commit:     1b1b577bb33b34295e8cad2294c5486ee50200cf
Author:     Alfredo Tupone <tupone <AT> gentoo <DOT> org>
AuthorDate: Wed Nov 30 18:12:11 2022 +0000
Commit:     Alfredo Tupone <tupone <AT> gentoo <DOT> org>
CommitDate: Wed Nov 30 18:13:03 2022 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1b1b577b

sci-libs/pytorch: fix CVE-2022-45907

Bug: https://bugs.gentoo.org/883381
Signed-off-by: Alfredo Tupone <tupone <AT> gentoo.org>

 sci-libs/pytorch/Manifest                          |  1 -
 .../files/pytorch-1.12.0-CVE-2022-45907.patch      | 59 ++++++++++++++++++++++
 sci-libs/pytorch/metadata.xml                      | 11 ----
 sci-libs/pytorch/pytorch-1.11.0.ebuild             | 58 ---------------------
 ...orch-1.12.0.ebuild => pytorch-1.12.0-r1.ebuild} |  3 +-
 5 files changed, 61 insertions(+), 71 deletions(-)

diff --git a/sci-libs/pytorch/Manifest b/sci-libs/pytorch/Manifest
index 0d28654e641f..013309cd70ce 100644
--- a/sci-libs/pytorch/Manifest
+++ b/sci-libs/pytorch/Manifest
@@ -1,2 +1 @@
-DIST pytorch-1.11.0.tar.gz 20719323 BLAKE2B 
24e7aaa2c26821d36f8092542de9d8d5ac85a619fb9fffb5131987958842afb1cad395780662d15f3411a7cc6ff83a445871960eca1e469fcbf0b9895d83d6e0
 SHA512 
2342eb7a1a241f5855a7cf12e11f62bc4baaa78d1d0864e53bfc946e783eb4addd05ca154a814d2376cd602098b5547e61c158d6eddb7cad5a9f3b0c1357adca
 DIST pytorch-1.12.0.tar.gz 106286765 BLAKE2B 
ff9bafedb35f859f7dccb9b606299cf9c345bdaa0deb87ecfe0c0c30c3c828414d989e1d9a243d9b7cd3f376d56a2f81c241ca2e3c9a8a2b30cddcdeddd3a5c7
 SHA512 
c9c748a2e0047daaaf199a1ba3198d2d1aee47f664170a9b34ccacd3deeb95f2070e4035eeb900012ef48dc62cf6fb6806f1a1dfe22de8c94892963076e593b7

diff --git a/sci-libs/pytorch/files/pytorch-1.12.0-CVE-2022-45907.patch 
b/sci-libs/pytorch/files/pytorch-1.12.0-CVE-2022-45907.patch
new file mode 100644
index 000000000000..085b6d9ca1bb
--- /dev/null
+++ b/sci-libs/pytorch/files/pytorch-1.12.0-CVE-2022-45907.patch
@@ -0,0 +1,59 @@
+From 78cad998e505b667d25ac42f8aaa24409f5031e1 Mon Sep 17 00:00:00 2001
+From: Nikita Shulga <nshu...@meta.com>
+Date: Thu, 17 Nov 2022 22:05:27 +0000
+Subject: [PATCH] [JIT][Security] Do not blindly eval input string (#89189)
+
+Introduce `_eval_no_call` method, that evaluates statement only if it
+does not contain any calls(done by examining the bytecode), thus preventing 
command injection exploit
+
+Added simple unit test to check for that
+`torch.jit.annotations.get_signature` would not result in calling random
+code.
+
+Although, this code path exists for Python-2 compatibility, and perhaps
+should be simply removed.
+
+diff --git a/torch/jit/annotations.py b/torch/jit/annotations.py
+index a4a36ce36a5e8..a6ff2d04d2076 100644
+--- a/torch/jit/annotations.py
++++ b/torch/jit/annotations.py
+@@ -1,4 +1,5 @@
+ import ast
++import dis
+ import enum
+ import inspect
+ import re
+@@ -144,6 +145,15 @@ def check_fn(fn, loc):
+         raise torch.jit.frontend.FrontendError(loc, "Expected a single 
top-level function")
+ 
+ 
++def _eval_no_call(stmt, glob, loc):
++    """Evaluate statement as long as it does not contain any method/function 
calls"""
++    bytecode = compile(stmt, "", mode="eval")
++    for insn in dis.get_instructions(bytecode):
++        if "CALL" in insn.opname:
++            raise RuntimeError(f"Type annotation should not contain calls, 
but '{stmt}' does")
++    return eval(bytecode, glob, loc)  # type: ignore[arg-type] # noqa: P204
++
++
+ def parse_type_line(type_line, rcb, loc):
+     """Parses a type annotation specified as a comment.
+ 
+@@ -154,7 +164,7 @@ def parse_type_line(type_line, rcb, loc):
+     arg_ann_str, ret_ann_str = split_type_line(type_line)
+ 
+     try:
+-        arg_ann = eval(arg_ann_str, {}, EvalEnv(rcb))  # type: 
ignore[arg-type] # noqa: P204
++        arg_ann = _eval_no_call(arg_ann_str, {}, EvalEnv(rcb))
+     except (NameError, SyntaxError) as e:
+         raise RuntimeError("Failed to parse the argument list of a type 
annotation") from e
+ 
+@@ -162,7 +172,7 @@ def parse_type_line(type_line, rcb, loc):
+         arg_ann = (arg_ann,)
+ 
+     try:
+-        ret_ann = eval(ret_ann_str, {}, EvalEnv(rcb))  # type: 
ignore[arg-type] # noqa: P204
++        ret_ann = _eval_no_call(ret_ann_str, {}, EvalEnv(rcb))
+     except (NameError, SyntaxError) as e:
+         raise RuntimeError("Failed to parse the return type of a type 
annotation") from e
+ 
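Review bot: The `"CALL" in insn.opname` test inside `_eval_no_call` ties the whole safety check to CPython's opcode naming, and nothing in the docstring or the ebuild records that assumption. It relies on every opcode that performs a call carrying "CALL" in its name, and on newer interpreters the substring also matches non-call opcodes — CALL_INTRINSIC_1 on 3.12, emitted for unary plus and star-unpacking, would make `_eval_no_call` reject harmless annotations as far as I can tell, which matters once PYTHON_COMPAT grows beyond the 3.8–3.10 range the removed 1.11.0 ebuild declared. A comment above the loop would make the contract explicit: `# Assumes every opcode that performs a call has "CALL" in its name (CPython-specific; re-check on each new interpreter version).` Separately, the patch header says a unit test was added, but the vendored hunk carries only the annotations.py change; if it was dropped deliberately (the removed 1.11.0 ebuild had `RESTRICT="test"`, the -r1 ebuild's setting is outside this diff), a line in the patch header saying so would save the next maintainer a trip upstream.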

diff --git a/sci-libs/pytorch/metadata.xml b/sci-libs/pytorch/metadata.xml
index bc2785e5f6db..d12749aa5c21 100644
--- a/sci-libs/pytorch/metadata.xml
+++ b/sci-libs/pytorch/metadata.xml
@@ -5,17 +5,6 @@
                <email>tup...@gentoo.org</email>
                <name>Tupone Alfredo</name>
        </maintainer>
-       <use>
-               <flag name="cuda">Add support for CUDA processing</flag>
-               <flag name="ffmpeg">Add support for video processing 
operators</flag>
-               <flag name="nnpack">Use NNPACK</flag>
-               <flag name="numpy">Add support for math operations through 
numpy</flag>
-               <flag name="opencl">Use OpenCL</flag>
-               <flag name="opencv">Add support for image processing 
operators</flag>
-               <flag name="openmp">Use OpenMP for parallel code</flag>
-               <flag name="qnnpack">Use QNNPACK</flag>
-               <flag name="xnnpack">Use XNNPACK</flag>
-       </use>
        <upstream>
                <remote-id type="github">pytorch/pytorch</remote-id>
        </upstream>

diff --git a/sci-libs/pytorch/pytorch-1.11.0.ebuild 
b/sci-libs/pytorch/pytorch-1.11.0.ebuild
deleted file mode 100644
index 401bdea8264a..000000000000
--- a/sci-libs/pytorch/pytorch-1.11.0.ebuild
+++ /dev/null
@@ -1,58 +0,0 @@
-# Copyright 2022 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-DISTUTILS_USE_PEP517=setuptools
-PYTHON_COMPAT=( python3_{8,9,10} )
-inherit distutils-r1
-
-DESCRIPTION="Tensors and Dynamic neural networks in Python"
-HOMEPAGE="https://pytorch.org/";
-SRC_URI="https://github.com/pytorch/${PN}/archive/refs/tags/v${PV}.tar.gz
-       -> ${P}.tar.gz"
-
-LICENSE="BSD"
-SLOT="0"
-KEYWORDS="~amd64"
-RESTRICT="test"
-IUSE="cuda ffmpeg nnpack +numpy opencl opencv openmp qnnpack xnnpack"
-
-REQUIRED_USE=${PYTHON_REQUIRED_USE}
-RDEPEND="
-       ${PYTHON_DEPS}
-       ~sci-libs/caffe2-${PV}[${PYTHON_USEDEP}]
-       
sci-libs/caffe2[cuda?,ffmpeg?,nnpack?,numpy?,opencl?,opencv?,openmp?,qnnpack?,xnnpack?]
-       dev-python/typing-extensions[${PYTHON_USEDEP}]
-"
-DEPEND="${RDEPEND}
-       dev-python/pyyaml[${PYTHON_USEDEP}]
-"
-
-src_prepare() {
-       eapply \
-               
"${FILESDIR}"/0002-Don-t-build-libtorch-again-for-PyTorch-1.7.1.patch \
-               
"${FILESDIR}"/pytorch-1.9.0-Change-library-directory-according-to-CMake-build.patch
 \
-               "${FILESDIR}"/${PN}-1.6.0-global-dlopen.patch \
-               "${FILESDIR}"/pytorch-1.7.1-torch_shm_manager.patch
-
-       # Set build dir for pytorch's setup
-       sed -i \
-               -e "/BUILD_DIR/s|build|/var/lib/caffe2/|" \
-               tools/setup_helpers/env.py \
-               || die
-       distutils-r1_src_prepare
-}
-
-src_compile() {
-       PYTORCH_BUILD_VERSION=${PV} \
-       PYTORCH_BUILD_NUMBER=0 \
-       USE_SYSTEM_LIBS=ON \
-       CMAKE_BUILD_DIR="${BUILD_DIR}" \
-       BUILD_DIR= \
-       distutils-r1_src_compile
-}
-
-src_install() {
-       USE_SYSTEM_LIBS=ON distutils-r1_src_install
-}

diff --git a/sci-libs/pytorch/pytorch-1.12.0.ebuild 
b/sci-libs/pytorch/pytorch-1.12.0-r1.ebuild
similarity index 92%
rename from sci-libs/pytorch/pytorch-1.12.0.ebuild
rename to sci-libs/pytorch/pytorch-1.12.0-r1.ebuild
index 0a1cae78f4bb..02fa58c7ba75 100644
--- a/sci-libs/pytorch/pytorch-1.12.0.ebuild
+++ b/sci-libs/pytorch/pytorch-1.12.0-r1.ebuild
@@ -32,7 +32,8 @@ src_prepare() {
                
"${FILESDIR}"/0002-Don-t-build-libtorch-again-for-PyTorch-1.7.1.patch \
                
"${FILESDIR}"/pytorch-1.9.0-Change-library-directory-according-to-CMake-build.patch
 \
                "${FILESDIR}"/${PN}-1.6.0-global-dlopen.patch \
-               "${FILESDIR}"/pytorch-1.7.1-torch_shm_manager.patch
+               "${FILESDIR}"/pytorch-1.7.1-torch_shm_manager.patch \
+               "${FILESDIR}"/pytorch-1.12.0-CVE-2022-45907.patch
 
        # Set build dir for pytorch's setup
        sed -i \
