commit: 1b1b577bb33b34295e8cad2294c5486ee50200cf |
Author: Alfredo Tupone <tupone <AT> gentoo <DOT> org> |
AuthorDate: Wed Nov 30 18:12:11 2022 +0000 |
Commit: Alfredo Tupone <tupone <AT> gentoo <DOT> org> |
CommitDate: Wed Nov 30 18:13:03 2022 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1b1b577b |
|
sci-libs/pytorch: fix CVE-2022-45907 |
|
Bug: https://bugs.gentoo.org/883381 |
Signed-off-by: Alfredo Tupone <tupone <AT> gentoo.org> |
|
sci-libs/pytorch/Manifest | 1 - |
.../files/pytorch-1.12.0-CVE-2022-45907.patch | 59 ++++++++++++++++++++++ |
sci-libs/pytorch/metadata.xml | 11 ---- |
sci-libs/pytorch/pytorch-1.11.0.ebuild | 58 --------------------- |
...orch-1.12.0.ebuild => pytorch-1.12.0-r1.ebuild} | 3 +- |
5 files changed, 61 insertions(+), 71 deletions(-) |
|
diff --git a/sci-libs/pytorch/Manifest b/sci-libs/pytorch/Manifest |
21 |
index 0d28654e641f..013309cd70ce 100644 |
22 |
--- a/sci-libs/pytorch/Manifest |
23 |
+++ b/sci-libs/pytorch/Manifest |
24 |
@@ -1,2 +1 @@ |
25 |
-DIST pytorch-1.11.0.tar.gz 20719323 BLAKE2B 24e7aaa2c26821d36f8092542de9d8d5ac85a619fb9fffb5131987958842afb1cad395780662d15f3411a7cc6ff83a445871960eca1e469fcbf0b9895d83d6e0 SHA512 2342eb7a1a241f5855a7cf12e11f62bc4baaa78d1d0864e53bfc946e783eb4addd05ca154a814d2376cd602098b5547e61c158d6eddb7cad5a9f3b0c1357adca |
26 |
DIST pytorch-1.12.0.tar.gz 106286765 BLAKE2B ff9bafedb35f859f7dccb9b606299cf9c345bdaa0deb87ecfe0c0c30c3c828414d989e1d9a243d9b7cd3f376d56a2f81c241ca2e3c9a8a2b30cddcdeddd3a5c7 SHA512 c9c748a2e0047daaaf199a1ba3198d2d1aee47f664170a9b34ccacd3deeb95f2070e4035eeb900012ef48dc62cf6fb6806f1a1dfe22de8c94892963076e593b7 |
27 |
|
28 |
diff --git a/sci-libs/pytorch/files/pytorch-1.12.0-CVE-2022-45907.patch b/sci-libs/pytorch/files/pytorch-1.12.0-CVE-2022-45907.patch |
29 |
new file mode 100644 |
30 |
index 000000000000..085b6d9ca1bb |
31 |
--- /dev/null |
32 |
+++ b/sci-libs/pytorch/files/pytorch-1.12.0-CVE-2022-45907.patch |
33 |
@@ -0,0 +1,59 @@ |
34 |
+From 78cad998e505b667d25ac42f8aaa24409f5031e1 Mon Sep 17 00:00:00 2001 |
35 |
+From: Nikita Shulga <nshulga@××××.com> |
36 |
+Date: Thu, 17 Nov 2022 22:05:27 +0000 |
37 |
+Subject: [PATCH] [JIT][Security] Do not blindly eval input string (#89189) |
38 |
+ |
39 |
+Introduce `_eval_no_call` method, that evaluates statement only if it |
40 |
+does not contain any calls(done by examining the bytecode), thus preventing command injection exploit |
41 |
+ |
42 |
+Added simple unit test to check for that |
43 |
+`torch.jit.annotations.get_signature` would not result in calling random |
44 |
+code. |
45 |
+ |
46 |
+Although, this code path exists for Python-2 compatibility, and perhaps |
47 |
+should be simply removed. |
48 |
+ |
49 |
+diff --git a/torch/jit/annotations.py b/torch/jit/annotations.py |
50 |
+index a4a36ce36a5e8..a6ff2d04d2076 100644 |
51 |
+--- a/torch/jit/annotations.py |
52 |
++++ b/torch/jit/annotations.py |
53 |
+@@ -1,4 +1,5 @@ |
54 |
+ import ast |
55 |
++import dis |
56 |
+ import enum |
57 |
+ import inspect |
58 |
+ import re |
59 |
+@@ -144,6 +145,15 @@ def check_fn(fn, loc): |
60 |
+ raise torch.jit.frontend.FrontendError(loc, "Expected a single top-level function") |
61 |
+ |
62 |
+ |
63 |
++def _eval_no_call(stmt, glob, loc): |
64 |
++ """Evaluate statement as long as it does not contain any method/function calls""" |
65 |
++ bytecode = compile(stmt, "", mode="eval") |
66 |
++ for insn in dis.get_instructions(bytecode): |
67 |
++ if "CALL" in insn.opname: |
68 |
++ raise RuntimeError(f"Type annotation should not contain calls, but '{stmt}' does") |
69 |
++ return eval(bytecode, glob, loc) # type: ignore[arg-type] # noqa: P204 |
70 |
++ |
71 |
++ |
72 |
+ def parse_type_line(type_line, rcb, loc): |
73 |
+ """Parses a type annotation specified as a comment. |
74 |
+ |
75 |
+@@ -154,7 +164,7 @@ def parse_type_line(type_line, rcb, loc): |
76 |
+ arg_ann_str, ret_ann_str = split_type_line(type_line) |
77 |
+ |
78 |
+ try: |
79 |
+- arg_ann = eval(arg_ann_str, {}, EvalEnv(rcb)) # type: ignore[arg-type] # noqa: P204 |
80 |
++ arg_ann = _eval_no_call(arg_ann_str, {}, EvalEnv(rcb)) |
81 |
+ except (NameError, SyntaxError) as e: |
82 |
+ raise RuntimeError("Failed to parse the argument list of a type annotation") from e |
83 |
+ |
84 |
+@@ -162,7 +172,7 @@ def parse_type_line(type_line, rcb, loc): |
85 |
+ arg_ann = (arg_ann,) |
86 |
+ |
87 |
+ try: |
88 |
+- ret_ann = eval(ret_ann_str, {}, EvalEnv(rcb)) # type: ignore[arg-type] # noqa: P204 |
89 |
++ ret_ann = _eval_no_call(ret_ann_str, {}, EvalEnv(rcb)) |
90 |
+ except (NameError, SyntaxError) as e: |
91 |
+ raise RuntimeError("Failed to parse the return type of a type annotation") from e |
92 |
+ |
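Review bot: The `"CALL" in insn.opname` test in `_eval_no_call` (new-file lines 63–69) rejects explicit call opcodes only; evaluating attribute access, subscripts or operators in the annotation string still dispatches to `__getattr__`/`__getitem__`/operator dunders on whatever objects `EvalEnv(rcb)` hands back (rcb is presumably a name-resolution callback), and passing `{}` as globals makes CPython inject `__builtins__`, so names such as `__import__` remain resolvable even though they cannot be invoked. That matches upstream #89189 and addresses the reported injection, but it narrows `eval` rather than sandboxing it, and the docstring should say so: `# NOTE: rejects CALL* opcodes only; attribute/subscript/operator evaluation can still run dunder methods of objects returned by rcb -- this is not a sandbox`. The substring match also relies on CPython opcode naming (CALL_FUNCTION/CALL_METHOD on 3.8–3.10, CALL on 3.11), which holds for the 3.8–3.10 interpreters the removed 1.11.0 ebuild listed but deserves a one-line comment. Separately, the upstream message says a unit test was added, yet the backported patch carries only the annotations.py hunk, so the fix is not exercised at build time; either backport the test or note the omission in the patch header.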
93 |
|
94 |
diff --git a/sci-libs/pytorch/metadata.xml b/sci-libs/pytorch/metadata.xml |
95 |
index bc2785e5f6db..d12749aa5c21 100644 |
96 |
--- a/sci-libs/pytorch/metadata.xml |
97 |
+++ b/sci-libs/pytorch/metadata.xml |
98 |
@@ -5,17 +5,6 @@ |
99 |
<email>tupone@g.o</email> |
100 |
<name>Tupone Alfredo</name> |
101 |
</maintainer> |
102 |
- <use> |
103 |
- <flag name="cuda">Add support for CUDA processing</flag> |
104 |
- <flag name="ffmpeg">Add support for video processing operators</flag> |
105 |
- <flag name="nnpack">Use NNPACK</flag> |
106 |
- <flag name="numpy">Add support for math operations through numpy</flag> |
107 |
- <flag name="opencl">Use OpenCL</flag> |
108 |
- <flag name="opencv">Add support for image processing operators</flag> |
109 |
- <flag name="openmp">Use OpenMP for parallel code</flag> |
110 |
- <flag name="qnnpack">Use QNNPACK</flag> |
111 |
- <flag name="xnnpack">Use XNNPACK</flag> |
112 |
- </use> |
113 |
<upstream> |
114 |
<remote-id type="github">pytorch/pytorch</remote-id> |
115 |
</upstream> |
116 |
|
117 |
diff --git a/sci-libs/pytorch/pytorch-1.11.0.ebuild b/sci-libs/pytorch/pytorch-1.11.0.ebuild |
118 |
deleted file mode 100644 |
119 |
index 401bdea8264a..000000000000 |
120 |
--- a/sci-libs/pytorch/pytorch-1.11.0.ebuild |
121 |
+++ /dev/null |
122 |
@@ -1,58 +0,0 @@ |
123 |
-# Copyright 2022 Gentoo Authors |
124 |
-# Distributed under the terms of the GNU General Public License v2 |
125 |
- |
126 |
-EAPI=8 |
127 |
- |
128 |
-DISTUTILS_USE_PEP517=setuptools |
129 |
-PYTHON_COMPAT=( python3_{8,9,10} ) |
130 |
-inherit distutils-r1 |
131 |
- |
132 |
-DESCRIPTION="Tensors and Dynamic neural networks in Python" |
133 |
-HOMEPAGE="https://pytorch.org/" |
134 |
-SRC_URI="https://github.com/pytorch/${PN}/archive/refs/tags/v${PV}.tar.gz |
135 |
- -> ${P}.tar.gz" |
136 |
- |
137 |
-LICENSE="BSD" |
138 |
-SLOT="0" |
139 |
-KEYWORDS="~amd64" |
140 |
-RESTRICT="test" |
141 |
-IUSE="cuda ffmpeg nnpack +numpy opencl opencv openmp qnnpack xnnpack" |
142 |
- |
143 |
-REQUIRED_USE=${PYTHON_REQUIRED_USE} |
144 |
-RDEPEND=" |
145 |
- ${PYTHON_DEPS} |
146 |
- ~sci-libs/caffe2-${PV}[${PYTHON_USEDEP}] |
147 |
- sci-libs/caffe2[cuda?,ffmpeg?,nnpack?,numpy?,opencl?,opencv?,openmp?,qnnpack?,xnnpack?] |
148 |
- dev-python/typing-extensions[${PYTHON_USEDEP}] |
149 |
-" |
150 |
-DEPEND="${RDEPEND} |
151 |
- dev-python/pyyaml[${PYTHON_USEDEP}] |
152 |
-" |
153 |
- |
154 |
-src_prepare() { |
155 |
- eapply \ |
156 |
- "${FILESDIR}"/0002-Don-t-build-libtorch-again-for-PyTorch-1.7.1.patch \ |
157 |
- "${FILESDIR}"/pytorch-1.9.0-Change-library-directory-according-to-CMake-build.patch \ |
158 |
- "${FILESDIR}"/${PN}-1.6.0-global-dlopen.patch \ |
159 |
- "${FILESDIR}"/pytorch-1.7.1-torch_shm_manager.patch |
160 |
- |
161 |
- # Set build dir for pytorch's setup |
162 |
- sed -i \ |
163 |
- -e "/BUILD_DIR/s|build|/var/lib/caffe2/|" \ |
164 |
- tools/setup_helpers/env.py \ |
165 |
- || die |
166 |
- distutils-r1_src_prepare |
167 |
-} |
168 |
- |
169 |
-src_compile() { |
170 |
- PYTORCH_BUILD_VERSION=${PV} \ |
171 |
- PYTORCH_BUILD_NUMBER=0 \ |
172 |
- USE_SYSTEM_LIBS=ON \ |
173 |
- CMAKE_BUILD_DIR="${BUILD_DIR}" \ |
174 |
- BUILD_DIR= \ |
175 |
- distutils-r1_src_compile |
176 |
-} |
177 |
- |
178 |
-src_install() { |
179 |
- USE_SYSTEM_LIBS=ON distutils-r1_src_install |
180 |
-} |
181 |
|
182 |
diff --git a/sci-libs/pytorch/pytorch-1.12.0.ebuild b/sci-libs/pytorch/pytorch-1.12.0-r1.ebuild |
183 |
similarity index 92% |
184 |
rename from sci-libs/pytorch/pytorch-1.12.0.ebuild |
185 |
rename to sci-libs/pytorch/pytorch-1.12.0-r1.ebuild |
186 |
index 0a1cae78f4bb..02fa58c7ba75 100644 |
187 |
--- a/sci-libs/pytorch/pytorch-1.12.0.ebuild |
188 |
+++ b/sci-libs/pytorch/pytorch-1.12.0-r1.ebuild |
189 |
@@ -32,7 +32,8 @@ src_prepare() { |
190 |
"${FILESDIR}"/0002-Don-t-build-libtorch-again-for-PyTorch-1.7.1.patch \ |
191 |
"${FILESDIR}"/pytorch-1.9.0-Change-library-directory-according-to-CMake-build.patch \ |
192 |
"${FILESDIR}"/${PN}-1.6.0-global-dlopen.patch \ |
193 |
- "${FILESDIR}"/pytorch-1.7.1-torch_shm_manager.patch |
194 |
+ "${FILESDIR}"/pytorch-1.7.1-torch_shm_manager.patch \ |
195 |
+ "${FILESDIR}"/pytorch-1.12.0-CVE-2022-45907.patch |
196 |
|
197 |
# Set build dir for pytorch's setup |
198 |
sed -i \ |