authorThomas Gerbet <thomas@gerbet.me>2023-01-07 13:50:10 +0100
committerGitHub <noreply@github.com>2023-01-07 13:50:10 +0100
commit8ff8e38a00ce2bba990cf4823f643d23d1f51dfa (patch)
tree3f2104a08d36d89a3e593063f61980eabef044e9
parented29b4016549201ed16fdbd54f7492fab83ed992 (diff)
parentfdf125db2a6de93d4f5b207d77b89b1cb09d2ceb (diff)
Merge pull request #207621 from risicle/ris-pytorch-CVE-2022-45907-r22.11
[22.11] python3Packages.torch, torch-bin: add patch for CVE-2022-45907
-rw-r--r--pkgs/development/python-modules/torch/bin.nix36
-rw-r--r--pkgs/development/python-modules/torch/default.nix8
2 files changed, 43 insertions, 1 deletions
diff --git a/pkgs/development/python-modules/torch/bin.nix b/pkgs/development/python-modules/torch/bin.nix
index ac83f1015726..f683d69f644a 100644
--- a/pkgs/development/python-modules/torch/bin.nix
+++ b/pkgs/development/python-modules/torch/bin.nix
@@ -1,6 +1,7 @@
{ lib, stdenv
, buildPythonPackage
, fetchurl
+, fetchpatch
, isPy37
, isPy38
, isPy39
@@ -14,6 +15,8 @@
, requests
, setuptools
, typing-extensions
+, unzip
+, zip
}:
let
@@ -33,9 +36,42 @@ in buildPythonPackage {
src = fetchurl srcs."${stdenv.system}-${pyVerNoDot}" or unsupported;
+ patches = [
+ (fetchpatch {
+ name = "CVE-2022-45907.patch";
+ url = "https://github.com/pytorch/pytorch/commit/74a9ca993bd79f8131829e9c946657fa9a1d05ef.patch";
+ # luckily the fix itself is confined to a single
+ # python file provided as source in the wheel, so
+ # we can patch it despite this nominally being a
+ # binary package
+ includes = [ "torch/jit/annotations.py" ];
+ sha256 = "sha256-KpLeuyF06hSeFeTncoYStIWsB8qv1b1X/ntPR59Xr1g=";
+ })
+ ];
+ # extract wheel, run normal patch phase, repack wheel.
+ # effectively a "wheelPatchPhase". not a normal thing
+ # to do but needs must.
+ patchPhase = ''
+ wheelFile="$(realpath -s dist/*.whl)"
+ pushd "$(mktemp -d)"
+
+ unzip -q "$wheelFile"
+
+ patchPhase
+
+ newZip="$(mktemp -d)"/new.zip
+ zip -rq "$newZip" *
+ rm -rf "$wheelFile"
+ cp "$newZip" "$wheelFile"
+
+ popd
+ '';
+
nativeBuildInputs = [
addOpenGLRunpath
patchelf
+ unzip
+ zip
];
propagatedBuildInputs = [
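Review bot: Repacking the patched tree with `zip -rq "$newZip" *` leaves the wheel's RECORD file stale, because the hash it records for torch/jit/annotations.py no longer matches the patched content; pip does not appear to verify RECORD on install, so the build presumably still works, but a comment such as `# RECORD still lists the pre-patch hash of annotations.py; pip does not verify it on install` would spare the next reader that investigation. The unquoted `*` also omits dot-prefixed entries at the wheel root, which is harmless for a standard wheel layout but worth a word. The `rm -rf "$wheelFile"` followed by `cp "$newZip" "$wheelFile"` could be a single `mv "$newZip" "$wheelFile"`. The inner `patchPhase` call reads as recursion at first glance; as I understand stdenv it invokes the setup.sh shell function rather than this string, and a one-line comment saying so would make the "wheelPatchPhase" trick clearer.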
diff --git a/pkgs/development/python-modules/torch/default.nix b/pkgs/development/python-modules/torch/default.nix
index 2c619f46ac37..88469deb1e74 100644
--- a/pkgs/development/python-modules/torch/default.nix
+++ b/pkgs/development/python-modules/torch/default.nix
@@ -143,7 +143,13 @@ in buildPythonPackage rec {
hash = "sha256-8378BVOBFCRYRG1+yIYFSPKmb1rFOLgR+8pNZKt9NfI=";
};
- patches = lib.optionals (stdenv.isDarwin && stdenv.isx86_64) [
+ patches = [
+ (fetchpatch {
+ name = "CVE-2022-45907.patch";
+ url = "https://github.com/pytorch/pytorch/commit/74a9ca993bd79f8131829e9c946657fa9a1d05ef.patch";
+ sha256 = "sha256-cnZBu7rcbCJJ/o8de1jGsquoeBAFg98PQNgSeeSehCU=";
+ })
+ ] ++ lib.optionals (stdenv.isDarwin && stdenv.isx86_64) [
# pthreadpool added support for Grand Central Dispatch in April
# 2020. However, this relies on functionality (DISPATCH_APPLY_AUTO)
# that is available starting with macOS 10.13. However, our current