Your message dated Tue, 1 Oct 2024 21:11:05 +0200
with message-id <zvxjsb411wyba...@eldamar.lan>
and subject line Re: Bug#1072969: pytorch: CVE-2024-5480
has caused the Debian Bug report #1072969,
regarding pytorch: CVE-2024-5480
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1072969: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1072969
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: pytorch
Version: 2.1.2+dfsg-4
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for pytorch.
CVE-2024-5480[0]:
| A vulnerability in the PyTorch's torch.distributed.rpc framework,
| specifically in versions prior to 2.2.2, allows for remote code
| execution (RCE). The framework, which is used in distributed
| training scenarios, does not properly verify the functions being
| called during RPC (Remote Procedure Call) operations. This oversight
| permits attackers to execute arbitrary commands by leveraging built-
| in Python functions such as eval during multi-cpu RPC communication.
| The vulnerability arises from the lack of restriction on function
| calls when a worker node serializes and sends a PythonUDF (User
| Defined Function) to the master node, which then deserializes and
| executes the function without validation. This flaw can be exploited
| to compromise master nodes initiating distributed training,
| potentially leading to the theft of sensitive AI-related data.
Looking at the changes up to 2.2.2 upstream, it is not clear to me
where it has been fixed. It might be possible that it's still unfixed
in that tagged version (i.e. do not trust CVE descriptions). Can you
double-check this?
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-5480
https://www.cve.org/CVERecord?id=CVE-2024-5480
[1] https://huntr.com/bounties/39811836-c5b3-4999-831e-46fee8fcade3
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Hi
This bug can be closed. In fact it looks like this is a non-issue from
the reference Dylan pointed out, and it is as well disputed upstream. So far
the CVE has not been rejected, which hopefully still will happen.
https://github.com/pytorch/pytorch/issues/129228
https://github.com/pytorch/pytorch/security/policy#using-distributed-features
Regards,
Salvatore
--- End Message ---