Numpy fails safety

[shernshiou]

Refering to 07b8fe9#diff-3c561b12084d50ebca9e164979f7df4921085ae29a71bf4e4f4ee1c5f14ae9b5R3827

Can I know what is wrong with numpy? Can I know why is numpy > 0 fails the safety check.

    "numpy": [
        "<=1.16.0",
        ">=1.9.0,<=1.9.3"
        "<1.13.2",
        "<1.16.3",
        "<1.21.0",
        "<1.22.0",
        "<1.8.1",
        ">0"
    ],

[WlodekLipski]

Seems like the list of affected version isn't sorted and the safety parser doesn't recognize affected version properly.

Just a thought, as experience the same problem here.

[jamiesandenr]

According to data/insecure_full.json the problem is:

All versions of Numpy are affected by CVE-2021-41495: A null Pointer Dereference vulnerability exists in numpy.sort, in the PyArray_DescrNew function due to missing return-value validation, which allows attackers to conduct DoS attacks by repetitively creating sort arrays. numpy/numpy#19038

[SCH227]

Good day!
CVE-2021-41495 for NumPy hasn't been fixed yet in any release. See here: numpy/numpy#19038
Note that in the same thread, NumPy devs argue about the validity and correct severity of this issue.
To be on the security side, we chose to report this as a possible vulnerability so users of NumPy can take the best informed decision considering their use-case.