Version in base suite: 0.17.0-4
Base version: joblib_0.17.0-4
Target version: joblib_0.17.0-4+deb11u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/j/joblib/joblib_0.17.0-4.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/j/joblib/joblib_0.17.0-4+deb11u1.dsc
 changelog | 7 ++
 patches/CVE-2022-21797.patch | 121 +++++++++++++++++++++++++++++++++++++++++++
 patches/series | 1
 3 files changed, 129 insertions(+)
diff -Nru joblib-0.17.0/debian/changelog joblib-0.17.0/debian/changelog
--- joblib-0.17.0/debian/changelog 2021-06-12 08:19:09.000000000 +0000
+++ joblib-0.17.0/debian/changelog 2023-03-27 13:25:19.000000000 +0000
@@ -1,3 +1,10 @@
+joblib (0.17.0-4+deb11u1) bullseye; urgency=high
+
+ * Non-maintainer upload.
+ * Fix CVE-2022-21797 (Closes: #1020820)
+
+ -- Helmut Grohne Mon, 27 Mar 2023 15:25:19 +0200
+
 joblib (0.17.0-4) unstable; urgency=medium
 * Team upload
diff -Nru joblib-0.17.0/debian/patches/CVE-2022-21797.patch joblib-0.17.0/debian/patches/CVE-2022-21797.patch
--- joblib-0.17.0/debian/patches/CVE-2022-21797.patch 1970-01-01 00:00:00.000000000 +0000
+++ joblib-0.17.0/debian/patches/CVE-2022-21797.patch 2023-03-27 13:25:08.000000000 +0000
@@ -0,0 +1,121 @@
+From 54f4d21f098591c77b48c9acfffaa4cf0a45282b Mon Sep 17 00:00:00 2001
+From: Adrin Jalali
+Date: Mon, 12 Sep 2022 17:17:28 +0200
+Subject: [PATCH] FIX parse pre-dispatch with AST instead of calling eval
+ (#1327)
+
+---
+ CHANGES.rst | 2 +-
+ joblib/_utils.py | 44 +++++++++++++++++++++++++++++++++++++++
+ joblib/parallel.py | 7 +++----
+ joblib/test/test_utils.py | 27 ++++++++++++++++++++++++
+ 4 files changed, 75 insertions(+), 5 deletions(-)
+ create mode 100644 joblib/_utils.py
+ create mode 100644 joblib/test/test_utils.py
+
+diff --git a/joblib/_utils.py b/joblib/_utils.py
+new file mode 100644
+index 000000000..2dbd4f636
+--- /dev/null
++++ b/joblib/_utils.py
+@@ -0,0 +1,44 @@
++# Adapted from https://stackoverflow.com/a/9558001/2536294
++
++import ast
++import operator as op
++
++# supported operators
++operators = {
++ ast.Add: op.add,
++ ast.Sub: op.sub,
++ ast.Mult: op.mul,
++ ast.Div: op.truediv,
++ ast.FloorDiv: op.floordiv,
++ ast.Mod: op.mod,
++ ast.Pow: op.pow,
++ ast.USub: op.neg,
++}
++
++
++def eval_expr(expr):
++ """
++ >>> eval_expr('2*6')
++ 12
++ >>> eval_expr('2**6')
++ 64
++ >>> eval_expr('1 + 2*3**(4) / (6 + -7)')
++ -161.0
++ """
++ try:
++ return eval_(ast.parse(expr, mode="eval").body)
++ except (TypeError, SyntaxError, KeyError) as e:
++ raise ValueError(
++ f"{expr!r} is not a valid or supported arithmetic expression."
++ ) from e
++
++
++def eval_(node):
++ if isinstance(node, ast.Num): #
++ return node.n
++ elif isinstance(node, ast.BinOp): #
++ return operators[type(node.op)](eval_(node.left), eval_(node.right))
++ elif isinstance(node, ast.UnaryOp): # e.g., -1
++ return operators[type(node.op)](eval_(node.operand))
++ else:
++ raise TypeError(node)
+diff --git a/joblib/parallel.py b/joblib/parallel.py
+index 1c2fe18f7..6e7b1b19a 100644
+--- a/joblib/parallel.py
++++ b/joblib/parallel.py
+@@ -27,6 +27,7 @@
+ LokyBackend)
+ from .externals.cloudpickle import dumps, loads
+ from .externals import loky
++from ._utils import eval_expr
+
+ # Make sure that those two classes are part of the public joblib.parallel API
+ # so that 3rd party backend implementers can import them from here.
+@@ -1051,7 +1052,9 @@ def _batched_calls_reducer_callback():
+ else:
+ self._original_iterator = iterator
+ if hasattr(pre_dispatch, 'endswith'):
+- pre_dispatch = eval(pre_dispatch)
++ pre_dispatch = eval_expr(
++ pre_dispatch.replace("n_jobs", str(n_jobs))
++ )
+ self._pre_dispatch_amount = pre_dispatch = int(pre_dispatch)
+
+ # The main thread will consume the first pre_dispatch items and
+diff --git a/joblib/test/test_utils.py b/joblib/test/test_utils.py
+new file mode 100644
+index 000000000..4999a212c
+--- /dev/null
++++ b/joblib/test/test_utils.py
+@@ -0,0 +1,27 @@
++import pytest
++
++from joblib._utils import eval_expr
++
++
++@pytest.mark.parametrize(
++ "expr",
++ ["exec('import os')", "print(1)", "import os", "1+1; import os", "1^1"],
++)
++def test_eval_expr_invalid(expr):
++ with pytest.raises(
++ ValueError, match="is not a valid or supported arithmetic"
++ ):
++ eval_expr(expr)
++
++
++@pytest.mark.parametrize(
++ "expr, result",
++ [
++ ("2*6", 12),
++ ("2**6", 64),
++ ("1 + 2*3**(4) / (6 + -7)", -161.0),
++ ("(20 // 3) % 5", 1),
++ ],
++)
++def test_eval_expr_valid(expr, result):
++ assert eval_expr(expr) == result
diff -Nru joblib-0.17.0/debian/patches/series
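Review bot: `eval_expr` still lets the `pre_dispatch` string drive unbounded big-integer arithmetic, because `ast.Pow: op.pow` in the `operators` table of the new `joblib/_utils.py` is applied with no limit on operand size — an input such as `"9**9**9**9"` parses as valid arithmetic and will exhaust CPU and memory inside `eval_`, so the code-execution fix for CVE-2022-21797 leaves a denial-of-service path open for whoever controls that string (its origin is outside the `parallel.py` hunk, whose enclosing `Parallel.__call__` body starts and ends outside what is shown). Bounding both the base and the exponent before calling `op.pow` is the practical mitigation; the limits below are illustrative and should be set to whatever a sane `pre_dispatch` count can need. Separately, `eval_` can raise `ZeroDivisionError` (`"1/0"`), `OverflowError` (`"1e308**2"`) and `RecursionError` (a very long `1+1+...` chain), none of which are in the `except (TypeError, SyntaxError, KeyError)` tuple of `eval_expr`, so they escape as something other than the documented `ValueError`; extend it to `except (TypeError, SyntaxError, KeyError, ZeroDivisionError, OverflowError, RecursionError) as e:`. A `ValueError` raised from inside `eval_` passes through that `except` untouched, so callers that already catch `ValueError` keep working.
```python
# Caps on exponentiation so a pre_dispatch expression cannot force
# arbitrarily large big-integer arithmetic (illustrative limits).
_MAX_POW_BASE = 1_000_000
_MAX_POW_EXPONENT = 100


def eval_(node):
    # … unchanged: ast.Num branch …
    elif isinstance(node, ast.BinOp):
        left, right = eval_(node.left), eval_(node.right)
        if isinstance(node.op, ast.Pow) and (
            abs(left) > _MAX_POW_BASE or abs(right) > _MAX_POW_EXPONENT
        ):
            raise ValueError(
                f"{left!r} ** {right!r} exceeds the supported exponentiation range"
            )
        return operators[type(node.op)](left, right)
    # … unchanged: UnaryOp branch and the TypeError fallthrough …
```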
joblib-0.17.0/debian/patches/series
--- joblib-0.17.0/debian/patches/series 2021-05-05 10:10:28.000000000 +0000
+++ joblib-0.17.0/debian/patches/series 2023-03-27 13:25:08.000000000 +0000
@@ -2,3 +2,4 @@
 deb_collect_ignore_setup
 deb_test_memory
 big-endian.patch
+CVE-2022-21797.patch