Version in base suite: 2022.11.7+dfsg1-11
Base version: pymatgen_2022.11.7+dfsg1-11
Target version: pymatgen_2022.11.7+dfsg1-11+deb12u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/p/pymatgen/pymatgen_2022.11.7+dfsg1-11.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/p/pymatgen/pymatgen_2022.11.7+dfsg1-11+deb12u1.dsc
changelog | 6 +++++
patches/CVE-2024-23346.patch | 50 +++++++++++++++++++++++++++++++++++++++++++
patches/series | 1
3 files changed, 57 insertions(+)
diff -Nru pymatgen-2022.11.7+dfsg1/debian/changelog pymatgen-2022.11.7+dfsg1/debian/changelog
--- pymatgen-2022.11.7+dfsg1/debian/changelog 2023-02-26 13:09:26.000000000 +0000
+++ pymatgen-2022.11.7+dfsg1/debian/changelog 2024-08-28 13:15:13.000000000 +0000
@@ -1,3 +1,9 @@
+pymatgen (2022.11.7+dfsg1-11+deb12u1) bookworm-security; urgency=medium
+
+ * CVE-2024-23346 (Closes: #1064514)
+
+ -- Moritz Mühlenhoff Wed, 28 Aug 2024 15:15:13 +0200
+
 pymatgen (2022.11.7+dfsg1-11) unstable; urgency=medium
 
 * debian/tests: run tests verbose to help identify tests that timeout
diff -Nru pymatgen-2022.11.7+dfsg1/debian/patches/CVE-2024-23346.patch pymatgen-2022.11.7+dfsg1/debian/patches/CVE-2024-23346.patch
--- pymatgen-2022.11.7+dfsg1/debian/patches/CVE-2024-23346.patch 1970-01-01 00:00:00.000000000 +0000
+++ pymatgen-2022.11.7+dfsg1/debian/patches/CVE-2024-23346.patch 2024-04-05 13:52:35.000000000 +0000
@@ -0,0 +1,50 @@
+From c231cbd3d5147ee920a37b6ee9dd236b376bcf5a Mon Sep 17 00:00:00 2001
+From: Matthew Horton
+Date: Sun, 11 Feb 2024 18:03:53 -0800
+Subject: [PATCH] Update `JonesFaithfulTransformation` to use sympy
+
+To address CVE-2024-23346
+
+--- pymatgen-2022.11.7+dfsg1.orig/pymatgen/symmetry/settings.py
++++ pymatgen-2022.11.7+dfsg1/pymatgen/symmetry/settings.py
+@@ -11,6 +11,8 @@ import re
+ from fractions import Fraction
+ 
+ import numpy as np
++from sympy import Matrix
++from sympy.parsing.sympy_parser import parse_expr
+ 
+ from pymatgen.core.lattice import Lattice
+ from pymatgen.core.operations import MagSymmOp, SymmOp
+@@ -115,16 +117,23 @@ class JonesFaithfulTransformation:
+ )
+ for x in basis_change
+ ]
+- # should be fine to use eval here but be mindful for security
+- # reasons
+- # see http://lybniz2.sourceforge.net/safeeval.html
+- # could replace with regex? or sympy expression?
+- P = np.array([eval(x, {"__builtins__": None}, {"a": a, "b": b, "c": c}) for x in basis_change])
+- P = P.transpose() # by convention
++
++ # basic input sanitation
++ allowed_chars = "0123456789+-*/.abc()"
++ basis_change = ["".join([c for c in string if c in allowed_chars]) for string in basis_change]
++
++ # requires round-trip to sympy to evaluate
++ # (alternatively, `numexpr` looks like a nice solution but requires an additional dependency)
++ basis_change = [
++ parse_expr(string).subs({"a": Matrix(a), "b": Matrix(b), "c": Matrix(c)}) for string in basis_change
++ ]
++ # convert back to numpy, perform transpose by convention
++ P = np.array(basis_change, dtype=float).T[0]
++
+ p = [float(Fraction(x)) for x in origin_shift]
+ return P, p
+- except Exception:
+- raise ValueError("Failed to parse transformation string.")
++ except Exception as exc:
++ raise ValueError(f"Failed to parse transformation string: {exc}")
+ 
+ @property
+ def P(self) -> list[list[float]]:
diff -Nru pymatgen-2022.11.7+dfsg1/debian/patches/series pymatgen-2022.11.7+dfsg1/debian/patches/series
--- pymatgen-2022.11.7+dfsg1/debian/patches/series 2023-02-26 13:09:26.000000000 +0000
+++ pymatgen-2022.11.7+dfsg1/debian/patches/series 2024-04-05 13:51:58.000000000 +0000
@@ -11,3 +11,4 @@
 fix_phonon_bandstructures_7ba41e0.patch
 stress_fp_approx_2839.patch
 no_mp_api.patch
+CVE-2024-23346.patch
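Review bot: The sanitation step added in `CVE-2024-23346.patch` silently strips every character outside `allowed_chars` instead of rejecting the string, so an input containing an unexpected character is evaluated as a different expression rather than failing loudly; I would replace the join with an explicit check before `parse_expr`, `if any(ch not in allowed_chars for ch in string): raise ValueError("Unexpected character in transformation string")`. The `allowed_chars` line also deserves a comment that this allowlist is the actual security boundary, because sympy's `parse_expr` still evaluates the transformed string with Python's `eval`, and the comprehension reusing `c` (also the name of the third basis vector used two lines later) is worth renaming to `ch` for readability even though it does not leak in Python 3. The re-raise at the end should chain the cause, `raise ValueError(f"Failed to parse transformation string: {exc}") from exc`, so the original traceback is preserved for debugging. The enclosing method's signature and the loop that builds `basis_change` lie outside the quoted hunk.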