authorAlfredo Tupone <tupone@gentoo.org>2022-11-30 19:12:11 +0100
committerAlfredo Tupone <tupone@gentoo.org>2022-11-30 19:13:03 +0100
commit1b1b577bb33b34295e8cad2294c5486ee50200cf (patch)
tree446bd42c95439694ee1782324ce92f950cca7014
parentsys-libs/libvpd: drop 2.2.8-r1 (diff)
sci-libs/pytorch: fix CVE-2022-45907
Bug: https://bugs.gentoo.org/883381 Signed-off-by: Alfredo Tupone <tupone@gentoo.org>
-rw-r--r--sci-libs/pytorch/Manifest1
-rw-r--r--sci-libs/pytorch/files/pytorch-1.12.0-CVE-2022-45907.patch59
-rw-r--r--sci-libs/pytorch/metadata.xml11
-rw-r--r--sci-libs/pytorch/pytorch-1.11.0.ebuild58
-rw-r--r--sci-libs/pytorch/pytorch-1.12.0-r1.ebuild (renamed from sci-libs/pytorch/pytorch-1.12.0.ebuild)3
5 files changed, 61 insertions, 71 deletions
diff --git a/sci-libs/pytorch/Manifest b/sci-libs/pytorch/Manifest
index 0d28654e641f..013309cd70ce 100644
--- a/sci-libs/pytorch/Manifest
+++ b/sci-libs/pytorch/Manifest
@@ -1,2 +1 @@
-DIST pytorch-1.11.0.tar.gz 20719323 BLAKE2B 24e7aaa2c26821d36f8092542de9d8d5ac85a619fb9fffb5131987958842afb1cad395780662d15f3411a7cc6ff83a445871960eca1e469fcbf0b9895d83d6e0 SHA512 2342eb7a1a241f5855a7cf12e11f62bc4baaa78d1d0864e53bfc946e783eb4addd05ca154a814d2376cd602098b5547e61c158d6eddb7cad5a9f3b0c1357adca
DIST pytorch-1.12.0.tar.gz 106286765 BLAKE2B ff9bafedb35f859f7dccb9b606299cf9c345bdaa0deb87ecfe0c0c30c3c828414d989e1d9a243d9b7cd3f376d56a2f81c241ca2e3c9a8a2b30cddcdeddd3a5c7 SHA512 c9c748a2e0047daaaf199a1ba3198d2d1aee47f664170a9b34ccacd3deeb95f2070e4035eeb900012ef48dc62cf6fb6806f1a1dfe22de8c94892963076e593b7
diff --git a/sci-libs/pytorch/files/pytorch-1.12.0-CVE-2022-45907.patch b/sci-libs/pytorch/files/pytorch-1.12.0-CVE-2022-45907.patch
new file mode 100644
index 000000000000..085b6d9ca1bb
--- /dev/null
+++ b/sci-libs/pytorch/files/pytorch-1.12.0-CVE-2022-45907.patch
@@ -0,0 +1,59 @@
+From 78cad998e505b667d25ac42f8aaa24409f5031e1 Mon Sep 17 00:00:00 2001
+From: Nikita Shulga <nshulga@meta.com>
+Date: Thu, 17 Nov 2022 22:05:27 +0000
+Subject: [PATCH] [JIT][Security] Do not blindly eval input string (#89189)
+
+Introduce `_eval_no_call` method, that evaluates statement only if it
+does not contain any calls(done by examining the bytecode), thus preventing command injection exploit
+
+Added simple unit test to check for that
+`torch.jit.annotations.get_signature` would not result in calling random
+code.
+
+Although, this code path exists for Python-2 compatibility, and perhaps
+should be simply removed.
+
+diff --git a/torch/jit/annotations.py b/torch/jit/annotations.py
+index a4a36ce36a5e8..a6ff2d04d2076 100644
+--- a/torch/jit/annotations.py
++++ b/torch/jit/annotations.py
+@@ -1,4 +1,5 @@
+ import ast
++import dis
+ import enum
+ import inspect
+ import re
+@@ -144,6 +145,15 @@ def check_fn(fn, loc):
+ raise torch.jit.frontend.FrontendError(loc, "Expected a single top-level function")
+
+
++def _eval_no_call(stmt, glob, loc):
++ """Evaluate statement as long as it does not contain any method/function calls"""
++ bytecode = compile(stmt, "", mode="eval")
++ for insn in dis.get_instructions(bytecode):
++ if "CALL" in insn.opname:
++ raise RuntimeError(f"Type annotation should not contain calls, but '{stmt}' does")
++ return eval(bytecode, glob, loc) # type: ignore[arg-type] # noqa: P204
++
++
+ def parse_type_line(type_line, rcb, loc):
+ """Parses a type annotation specified as a comment.
+
+@@ -154,7 +164,7 @@ def parse_type_line(type_line, rcb, loc):
+ arg_ann_str, ret_ann_str = split_type_line(type_line)
+
+ try:
+- arg_ann = eval(arg_ann_str, {}, EvalEnv(rcb)) # type: ignore[arg-type] # noqa: P204
++ arg_ann = _eval_no_call(arg_ann_str, {}, EvalEnv(rcb))
+ except (NameError, SyntaxError) as e:
+ raise RuntimeError("Failed to parse the argument list of a type annotation") from e
+
+@@ -162,7 +172,7 @@ def parse_type_line(type_line, rcb, loc):
+ arg_ann = (arg_ann,)
+
+ try:
+- ret_ann = eval(ret_ann_str, {}, EvalEnv(rcb)) # type: ignore[arg-type] # noqa: P204
++ ret_ann = _eval_no_call(ret_ann_str, {}, EvalEnv(rcb))
+ except (NameError, SyntaxError) as e:
+ raise RuntimeError("Failed to parse the return type of a type annotation") from e
+
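Review bot: `_eval_no_call` in the carried patch is a denylist: it rejects only instructions whose opname contains "CALL", so attribute lookups, subscripts, operators and string formatting in a type comment are still evaluated against whatever `rcb` resolves, and each of those can dispatch to Python-level methods without a call opcode. An allowlist of AST node types, checked before compiling, would fail closed on syntax that type comments never need; `ast` is already imported in this file. The node set below is my guess at what TorchScript type comments use and needs confirming for the supported Python versions (3.8 wraps subscript indices in `ast.Index`), and attribute access on resolved names stays reachable even with it. The upstream message says a unit test was added, but only the `torch/jit/annotations.py` hunks are carried here, so the regression test does not appear to ship with this patch.

```python
# Reviewer's guess at the syntax type comments need; confirm before adopting.
_ALLOWED_ANNOTATION_NODES = (
    ast.Expression, ast.Name, ast.Attribute, ast.Subscript,
    ast.Tuple, ast.List, ast.Constant, ast.Load,
)


def _eval_no_call(stmt, glob, loc):
    """Evaluate statement only if it is built from allowlisted annotation syntax"""
    tree = ast.parse(stmt, mode="eval")
    for node in ast.walk(tree):
        if not isinstance(node, _ALLOWED_ANNOTATION_NODES):
            raise RuntimeError(
                f"Type annotation contains unsupported syntax {type(node).__name__}: '{stmt}'"
            )
    return eval(compile(tree, "", mode="eval"), glob, loc)  # type: ignore[arg-type] # noqa: P204
```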
diff --git a/sci-libs/pytorch/metadata.xml b/sci-libs/pytorch/metadata.xml
index bc2785e5f6db..d12749aa5c21 100644
--- a/sci-libs/pytorch/metadata.xml
+++ b/sci-libs/pytorch/metadata.xml
@@ -5,17 +5,6 @@
<email>tupone@gentoo.org</email>
<name>Tupone Alfredo</name>
</maintainer>
- <use>
- <flag name="cuda">Add support for CUDA processing</flag>
- <flag name="ffmpeg">Add support for video processing operators</flag>
- <flag name="nnpack">Use NNPACK</flag>
- <flag name="numpy">Add support for math operations through numpy</flag>
- <flag name="opencl">Use OpenCL</flag>
- <flag name="opencv">Add support for image processing operators</flag>
- <flag name="openmp">Use OpenMP for parallel code</flag>
- <flag name="qnnpack">Use QNNPACK</flag>
- <flag name="xnnpack">Use XNNPACK</flag>
- </use>
<upstream>
<remote-id type="github">pytorch/pytorch</remote-id>
</upstream>
diff --git a/sci-libs/pytorch/pytorch-1.11.0.ebuild b/sci-libs/pytorch/pytorch-1.11.0.ebuild
deleted file mode 100644
index 401bdea8264a..000000000000
--- a/sci-libs/pytorch/pytorch-1.11.0.ebuild
+++ /dev/null
@@ -1,58 +0,0 @@
-# Copyright 2022 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-DISTUTILS_USE_PEP517=setuptools
-PYTHON_COMPAT=( python3_{8,9,10} )
-inherit distutils-r1
-
-DESCRIPTION="Tensors and Dynamic neural networks in Python"
-HOMEPAGE="https://pytorch.org/"
-SRC_URI="https://github.com/pytorch/${PN}/archive/refs/tags/v${PV}.tar.gz
- -> ${P}.tar.gz"
-
-LICENSE="BSD"
-SLOT="0"
-KEYWORDS="~amd64"
-RESTRICT="test"
-IUSE="cuda ffmpeg nnpack +numpy opencl opencv openmp qnnpack xnnpack"
-
-REQUIRED_USE=${PYTHON_REQUIRED_USE}
-RDEPEND="
- ${PYTHON_DEPS}
- ~sci-libs/caffe2-${PV}[${PYTHON_USEDEP}]
- sci-libs/caffe2[cuda?,ffmpeg?,nnpack?,numpy?,opencl?,opencv?,openmp?,qnnpack?,xnnpack?]
- dev-python/typing-extensions[${PYTHON_USEDEP}]
-"
-DEPEND="${RDEPEND}
- dev-python/pyyaml[${PYTHON_USEDEP}]
-"
-
-src_prepare() {
- eapply \
- "${FILESDIR}"/0002-Don-t-build-libtorch-again-for-PyTorch-1.7.1.patch \
- "${FILESDIR}"/pytorch-1.9.0-Change-library-directory-according-to-CMake-build.patch \
- "${FILESDIR}"/${PN}-1.6.0-global-dlopen.patch \
- "${FILESDIR}"/pytorch-1.7.1-torch_shm_manager.patch
-
- # Set build dir for pytorch's setup
- sed -i \
- -e "/BUILD_DIR/s|build|/var/lib/caffe2/|" \
- tools/setup_helpers/env.py \
- || die
- distutils-r1_src_prepare
-}
-
-src_compile() {
- PYTORCH_BUILD_VERSION=${PV} \
- PYTORCH_BUILD_NUMBER=0 \
- USE_SYSTEM_LIBS=ON \
- CMAKE_BUILD_DIR="${BUILD_DIR}" \
- BUILD_DIR= \
- distutils-r1_src_compile
-}
-
-src_install() {
- USE_SYSTEM_LIBS=ON distutils-r1_src_install
-}
diff --git a/sci-libs/pytorch/pytorch-1.12.0.ebuild b/sci-libs/pytorch/pytorch-1.12.0-r1.ebuild
index 0a1cae78f4bb..02fa58c7ba75 100644
--- a/sci-libs/pytorch/pytorch-1.12.0.ebuild
+++ b/sci-libs/pytorch/pytorch-1.12.0-r1.ebuild
@@ -32,7 +32,8 @@ src_prepare() {
"${FILESDIR}"/0002-Don-t-build-libtorch-again-for-PyTorch-1.7.1.patch \
"${FILESDIR}"/pytorch-1.9.0-Change-library-directory-according-to-CMake-build.patch \
"${FILESDIR}"/${PN}-1.6.0-global-dlopen.patch \
- "${FILESDIR}"/pytorch-1.7.1-torch_shm_manager.patch
+ "${FILESDIR}"/pytorch-1.7.1-torch_shm_manager.patch \
+ "${FILESDIR}"/pytorch-1.12.0-CVE-2022-45907.patch
# Set build dir for pytorch's setup
sed -i \