CVE-2022-45907: [JIT][Security] Do not blindly eval input string (#89189) · pytorch/pytorch@767f6aa

In PyTorch before trunk/89695, torch.jit.annotations.parse_type_line can cause arbitrary code execution because eval is used unsafely.

[JIT][Security] Do not blindly eval input string (#89189)

Introduce `_eval_no_call` method, that evaluates statement only if it does not contain any calls (done by examining the bytecode), thus preventing command injection exploit

Added a simple unit test to check that `torch.jit.annotations.get_signature` would not result in calling random code.

That said, this code path exists for Python 2 compatibility, and perhaps should simply be removed.

Fixes #88868

Pull Request resolved: #89189
Approved by: https://github.com/suo
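The check the commit message describes, compile the type string and refuse to evaluate it if its bytecode contains any call instruction, as an added illustration that is not PyTorch's own `_eval_no_call`; the function names, `UnsafeTypeString` and the `SAMPLE_ENV` dictionary are constructed for this example.

```python
# Added illustration (hypothetical names, not PyTorch's own code) of the
# check the commit message describes: refuse to eval a type string whose
# bytecode contains any call instruction.
import dis
from typing import Any, Dict, List, Optional, Tuple


class UnsafeTypeString(ValueError):
    """The type string would invoke a function or method when evaluated."""


def eval_type_string_unsafe(type_str: str, env: Dict[str, Any]) -> Any:
    # The pre-fix pattern from the advisory: whatever the string says, runs.
    return eval(type_str, {"__builtins__": {}}, env)


def find_call_opcode(type_str: str) -> Optional[str]:
    """Return the first CALL* opcode in the compiled expression, or None.

    Matching the substring "CALL" covers CALL_FUNCTION / CALL_METHOD
    (3.8-3.10), PRECALL / CALL (3.11+), CALL_KW, CALL_FUNCTION_EX and
    CALL_INTRINSIC_*; it is deliberately conservative, so a few harmless
    forms may be rejected along with every real call.
    """
    code = compile(type_str, "<type-annotation>", mode="eval")
    for insn in dis.get_instructions(code):
        if "CALL" in insn.opname:
            return insn.opname
    return None


def is_safe_type_string(type_str: str) -> bool:
    return find_call_opcode(type_str) is None


def eval_no_call(type_str: str, env: Dict[str, Any]) -> Any:
    """Evaluate `type_str` only if its bytecode performs no call."""
    opname = find_call_opcode(type_str)
    if opname is not None:
        raise UnsafeTypeString(f"{type_str!r} contains a call ({opname})")
    # Builtins are emptied so bare names resolve only through `env`.
    return eval(type_str, {"__builtins__": {}}, env)


# Constructed sample env: legitimate type names plus `len`, to show what an
# unchecked eval lets through.
SAMPLE_ENV: Dict[str, Any] = {
    "Tuple": Tuple, "List": List, "Optional": Optional,
    "int": int, "str": str, "len": len,
}
```

Subscripting and attribute access on the objects in `env` still invoke their dunder methods, so the check bounds what the string itself can call, not what the objects it names do; keep `env` limited to the type names the parser actually needs.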


Related news

GHSA-47fc-vmwq-366v: PyTorch vulnerable to arbitrary code execution

In PyTorch before trunk/89695, torch.jit.annotations.parse_type_line can cause arbitrary code execution because eval is used unsafely. The fix for this issue is planned to be released in version 1.13.1, there is a release checker in issue #89855.
