Source: pytorch Version: 2.1.2+dfsg-4 Severity: grave Tags: security upstream Justification: user security hole X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi, The following vulnerability was published for pytorch. CVE-2024-5480[0]: | A vulnerability in the PyTorch's torch.distributed.rpc framework, | specifically in versions prior to 2.2.2, allows for remote code | execution (RCE). The framework, which is used in distributed | training scenarios, does not properly verify the functions being | called during RPC (Remote Procedure Call) operations. This oversight | permits attackers to execute arbitrary commands by leveraging built- | in Python functions such as eval during multi-cpu RPC communication. | The vulnerability arises from the lack of restriction on function | calls when a worker node serializes and sends a PythonUDF (User | Defined Function) to the master node, which then deserializes and | executes the function without validation. This flaw can be exploited | to compromise master nodes initiating distributed training, | potentially leading to the theft of sensitive AI-related data. Looking at the changes up to 2.2.2 upstream it is not clear to me where it has been fixed. It might be possible that it's still unfixed in that tagged version (i.e. do not trust CVE descriptions). Can you double-check this? If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2024-5480 https://www.cve.org/CVERecord?id=CVE-2024-5480 [1] https://huntr.com/bounties/39811836-c5b3-4999-831e-46fee8fcade3 Please adjust the affected versions in the BTS as needed. Regards, Salvatore