CVE-2022-21797: FIX make sure pre_dispatch cannot do arbitrary code execution (#1321) · joblib/joblib@b90f10e
The package joblib, from version 0 and before 1.2.0, is vulnerable to arbitrary code execution via the pre_dispatch flag of the Parallel() class, because the string value of that flag is passed to an eval() statement.
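The documented contract for pre_dispatch is 'all', an integer, or a basic arithmetic expression over n_jobs. The following added example (not joblib's code; the function names parse_pre_dispatch and is_valid_pre_dispatch are hypothetical) shows how that contract can be enforced with an AST whitelist instead of eval(), so that only integer constants, the name n_jobs and the arithmetic operators ever get evaluated and everything else is rejected before any code runs.

```python
import ast
import operator

# Binary operators permitted in a pre_dispatch expression such as "3*n_jobs".
_BIN_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.FloorDiv: operator.floordiv,
}


def parse_pre_dispatch(value, n_jobs):
    """Resolve a pre_dispatch setting to an int without calling eval().

    Accepts the forms joblib documents: 'all', an integer, or an arithmetic
    expression over the name n_jobs. Anything else raises ValueError.
    Hypothetical helper written for this page, not joblib's own code.
    """
    if isinstance(value, int):
        return value
    if value == "all":
        return None  # caller treats None as "dispatch everything"
    try:
        tree = ast.parse(value, mode="eval")
    except SyntaxError as exc:
        raise ValueError(f"not a valid pre_dispatch expression: {value!r}") from exc
    return int(_eval_node(tree.body, n_jobs))


def _eval_node(node, n_jobs):
    # Walk the AST and evaluate only the node types the contract allows;
    # attribute access, calls, subscripts, comprehensions etc. are refused.
    if isinstance(node, ast.Constant) and isinstance(node.value, int):
        return node.value
    if isinstance(node, ast.Name) and node.id == "n_jobs":
        return n_jobs
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        left = _eval_node(node.left, n_jobs)
        right = _eval_node(node.right, n_jobs)
        return _BIN_OPS[type(node.op)](left, right)
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
        return -_eval_node(node.operand, n_jobs)
    raise ValueError(f"unsupported pre_dispatch expression: {ast.dump(node)}")


def is_valid_pre_dispatch(value, n_jobs=1):
    """True if value is accepted by the whitelist, False otherwise."""
    try:
        parse_pre_dispatch(value, n_jobs)
    except ValueError:
        return False
    return True
```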
@@ -504,7 +504,9 @@ class Parallel(Logger): pre_dispatch: {’all’, integer, or expression, as in '3*n_jobs’} The number of batches (of tasks) to be pre-dispatched. Default is '2*n_jobs’. When batch_size="auto" this is reasonable default and the workers should never starve. default and the workers should never starve. Note that only basic arithmetics are allowed here and no modules can be used in this expression. batch_size: int or 'auto’, default: ‘auto’ The number of atomic tasks to dispatch at once to each worker. When individual evaluations are very fast, dispatching @@ -1049,7 +1051,11 @@ def _batched_calls_reducer_callback(): else: self._original_iterator = iterator if hasattr(pre_dispatch, ‘endswith’): pre_dispatch = eval(pre_dispatch) pre_dispatch = eval( pre_dispatch, {"n_jobs": n_jobs, "__builtins__": {}}, # globals {} # locals ) self._pre_dispatch_amount = pre_dispatch = int(pre_dispatch)
# The main thread will consume the first pre_dispatch items and
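Review bot: In the second hunk, eval() with an empty `"__builtins__": {}` and `n_jobs` as the only global still parses and evaluates any Python expression syntax (attribute access, subscripts, calls on the bound value, comprehensions), which is broader than the contract the first hunk's docstring now states, "only basic arithmetics are allowed here and no modules can be used in this expression". An ast.parse() walk that accepts only integer constants, the name n_jobs and the arithmetic operators would enforce exactly that contract and would remove eval() from the path entirely. Separately, a malformed string passed to `pre_dispatch = eval(` surfaces as a SyntaxError from inside the library rather than a ValueError naming the bad parameter; wrapping the call and re-raising as ValueError would give callers a clearer error.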
Related news
Gentoo Linux Security Advisory 202401-1 - A vulnerability has been found in Joblib which allows for arbitrary code execution. Versions greater than or equal to 1.2.0 are affected.
The package joblib from 0 and before 1.2.0 is vulnerable to Arbitrary Code Execution via the `pre_dispatch` flag in `Parallel()` class due to the `eval()` statement.