[Deb-scipy-devel] Bug#416677: python-numpy: array indexing memory
corruption
Elrond
elrond+bugs.debian.org at samba-tng.org
Thu Mar 29 16:46:29 UTC 2007
Package: python-numpy
Version: 1:1.0.1-1
Severity: important
Hi,
The following should be obvious enough:
bug-thingies$ cat crash2.py
from numpy import array
sel = array([False,True])
p1 = array([11.])
p1[sel] = p1
bug-thingies$ python crash2.py
*** glibc detected *** free(): invalid next size (fast): 0x081f6938 ***
Aborted
Note: Yes, I'm fully aware of the fact that the above
python program is bad/wrong code!
Nevertheless, it should not crash like this.
It really should give an exception.
I have set the severity to important, as this bug could
have security implications. At least, with the following
assumptions:
1) The arrays could have been read from (untrusted) data
files.
Note: They only contain data, nothing more; one should
not assume that this data comes from a trusted source!
2) The glibc issue really means some memory corruption, so
if the above (malicious) data would be constructed with
more care, an exploit might be possible.
I leave tagging as RC/security to the maintainers or other
interested parties.
Elrond
-- System Information:
Debian Release: 4.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Versions of packages python-numpy depends on:
ii atlas3-base [liblapack.so.3 3.6.0-20.6 Automatically Tuned Linear Algebra
ii libc6 2.3.6.ds1-13 GNU C Library: Shared libraries
ii libg2c0 1:3.4.6-5 Runtime library for GNU Fortran 77
ii libgcc1 1:4.1.1-21 GCC support library
ii python 2.4.4-2 An interactive high-level object-o
ii python-central 0.5.12 register and build utility for Pyt
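The report's expectation ("it should give an exception", not a glibc abort) can be turned into a regression check. The following is an added example, not part of the original report or of numpy: it runs a snippet in a child interpreter and tells a clean Python exception apart from the interpreter being killed by a signal. The helper names `run_isolated` and `assert_fails_cleanly` are hypothetical, and a POSIX system is assumed (death by signal shows up as a negative return code).

```python
import signal
import subprocess
import sys

# The reproducer from the report, unchanged.
REPRODUCER = """\
from numpy import array
sel = array([False,True])
p1 = array([11.])
p1[sel] = p1
"""


def run_isolated(source, timeout=30):
    """Run `source` in a child interpreter and classify how it ended.

    Returns ("ok", None), ("exception", last_stderr_line) or
    ("crash", signal_name). A crash means the interpreter itself was
    killed by a signal (for example SIGABRT raised by glibc's heap
    consistency check), which is the behaviour the report objects to.
    """
    proc = subprocess.run([sys.executable, "-c", source],
                          capture_output=True, text=True, timeout=timeout)
    if proc.returncode == 0:
        return ("ok", None)
    if proc.returncode < 0:  # POSIX: child terminated by signal -returncode
        return ("crash", signal.Signals(-proc.returncode).name)
    lines = proc.stderr.strip().splitlines()
    return ("exception", lines[-1] if lines else "")


def assert_fails_cleanly(source):
    """Bad input must end in a Python exception, never a crash or silent success."""
    kind, detail = run_isolated(source)
    if kind != "exception":
        raise AssertionError("expected a Python exception, got %s (%s)" % (kind, detail))
    return detail


if __name__ == "__main__":
    # Outcome depends on the installed numpy; the report saw an abort on 1:1.0.1-1.
    print(run_isolated(REPRODUCER))
```

Running the snippet in a separate process matters here: heap corruption in the parent would take the test runner down with it, so the check could never report a failure.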