From 307376c18b7c727d4a51f0503ba7f50f22f406ff Mon Sep 17 00:00:00 2001 From: icanhasmath Date: Mon, 8 Jun 2026 16:07:47 -0500 Subject: [PATCH 1/2] CVE-2021-41496 Bound the error message in f2py array_from_pyobj array_from_pyobj() built its "must have defined dimensions" error string by strcpy-ing a fixed prefix into a 200-byte stack buffer `mess` and then sprintf-ing each of up to F2PY_MAX_DIMS (40) dimension values into it in a loop, followed by a strcat. With enough negative dimensions this overflows the fixed stack buffer (CVE-2021-41496 / GHSA-f7c7-j99h-c22f; local DoS). Port the upstream fix (numpy/numpy 271010f1037150e9, PR #20630, closes gh-19000): replace count_negative_dimensions() with find_first_negative_dimension() and emit the error via a single bounded PyErr_Format() reporting the first offending dimension, removing the unbounded strcpy/sprintf-loop/strcat. Kept a C89-style loop-variable declaration (this fork targets older MSVC; cf. the CVE-2021-41495 compiler-compat fixups) and verified declaration-after- statement clean. PyErr_Format and NPY_INTP_FMT are available in 1.16.6. Co-Authored-By: Claude Opus 4.8 (1M context) --- numpy/f2py/src/fortranobject.c | 29 ++++++++++++++--------------- 1 file changed, 14 insertions(+), 15 deletions(-) diff --git a/numpy/f2py/src/fortranobject.c b/numpy/f2py/src/fortranobject.c index 4a981bf558ab..ae4145b0497a 100644 --- a/numpy/f2py/src/fortranobject.c +++ b/numpy/f2py/src/fortranobject.c 
@@ -595,14 +595,15 @@ static int check_and_fix_dimensions(const PyArrayObject* arr, npy_intp *dims); static int -count_negative_dimensions(const int rank, - const npy_intp *dims) { - int i=0,r=0; - while (i 0) { - int i; - strcpy(mess, "failed to create intent(cache|hide)|optional array" - "-- must have defined dimensions but got ("); - for(i=0;i= 0) { + PyErr_Format(PyExc_ValueError, + "failed to create intent(cache|hide)|optional array" + " -- must have defined dimensions, but dims[%d] = %" + NPY_INTP_FMT, i, dims[i]); return NULL; } arr = (PyArrayObject *) From b5b964dedf7b5bbfb1cb1293813838a295b1a1ee Mon Sep 17 00:00:00 2001 From: icanhasmath Date: Mon, 8 Jun 2026 16:09:30 -0500 Subject: [PATCH 2/2] Release NumPy 1.16.6+security.2 (CVE-2021-41496) ActiveState security release on the 1.16.6 line, backporting the CVE-2021-41496 fix in f2py array_from_pyobj. - Bump the version to the PEP 440 local form 1.16.6+security.2 in setup.py so the installed package self-reports the security level (N counts AS security releases on this line; 1.16.6.1 == security.1). Verified NumpyVersion() tolerates the +local label (its leading-version regex is unanchored). - Add doc/release/1.16.6+security.2-notes.rst and the matching changelog, recording the CVE-2021-41496 fix plus the two advisories assessed as not applicable (CVE-2021-33430 already mitigated here; CVE-2021-34141 disputed, no security impact / no upstream fix). Co-Authored-By: Claude Opus 4.8 (1M context) --- doc/changelog/1.16.6+security.2-changelog.rst | 15 +++++ doc/release/1.16.6+security.2-notes.rst | 61 +++++++++++++++++++ setup.py | 4 ++ 3 files changed, 80 insertions(+) create mode 100644 doc/changelog/1.16.6+security.2-changelog.rst create mode 100644 doc/release/1.16.6+security.2-notes.rst diff --git a/doc/changelog/1.16.6+security.2-changelog.rst b/doc/changelog/1.16.6+security.2-changelog.rst new file mode 100644 index 000000000000..f20c499dadc2 --- /dev/null 
+++ b/doc/changelog/1.16.6+security.2-changelog.rst @@ -0,0 +1,15 @@ + +Contributors +============ + +A total of 1 person contributed to this release. + +* Warren Weckesser + + +Pull requests merged +==================== + +A total of 1 pull request was merged for this release. + +* `#20630 `__: BUG: f2py: Simplify creation of an exception message. Closes gh-19000. diff --git a/doc/release/1.16.6+security.2-notes.rst b/doc/release/1.16.6+security.2-notes.rst new file mode 100644 index 000000000000..2c152926c079 --- /dev/null +++ b/doc/release/1.16.6+security.2-notes.rst 
@@ -0,0 +1,61 @@ +================================== +NumPy 1.16.6+security.2 Release Notes +================================== + +The NumPy 1.16.6+security.2 release backports a CVE fix for the f2py +``array_from_pyobj`` function. It is an ActiveState security release on the +1.16.6 line (the prior security release, tagged 1.16.6.1, is treated as +``+security.1``). + +Downstream developers building this release should use Cython >= 0.29.2 and, if +using OpenBLAS, OpenBLAS >= v0.3.7. The supported Python versions are 2.7 and +3.5-3.7. + +- Deal with CVE-2021-41496 + +Two further advisories were assessed for this release and found not to require +a code change (both are documented for tracking purposes): + +- CVE-2021-33430 (GHSA-6p56-wp2h-9hxr) -- the ``PyArray_NewFromDescr_int`` + stack-buffer bounds check is already present in this line ahead of the + ``descr->subarray`` ``memcpy``; not applicable. +- CVE-2021-34141 (GHSA-fpfv-jqm9-f5jm) -- disputed; the deprecated + Numeric-style typecode comparison only affects a ``DeprecationWarning``, not + the resolved dtype, so there is no security impact and no upstream fix to + backport. + +Highlights +========== + +- Fix for CVE-2021-41496: a stack buffer overflow in the f2py + ``array_from_pyobj`` error path when an intent(cache|hide)|optional array is + passed negative dimensions. Backported from numpy/numpy PR #20630 + (commit 271010f1037150e9, closes gh-19000). + + +New functions +============= + + +Compatibility notes +=================== + + +Improvements +============ + + +Contributors +============ + +A total of 1 person contributed to this release. + +* Warren Weckesser + + +Pull requests merged +==================== + +A total of 1 pull request was merged for this release. + +* `#20630 `__: BUG: f2py: Simplify creation of an exception message. Closes gh-19000. diff --git a/setup.py b/setup.py index 954668236cdb..d4560d003b35 100755 --- a/setup.py +++ b/setup.py 
@@ -64,6 +64,10 @@ MICRO = 6 ISRELEASED = True VERSION = '%d.%d.%d' % (MAJOR, MINOR, MICRO) +# ActiveState security release: PEP 440 local version label. N counts the +# ActiveState security releases on this line (1.16.6.1 was security.1). +AS_SECURITY = '+security.2' +VERSION = VERSION + AS_SECURITY # Return the git revision as a string
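Review bot: in the fortranobject.c hunk, the removal of the fixed-size `mess` stack buffer that the commit message names as the overflow target is not visible; the angle-bracketed parts of the old loop were lost in extraction (`while (i 0) {`, `for(i=0;i= 0) {`), so the hunk as shown proves neither that the `char mess[...]` declaration is gone nor what the loop bound was. Please confirm the declaration was deleted along with the strcpy/sprintf/strcat sequence; if it survives it is now a dead stack variable and, in the C89 declaration style the message says this fork keeps, an easy -Wunused-variable hit. The new path itself looks right: `i` is an `int` matched by `%d`, `dims[i]` is an `npy_intp` matched by `NPY_INTP_FMT`, and `PyErr_Format` sizes its own result, so no caller-owned buffer remains on this error path.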
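Review bot: in doc/release/1.16.6+security.2-notes.rst the `=` overline and underline appear shorter than the 37-character title `NumPy 1.16.6+security.2 Release Notes`; docutils reports `Title overline too short.` for an adornment shorter than its title, so extend both rows to at least 37 characters. The two "not applicable" entries also cite nothing a reviewer can check: the CVE-2021-33430 line says the `PyArray_NewFromDescr_int` bounds check "is already present in this line" without naming the commit or hunk that carries it, and the CVE-2021-34141 line gives no reference for the disputed status. One commit id or advisory link per entry would let the next reader verify the assessment without reading the tree.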
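Review bot: in the setup.py hunk, `VERSION = VERSION + AS_SECURITY` produces `1.16.6+security.2`, which under PEP 440 sorts below the earlier security release `1.16.6.1` that the comment says it follows: a `+local` label only breaks ties between equal public versions, and the release segment `1.16.6.1` is greater than `1.16.6`. `pip install --upgrade numpy` against an index serving both will keep `1.16.6.1`, and a `numpy>=1.16.6.1` requirement excludes this release outright. If the line is meant to keep sorting, bump the public segment (for example `1.16.6.2`, optionally keeping `+security.2` as a label for self-reporting). Two follow-ups: the NumpyVersion check the commit message cites only covers parsing, so please also confirm how it orders `1.16.6+security.2` against `1.16.6`, since the tail after the main version is neither a final nor a pre-release marker; and because `VERSION` now already contains a `+`, any later code in setup.py that appends its own `+<git-rev>` segment when `ISRELEASED` is False would yield a second `+`, which is not a valid PEP 440 version, so guard that path or note that `ISRELEASED` must stay True on this line.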
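The overflow the first commit message describes, as an added example that is not NumPy's code: the worst-case length of the old strcpy / sprintf-loop / strcat message is computed for F2PY_MAX_DIMS = 40 dimensions against the 200-byte `mess` buffer, and the upstream strategy (stop at the first negative extent and emit one bounded message) is reimplemented beside it. Assumptions: `npy_intp` is modelled as `intptr_t`, the per-dimension format of the old loop is taken to be the integer followed by a comma, `find_first_negative_dimension` is a local reimplementation of the helper the message names, and `snprintf` into a caller buffer stands in for `PyErr_Format`, which allocates its own result. The sample dimension arrays are constructed for the demo.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Values taken from the commit message; npy_intp is modelled as intptr_t
 * (assumption, not NumPy's typedef). */
#define F2PY_MAX_DIMS 40
#define MESS_SIZE 200

/* Fixed prefix the old code strcpy'd into the 200-byte buffer. */
static const char OLD_PREFIX[] =
    "failed to create intent(cache|hide)|optional array"
    "-- must have defined dimensions but got (";

/* Bytes the old strcpy / sprintf-loop / strcat sequence would write for
 * `rank` dimensions in the worst case, computed without touching a buffer.
 * The per-dimension format "%<intp>," is an assumption about the loop body. */
size_t old_path_worst_case_len(int rank)
{
    char one[32];
    int per_dim = snprintf(one, sizeof one, "%" PRIdPTR ",", INTPTR_MIN);
    return strlen(OLD_PREFIX) + (size_t)rank * (size_t)per_dim
           + strlen(")") + 1; /* +1 for the terminating NUL */
}

/* Local reimplementation of the upstream replacement for
 * count_negative_dimensions(): index of the first negative extent, or -1
 * when every extent is defined. C89-style declaration, as in the fork. */
int find_first_negative_dimension(int rank, const intptr_t *dims)
{
    int i;
    for (i = 0; i < rank; ++i) {
        if (dims[i] < 0) {
            return i;
        }
    }
    return -1;
}

/* Bounded formatting of the new message. PyErr_Format allocates its result;
 * snprintf into a caller-sized buffer stands in for it here (assumption).
 * Returns the message length, or -1 when there is nothing to report. The
 * output is truncated, never overflowed, if `cap` is too small. */
int format_bad_dims_error(char *buf, size_t cap, int rank, const intptr_t *dims)
{
    int i = find_first_negative_dimension(rank, dims);
    if (i < 0) {
        return -1;
    }
    return snprintf(buf, cap,
                    "failed to create intent(cache|hide)|optional array"
                    " -- must have defined dimensions, but dims[%d] = %" PRIdPTR,
                    i, dims[i]);
}

/* Constructed sample: rank 3, second extent negative, so index 1. */
int demo_first_negative(void)
{
    const intptr_t dims[3] = {4, -1, -7};
    return find_first_negative_dimension(3, dims);
}

/* Constructed sample with every extent defined: no error to format. */
int demo_all_defined(void)
{
    const intptr_t dims[2] = {2, 3};
    char mess[MESS_SIZE];
    return format_bad_dims_error(mess, sizeof mess, 2, dims);
}

/* Constructed worst case: all F2PY_MAX_DIMS extents at INTPTR_MIN. */
int demo_old_path_overflows(void)
{
    return old_path_worst_case_len(F2PY_MAX_DIMS) > MESS_SIZE;
}

/* Same worst case through the new path: one fixed-size message that fits. */
int demo_new_message_fits(void)
{
    intptr_t dims[F2PY_MAX_DIMS];
    char mess[MESS_SIZE];
    int i, n;
    for (i = 0; i < F2PY_MAX_DIMS; ++i) {
        dims[i] = INTPTR_MIN;
    }
    n = format_bad_dims_error(mess, sizeof mess, F2PY_MAX_DIMS, dims);
    return n > 0 && (size_t)n < sizeof mess && strlen(mess) == (size_t)n;
}

int main(void)
{
    intptr_t dims[F2PY_MAX_DIMS];
    char mess[MESS_SIZE];
    int i;
    for (i = 0; i < F2PY_MAX_DIMS; ++i) {
        dims[i] = INTPTR_MIN;
    }
    printf("old path needs %zu bytes for rank %d (buffer is %d)\n",
           old_path_worst_case_len(F2PY_MAX_DIMS), F2PY_MAX_DIMS, MESS_SIZE);
    format_bad_dims_error(mess, sizeof mess, F2PY_MAX_DIMS, dims);
    printf("new path: %s\n", mess);
    return 0;
}
```

The new message has the same length whatever the rank, because it names one index and one value; the old one grew by roughly twenty bytes per dimension on a 64-bit `npy_intp`, so the 200-byte buffer was exhausted well before the 40-dimension limit.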