Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 883381 (CVE-2022-45907) - <sci-libs/pytorch-1.12.0-r1: unsafe eval in JIT handling
Summary: <sci-libs/pytorch-1.12.0-r1: unsafe eval in JIT handling
Status: RESOLVED FIXED
Alias: CVE-2022-45907
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL: https://github.com/pytorch/pytorch/is...
Whiteboard: ~2 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2022-11-28 04:38 UTC by John Helmert III
Modified: 2022-11-30 20:10 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-28 04:38:25 UTC 
CVE-2022-45907:

In PyTorch before trunk/89695, torch.jit.annotations.parse_type_line can cause arbitrary code execution because eval is used unsafely.

Patch at: https://github.com/pytorch/pytorch/commit/767f6aa49fe20a2766b9843d01e3b7f7793df6a3
Comment 1 Larry the Git Cow gentoo-dev 2022-11-30 18:13:19 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1b1b577bb33b34295e8cad2294c5486ee50200cf

commit 1b1b577bb33b34295e8cad2294c5486ee50200cf
Author:     Alfredo Tupone <tupone@gentoo.org>
AuthorDate: 2022-11-30 18:12:11 +0000
Commit:     Alfredo Tupone <tupone@gentoo.org>
CommitDate: 2022-11-30 18:13:03 +0000

    sci-libs/pytorch: fix CVE-2022-45907
    
    Bug: https://bugs.gentoo.org/883381
    Signed-off-by: Alfredo Tupone <tupone@gentoo.org>

 sci-libs/pytorch/Manifest                          |  1 -
 .../files/pytorch-1.12.0-CVE-2022-45907.patch      | 59 ++++++++++++++++++++++
 sci-libs/pytorch/metadata.xml                      | 11 ----
 sci-libs/pytorch/pytorch-1.11.0.ebuild             | 58 ---------------------
 ...orch-1.12.0.ebuild => pytorch-1.12.0-r1.ebuild} |  3 +-
 5 files changed, 61 insertions(+), 71 deletions(-)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-30 20:10:40 UTC 
Thanks, all done!