
From: Alfredo Tupone <tupone@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: sci-libs/pytorch/files/, sci-libs/pytorch/
Date: Wed, 30 Nov 2022 18:13:24
Message-Id: 1669831983.1b1b577bb33b34295e8cad2294c5486ee50200cf.tupone@gentoo
1 commit: 1b1b577bb33b34295e8cad2294c5486ee50200cf
2 Author: Alfredo Tupone <tupone <AT> gentoo <DOT> org>
3 AuthorDate: Wed Nov 30 18:12:11 2022 +0000
4 Commit: Alfredo Tupone <tupone <AT> gentoo <DOT> org>
5 CommitDate: Wed Nov 30 18:13:03 2022 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1b1b577b
7
8 sci-libs/pytorch: fix CVE-2022-45907
9
10 Bug: https://bugs.gentoo.org/883381
11 Signed-off-by: Alfredo Tupone <tupone <AT> gentoo.org>
12
13 sci-libs/pytorch/Manifest | 1 -
14 .../files/pytorch-1.12.0-CVE-2022-45907.patch | 59 ++++++++++++++++++++++
15 sci-libs/pytorch/metadata.xml | 11 ----
16 sci-libs/pytorch/pytorch-1.11.0.ebuild | 58 ---------------------
17 ...orch-1.12.0.ebuild => pytorch-1.12.0-r1.ebuild} | 3 +-
18 5 files changed, 61 insertions(+), 71 deletions(-)
19
20 diff --git a/sci-libs/pytorch/Manifest b/sci-libs/pytorch/Manifest
21 index 0d28654e641f..013309cd70ce 100644
22 --- a/sci-libs/pytorch/Manifest
23 +++ b/sci-libs/pytorch/Manifest
24 @@ -1,2 +1 @@
25 -DIST pytorch-1.11.0.tar.gz 20719323 BLAKE2B 24e7aaa2c26821d36f8092542de9d8d5ac85a619fb9fffb5131987958842afb1cad395780662d15f3411a7cc6ff83a445871960eca1e469fcbf0b9895d83d6e0 SHA512 2342eb7a1a241f5855a7cf12e11f62bc4baaa78d1d0864e53bfc946e783eb4addd05ca154a814d2376cd602098b5547e61c158d6eddb7cad5a9f3b0c1357adca
26 DIST pytorch-1.12.0.tar.gz 106286765 BLAKE2B ff9bafedb35f859f7dccb9b606299cf9c345bdaa0deb87ecfe0c0c30c3c828414d989e1d9a243d9b7cd3f376d56a2f81c241ca2e3c9a8a2b30cddcdeddd3a5c7 SHA512 c9c748a2e0047daaaf199a1ba3198d2d1aee47f664170a9b34ccacd3deeb95f2070e4035eeb900012ef48dc62cf6fb6806f1a1dfe22de8c94892963076e593b7
27
28 diff --git a/sci-libs/pytorch/files/pytorch-1.12.0-CVE-2022-45907.patch b/sci-libs/pytorch/files/pytorch-1.12.0-CVE-2022-45907.patch
29 new file mode 100644
30 index 000000000000..085b6d9ca1bb
31 --- /dev/null
32 +++ b/sci-libs/pytorch/files/pytorch-1.12.0-CVE-2022-45907.patch
33 @@ -0,0 +1,59 @@
34 +From 78cad998e505b667d25ac42f8aaa24409f5031e1 Mon Sep 17 00:00:00 2001
35 +From: Nikita Shulga <nshulga@××××.com>
36 +Date: Thu, 17 Nov 2022 22:05:27 +0000
37 +Subject: [PATCH] [JIT][Security] Do not blindly eval input string (#89189)
38 +
39 +Introduce `_eval_no_call` method, that evaluates statement only if it
40 +does not contain any calls(done by examining the bytecode), thus preventing command injection exploit
41 +
42 +Added simple unit test to check for that
43 +`torch.jit.annotations.get_signature` would not result in calling random
44 +code.
45 +
46 +Although, this code path exists for Python-2 compatibility, and perhaps
47 +should be simply removed.
48 +
49 +diff --git a/torch/jit/annotations.py b/torch/jit/annotations.py
50 +index a4a36ce36a5e8..a6ff2d04d2076 100644
51 +--- a/torch/jit/annotations.py
52 ++++ b/torch/jit/annotations.py
53 +@@ -1,4 +1,5 @@
54 + import ast
55 ++import dis
56 + import enum
57 + import inspect
58 + import re
59 +@@ -144,6 +145,15 @@ def check_fn(fn, loc):
60 + raise torch.jit.frontend.FrontendError(loc, "Expected a single top-level function")
61 +
62 +
63 ++def _eval_no_call(stmt, glob, loc):
64 ++ """Evaluate statement as long as it does not contain any method/function calls"""
65 ++ bytecode = compile(stmt, "", mode="eval")
66 ++ for insn in dis.get_instructions(bytecode):
67 ++ if "CALL" in insn.opname:
68 ++ raise RuntimeError(f"Type annotation should not contain calls, but '{stmt}' does")
69 ++ return eval(bytecode, glob, loc) # type: ignore[arg-type] # noqa: P204
70 ++
71 ++
72 + def parse_type_line(type_line, rcb, loc):
73 + """Parses a type annotation specified as a comment.
74 +
75 +@@ -154,7 +164,7 @@ def parse_type_line(type_line, rcb, loc):
76 + arg_ann_str, ret_ann_str = split_type_line(type_line)
77 +
78 + try:
79 +- arg_ann = eval(arg_ann_str, {}, EvalEnv(rcb)) # type: ignore[arg-type] # noqa: P204
80 ++ arg_ann = _eval_no_call(arg_ann_str, {}, EvalEnv(rcb))
81 + except (NameError, SyntaxError) as e:
82 + raise RuntimeError("Failed to parse the argument list of a type annotation") from e
83 +
84 +@@ -162,7 +172,7 @@ def parse_type_line(type_line, rcb, loc):
85 + arg_ann = (arg_ann,)
86 +
87 + try:
88 +- ret_ann = eval(ret_ann_str, {}, EvalEnv(rcb)) # type: ignore[arg-type] # noqa: P204
89 ++ ret_ann = _eval_no_call(ret_ann_str, {}, EvalEnv(rcb))
90 + except (NameError, SyntaxError) as e:
91 + raise RuntimeError("Failed to parse the return type of a type annotation") from e
92 +
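Review bot: The check in `_eval_no_call` is a denylist over CPython opcode names (`"CALL" in insn.opname`), so it fails open: expression forms that run code without a CALL-family opcode (attribute access, subscripting or operators that dispatch to methods of objects resolved through `EvalEnv(rcb)`) are still evaluated, and the opcode names themselves change between interpreter versions. An allowlist over the parsed AST fails closed instead; `ast` is already imported in this file, and the fence below accepts only names, attribute access, subscripts, tuples/lists and constants before calling `eval`. The node set is inferred from what type comments normally contain and would need `ast.Index` and the pre-3.8 constant nodes on older interpreters, so confirm it against the supported Python versions and the existing annotation tests. `ast.parse` raises `SyntaxError` like `compile` does, so the `except (NameError, SyntaxError)` handlers in `parse_type_line` keep working.

```python
# Node types a type comment is expected to need; anything else is rejected.
_ALLOWED_ANNOTATION_NODES = (
    ast.Expression, ast.Name, ast.Attribute, ast.Subscript,
    ast.Tuple, ast.List, ast.Constant, ast.Load,
)


def _eval_no_call(stmt, glob, loc):
    """Evaluate an annotation built only from names, attributes, subscripts and literals"""
    tree = ast.parse(stmt, mode="eval")
    for node in ast.walk(tree):
        if not isinstance(node, _ALLOWED_ANNOTATION_NODES):
            raise RuntimeError(
                f"Type annotation should not contain {type(node).__name__}, but '{stmt}' does")
    return eval(compile(tree, "", mode="eval"), glob, loc)  # type: ignore[arg-type] # noqa: P204
```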
93
94 diff --git a/sci-libs/pytorch/metadata.xml b/sci-libs/pytorch/metadata.xml
95 index bc2785e5f6db..d12749aa5c21 100644
96 --- a/sci-libs/pytorch/metadata.xml
97 +++ b/sci-libs/pytorch/metadata.xml
98 @@ -5,17 +5,6 @@
99 <email>tupone@g.o</email>
100 <name>Tupone Alfredo</name>
101 </maintainer>
102 - <use>
103 - <flag name="cuda">Add support for CUDA processing</flag>
104 - <flag name="ffmpeg">Add support for video processing operators</flag>
105 - <flag name="nnpack">Use NNPACK</flag>
106 - <flag name="numpy">Add support for math operations through numpy</flag>
107 - <flag name="opencl">Use OpenCL</flag>
108 - <flag name="opencv">Add support for image processing operators</flag>
109 - <flag name="openmp">Use OpenMP for parallel code</flag>
110 - <flag name="qnnpack">Use QNNPACK</flag>
111 - <flag name="xnnpack">Use XNNPACK</flag>
112 - </use>
113 <upstream>
114 <remote-id type="github">pytorch/pytorch</remote-id>
115 </upstream>
116
117 diff --git a/sci-libs/pytorch/pytorch-1.11.0.ebuild b/sci-libs/pytorch/pytorch-1.11.0.ebuild
118 deleted file mode 100644
119 index 401bdea8264a..000000000000
120 --- a/sci-libs/pytorch/pytorch-1.11.0.ebuild
121 +++ /dev/null
122 @@ -1,58 +0,0 @@
123 -# Copyright 2022 Gentoo Authors
124 -# Distributed under the terms of the GNU General Public License v2
125 -
126 -EAPI=8
127 -
128 -DISTUTILS_USE_PEP517=setuptools
129 -PYTHON_COMPAT=( python3_{8,9,10} )
130 -inherit distutils-r1
131 -
132 -DESCRIPTION="Tensors and Dynamic neural networks in Python"
133 -HOMEPAGE="https://pytorch.org/"
134 -SRC_URI="https://github.com/pytorch/${PN}/archive/refs/tags/v${PV}.tar.gz
135 - -> ${P}.tar.gz"
136 -
137 -LICENSE="BSD"
138 -SLOT="0"
139 -KEYWORDS="~amd64"
140 -RESTRICT="test"
141 -IUSE="cuda ffmpeg nnpack +numpy opencl opencv openmp qnnpack xnnpack"
142 -
143 -REQUIRED_USE=${PYTHON_REQUIRED_USE}
144 -RDEPEND="
145 - ${PYTHON_DEPS}
146 - ~sci-libs/caffe2-${PV}[${PYTHON_USEDEP}]
147 - sci-libs/caffe2[cuda?,ffmpeg?,nnpack?,numpy?,opencl?,opencv?,openmp?,qnnpack?,xnnpack?]
148 - dev-python/typing-extensions[${PYTHON_USEDEP}]
149 -"
150 -DEPEND="${RDEPEND}
151 - dev-python/pyyaml[${PYTHON_USEDEP}]
152 -"
153 -
154 -src_prepare() {
155 - eapply \
156 - "${FILESDIR}"/0002-Don-t-build-libtorch-again-for-PyTorch-1.7.1.patch \
157 - "${FILESDIR}"/pytorch-1.9.0-Change-library-directory-according-to-CMake-build.patch \
158 - "${FILESDIR}"/${PN}-1.6.0-global-dlopen.patch \
159 - "${FILESDIR}"/pytorch-1.7.1-torch_shm_manager.patch
160 -
161 - # Set build dir for pytorch's setup
162 - sed -i \
163 - -e "/BUILD_DIR/s|build|/var/lib/caffe2/|" \
164 - tools/setup_helpers/env.py \
165 - || die
166 - distutils-r1_src_prepare
167 -}
168 -
169 -src_compile() {
170 - PYTORCH_BUILD_VERSION=${PV} \
171 - PYTORCH_BUILD_NUMBER=0 \
172 - USE_SYSTEM_LIBS=ON \
173 - CMAKE_BUILD_DIR="${BUILD_DIR}" \
174 - BUILD_DIR= \
175 - distutils-r1_src_compile
176 -}
177 -
178 -src_install() {
179 - USE_SYSTEM_LIBS=ON distutils-r1_src_install
180 -}
181
182 diff --git a/sci-libs/pytorch/pytorch-1.12.0.ebuild b/sci-libs/pytorch/pytorch-1.12.0-r1.ebuild
183 similarity index 92%
184 rename from sci-libs/pytorch/pytorch-1.12.0.ebuild
185 rename to sci-libs/pytorch/pytorch-1.12.0-r1.ebuild
186 index 0a1cae78f4bb..02fa58c7ba75 100644
187 --- a/sci-libs/pytorch/pytorch-1.12.0.ebuild
188 +++ b/sci-libs/pytorch/pytorch-1.12.0-r1.ebuild
189 @@ -32,7 +32,8 @@ src_prepare() {
190 "${FILESDIR}"/0002-Don-t-build-libtorch-again-for-PyTorch-1.7.1.patch \
191 "${FILESDIR}"/pytorch-1.9.0-Change-library-directory-according-to-CMake-build.patch \
192 "${FILESDIR}"/${PN}-1.6.0-global-dlopen.patch \
193 - "${FILESDIR}"/pytorch-1.7.1-torch_shm_manager.patch
194 + "${FILESDIR}"/pytorch-1.7.1-torch_shm_manager.patch \
195 + "${FILESDIR}"/pytorch-1.12.0-CVE-2022-45907.patch
196
197 # Set build dir for pytorch's setup
198 sed -i \