=(http://downloads.sourceforge.net/numpy/numpy-${pkgver}.tar.gz + numpy-insecure-mktemp-use.patch) +md5sums=('2a4b0423a758706d592abb6721ec8dcd' + '2caf84740b54dcb5fa1d47e72201f294') prepare() { + cd numpy-$pkgver + patch -Np1 -i ../numpy-insecure-mktemp-use.patch + cd .. + cp -a numpy-$pkgver numpy-py2-$pkgver cd numpy-py2-$pkgver diff --git a/extra/python-numpy/numpy-insecure-mktemp-use.patch b/extra/python-numpy/numpy-insecure-mktemp-use.patch new file mode 100644 index 000000000..8ecdcedfa --- /dev/null +++ b/extra/python-numpy/numpy-insecure-mktemp-use.patch 
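Review bot: The `md5sums` array in the second PKGBUILD hunk is still the only integrity check on a tarball that `source` fetches over plain `http://`, and the hunk adds a second MD5 entry instead of moving to a stronger digest. MD5 is not collision-resistant, so it gives little assurance against a tampered download. makepkg also accepts `sha256sums=(...)`, which could replace the array with one entry for the tarball and one for `numpy-insecure-mktemp-use.patch`, with values generated from verified copies of both files. Fetching the tarball from an HTTPS URL, if the upstream host offers one, would cover the transport side as well.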
@@ -0,0 +1,263 @@ +--- a/numpy/lib/tests/test_io.py 2013-10-30 19:32:51.000000000 +0100 ++++ b/numpy/lib/tests/test_io.py 2014-02-10 08:30:12.903607138 +0100 +@@ -4,7 +4,9 @@ + import gzip + import os + import threading +-from tempfile import mkstemp, mktemp, NamedTemporaryFile ++import shutil ++import contextlib ++from tempfile import mkstemp, mkdtemp, NamedTemporaryFile + import time + import warnings + import gc +@@ -21,6 +23,12 @@ + assert_raises, run_module_suite) + from numpy.testing import assert_warns, assert_, build_err_msg + ++@contextlib.contextmanager ++def tempdir(change_dir=False): ++ tmpdir = mkdtemp() ++ yield tmpdir ++ shutil.rmtree(tmpdir) ++ + + class TextIO(BytesIO): + """Helper IO class. +@@ -145,14 +153,14 @@ + @np.testing.dec.slow + def test_big_arrays(self): + L = (1 << 31) + 100000 +- tmp = mktemp(suffix='.npz') + a = np.empty(L, dtype=np.uint8) +- np.savez(tmp, a=a) +- del a +- npfile = np.load(tmp) +- a = npfile['a'] +- npfile.close() +- os.remove(tmp) ++ with tempdir() as tmpdir: ++ tmp = open(os.path.join(tmpdir, "file.npz"), "w") ++ np.savez(tmp, a=a) ++ del a ++ npfile = np.load(tmp) ++ a = npfile['a'] ++ npfile.close() + + def test_multiple_arrays(self): + a = np.array([[1, 2], [3, 4]], float) +commit 0bb46c1448b0d3f5453d5182a17ea7ac5854ee15 +Author: Julian Taylor +Date: Wed Feb 5 23:01:47 2014 +0100 + + ENH: remove insecure mktemp use + + mktemp only returns a filename, a malicous user could replace it before + it gets used. 
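Review bot: The `tempdir()` helper added to test_io.py in the `@@ -21,6 +23,12 @@` hunk only reaches `shutil.rmtree(tmpdir)` when the `with` body finishes normally, so a failing assertion or exception leaves the directory behind; in `test_big_arrays` that includes an array file of over 2 GiB. Wrapping the yield as `try: yield tmpdir` / `finally: shutil.rmtree(tmpdir)` makes the cleanup unconditional. The `change_dir=False` parameter is never read in the visible body and could be dropped or documented. A one-line docstring such as `"""Yield a freshly created private directory and remove it on exit."""` would also help.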
+ +diff --git a/numpy/core/tests/test_memmap.py b/numpy/core/tests/test_memmap.py +index 6de6319..10e7a08 100644 +--- a/numpy/core/tests/test_memmap.py ++++ b/numpy/core/tests/test_memmap.py +@@ -1,7 +1,7 @@ + from __future__ import division, absolute_import, print_function + + import sys +-from tempfile import NamedTemporaryFile, TemporaryFile, mktemp ++from tempfile import NamedTemporaryFile, TemporaryFile + import os + + from numpy import memmap +@@ -33,12 +33,11 @@ class TestMemmap(TestCase): + assert_array_equal(self.data, newfp) + + def test_open_with_filename(self): +- tmpname = mktemp('', 'mmap') +- fp = memmap(tmpname, dtype=self.dtype, mode='w+', +- shape=self.shape) +- fp[:] = self.data[:] +- del fp +- os.unlink(tmpname) ++ with NamedTemporaryFile() as tmp: ++ fp = memmap(tmp.name, dtype=self.dtype, mode='w+', ++ shape=self.shape) ++ fp[:] = self.data[:] ++ del fp + + def test_unnamed_file(self): + with TemporaryFile() as f: +@@ -55,17 +54,16 @@ class TestMemmap(TestCase): + del fp + + def test_filename(self): +- tmpname = mktemp('', 'mmap') +- fp = memmap(tmpname, dtype=self.dtype, mode='w+', +- shape=self.shape) +- abspath = os.path.abspath(tmpname) +- fp[:] = self.data[:] +- self.assertEqual(abspath, fp.filename) +- b = fp[:1] +- self.assertEqual(abspath, b.filename) +- del b +- del fp +- os.unlink(tmpname) ++ with NamedTemporaryFile() as tmp: ++ fp = memmap(tmp.name, dtype=self.dtype, mode='w+', ++ shape=self.shape) ++ abspath = os.path.abspath(tmp.name) ++ fp[:] = self.data[:] ++ self.assertEqual(abspath, fp.filename) ++ b = fp[:1] ++ self.assertEqual(abspath, b.filename) ++ del b ++ del fp + + def test_filename_fileobj(self): + fp = memmap(self.tmpfp, dtype=self.dtype, mode="w+", +diff --git a/numpy/core/tests/test_multiarray.py b/numpy/core/tests/test_multiarray.py +index c2ac009..a6f7b34 100644 +--- a/numpy/core/tests/test_multiarray.py ++++ b/numpy/core/tests/test_multiarray.py +@@ -2316,12 +2316,11 @@ class TestIO(object): + self.x = 
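Review bot: `memmap(tmp.name, ..., mode='w+')` in `test_open_with_filename` and `test_filename` opens the path a second time while the `NamedTemporaryFile` handle is still open, which the tempfile documentation describes as platform-dependent: it works on Unix but not on Windows. The same pattern appears in the `TestIO.setUp` change in test_multiarray.py and in `f2py.compile()` later in this patch. Creating a private directory with `mkdtemp()` and using a path inside it, as the `tempdir()` helper in test_io.py does, keeps the protection against a pre-created file without reopening an open temp file. Where the pattern is kept, a comment such as `# file already created exclusively by NamedTemporaryFile; memmap reopens it by name` would record why it is safe.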
rand(shape) + rand(shape).astype(np.complex)*1j + self.x[0,:, 1] = [nan, inf, -inf, nan] + self.dtype = self.x.dtype +- self.filename = tempfile.mktemp() ++ self.file = tempfile.NamedTemporaryFile() ++ self.filename = self.file.name + + def tearDown(self): +- if os.path.isfile(self.filename): +- os.unlink(self.filename) +- #tmp_file.close() ++ self.file.close() + + def test_bool_fromstring(self): + v = np.array([True, False, True, False], dtype=np.bool_) +@@ -2349,7 +2348,6 @@ class TestIO(object): + y = np.fromfile(f, dtype=self.dtype) + f.close() + assert_array_equal(y, self.x.flat) +- os.unlink(self.filename) + + def test_roundtrip_filename(self): + self.x.tofile(self.filename) +@@ -2535,7 +2529,6 @@ class TestIO(object): + s = f.read() + f.close() + assert_equal(s, '1.51,2.0,3.51,4.0') +- os.unlink(self.filename) + + def test_tofile_format(self): + x = np.array([1.51, 2, 3.51, 4], dtype=float) +diff --git a/numpy/f2py/__init__.py b/numpy/f2py/__init__.py +index ccdbd4e..fcfd185 100644 +--- a/numpy/f2py/__init__.py ++++ b/numpy/f2py/__init__.py +@@ -28,20 +28,20 @@ def compile(source, + from numpy.distutils.exec_command import exec_command + import tempfile + if source_fn is None: +- fname = os.path.join(tempfile.mktemp()+'.f') ++ f = tempfile.NamedTemporaryFile(suffix='.f') + else: +- fname = source_fn +- +- f = open(fname, 'w') +- f.write(source) +- f.close() +- +- args = ' -c -m %s %s %s'%(modulename, fname, extra_args) +- c = '%s -c "import numpy.f2py as f2py2e;f2py2e.main()" %s' %(sys.executable, args) +- s, o = exec_command(c) +- if source_fn is None: +- try: os.remove(fname) +- except OSError: pass ++ f = open(source_fn, 'w') ++ ++ try: ++ f.write(source) ++ f.flush() ++ ++ args = ' -c -m %s %s %s'%(modulename, f.name, extra_args) ++ c = '%s -c "import numpy.f2py as f2py2e;f2py2e.main()" %s' % \ ++ (sys.executable, args) ++ s, o = exec_command(c) ++ finally: ++ f.close() + return s + + from numpy.testing import Tester +diff --git a/numpy/f2py/f2py2e.py 
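Review bot: In `compile()` the temporary source file is created with `tempfile.NamedTemporaryFile(suffix='.f')`, whose default mode is binary (`'w+b'`), so `f.write(source)` will raise `TypeError` under Python 3 when `source` is a `str`; the old `open(fname, 'w')` accepted it. `tempfile.NamedTemporaryFile(mode='w', suffix='.f')` keeps text mode on both interpreters this package builds. Separately, `c` is still assembled by `%` interpolation of `modulename`, `f.name` and `extra_args` and handed to `exec_command`, so a caller-supplied `source_fn` or `modulename` containing shell metacharacters would presumably be interpreted by the shell. Quoting `modulename` and the file name (for example with `pipes.quote`), or documenting that these arguments must come from a trusted caller, would be worth adding. The function's signature and the start of its body are outside the hunk.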
b/numpy/f2py/f2py2e.py +index ff9d19e..25407d4 100755 +--- a/numpy/f2py/f2py2e.py ++++ b/numpy/f2py/f2py2e.py +@@ -91,7 +91,7 @@ Options: + --lower is assumed with -h key, and --no-lower without -h key. + + --build-dir All f2py generated files are created in . +- Default is tempfile.mktemp(). ++ Default is tempfile.mkdtemp(). + + --overwrite-signature Overwrite existing signature file. + +@@ -424,7 +424,7 @@ def run_compile(): + del sys.argv[i] + else: + remove_build_dir = 1 +- build_dir = os.path.join(tempfile.mktemp()) ++ build_dir = tempfile.mkdtemp() + + _reg1 = re.compile(r'[-][-]link[-]') + sysinfo_flags = [_m for _m in sys.argv[1:] if _reg1.match(_m)] +commit 524b9eaa33ec67e34eb31a208e02bb934f778096 +Author: Julian Taylor +Date: Sat Feb 8 11:55:36 2014 +0100 + + TST: fix test_io.TestSavezLoad + +diff --git a/numpy/lib/tests/test_io.py b/numpy/lib/tests/test_io.py +index 2ee5c83..8995fad 100644 +--- a/numpy/lib/tests/test_io.py ++++ b/numpy/lib/tests/test_io.py +@@ -187,7 +187,7 @@ class TestSavezLoad(RoundtripTest, TestCase): + L = (1 << 31) + 100000 + a = np.empty(L, dtype=np.uint8) + with tempdir() as tmpdir: +- tmp = open(os.path.join(tmpdir, "file.npz"), "w") ++ tmp = os.path.join(tmpdir, "file.npz") + np.savez(tmp, a=a) + del a + npfile = np.load(tmp) +commit 8296aa0b911c036c984e23665ee0f7ddca579b91 +Author: Julian Taylor +Date: Sat Feb 8 13:40:26 2014 +0100 + + TST: clean up tempfile in test_closing_zipfile_after_load + +diff --git a/numpy/lib/tests/test_io.py b/numpy/lib/tests/test_io.py +index 2ee5c83..6aae3d2 100644 +--- a/numpy/lib/tests/test_io.py ++++ b/numpy/lib/tests/test_io.py +@@ -295,13 +295,14 @@ class TestSavezLoad(RoundtripTest, TestCase): + # Check that zipfile owns file and can close it. + # This needs to pass a file name to load for the + # test. 
+- fd, tmp = mkstemp(suffix='.npz') +- os.close(fd) +- np.savez(tmp, lab='place holder') +- data = np.load(tmp) +- fp = data.zip.fp +- data.close() +- assert_(fp.closed) ++ with tempdir() as tmpdir: ++ fd, tmp = mkstemp(suffix='.npz', dir=tmpdir) ++ os.close(fd) ++ np.savez(tmp, lab='place holder') ++ data = np.load(tmp) ++ fp = data.zip.fp ++ data.close() ++ assert_(fp.closed) + + + class TestSaveTxt(TestCase): -- cgit v1.2.3-54-g00ecf