1- From 3667d980becce3b499b5e2fee4a3d94694fb7d3a Mon Sep 17 00:00:00 2001
2- From: AllSpark <allspark@microsoft.com>
3- Date: Thu, 9 Apr 2026 09:28:45 +0000
4- Subject: [PATCH] Backport security improvements for ONNX external data
5- handling: canonical containment, symlink rejection, O_NOFOLLOW usage, and
6- hardlink checks in C++ and Python paths; update tests accordingly.
1+ From cd7dfb063086cf64b14a0e421bce2b42a5bdb94b Mon Sep 17 00:00:00 2001
2+ From: Aninda <v-anipradhan@microsoft.com>
3+ Date: Sun, 12 Apr 2026 17:20:17 -0400
4+ Subject: [PATCH] Address CVE-2026-34446
75
8- Upstream-reference: https://github.com/onnx/onnx/commit/4755f8053928dce18a61db8fec71b69c74f786cb.patch
9-
10- Note: The original patch authored by AllSpark was backported by Aninda <v-anipradhan@microsoft.com> to apply to version 2.0.0 of PyTorch on Azure Linux.
116---
12- third_party/onnx/onnx/checker.cc | 41 ++++++++++
7+ third_party/onnx/onnx/checker.cc | 51 ++ ++++++++++
138 third_party/onnx/onnx/external_data_helper.py | 81 ++++++++++++++++++-
14- 2 files changed, 121 insertions(+), 1 deletion(-)
9+ 2 files changed, 131 insertions(+), 1 deletion(-)
1510
1611diff --git a/third_party/onnx/onnx/checker.cc b/third_party/onnx/onnx/checker.cc
17- index 38a068dd..13eedf3c 100644
12+ index 38a068dd..6cd54397 100644
1813--- a/third_party/onnx/onnx/checker.cc
1914+++ b/third_party/onnx/onnx/checker.cc
20- @@ -20,6 +20,7 @@
15+ @@ -20,6 +20,17 @@
2116
2217 #else // POSIX
2318 #include <sys/stat.h>
24- + #include <filesystem>
19+ +
20+ + #if __has_include(<filesystem>) && defined(__cpp_lib_filesystem)
21+ + #include <filesystem>
22+ + namespace fs = std::filesystem;
23+ + #elif __has_include(<experimental/filesystem>)
24+ + #include <experimental/filesystem>
25+ + namespace fs = std::experimental::filesystem;
26+ + #else
27+ + #error "No filesystem support available"
28+ + #endif
29+ +
2530 #endif
2631
2732 namespace ONNX_NAMESPACE {
28- @@ -1012,7 +1013 ,47 @@ std::string resolve_external_data_location(
33+ @@ -1012,7 +1023 ,47 @@ std::string resolve_external_data_location(
2934 location,
3035 "' points outside the directory");
3136 }
@@ -36,7 +41,7 @@ index 38a068dd..13eedf3c 100644
3641 std::string data_path = path_join(base_dir, relative_path);
3742+ if (!data_path.empty() && data_path[0] != '#') {
3843+ std::error_code ec;
39- + auto canonical_base = std::filesystem::weakly_canonical(std::filesystem ::path(base_dir), ec);
44+ + auto canonical_base = fs::canonical(fs ::path(base_dir), ec);
4045+ if (ec) {
4146+ fail_check(
4247+ "Data of TensorProto ( tensor name: ",
@@ -45,7 +50,7 @@ index 38a068dd..13eedf3c 100644
4550+ location,
4651+ ", but the model directory path could not be resolved.");
4752+ }
48- + auto canonical_data = std::filesystem::weakly_canonical(std::filesystem ::path(data_path), ec);
53+ + auto canonical_data = fs::canonical(fs ::path(data_path), ec);
4954+ if (ec) {
5055+ fail_check(
5156+ "Data of TensorProto ( tensor name: ",
@@ -56,8 +61,8 @@ index 38a068dd..13eedf3c 100644
5661+ }
5762+ auto canonical_base_native = canonical_base.native();
5863+ auto canonical_data_native = canonical_data.native();
59- + if (!canonical_base_native.empty() && canonical_base_native.back() != std::filesystem ::path::preferred_separator) {
60- + canonical_base_native += std::filesystem ::path::preferred_separator;
64+ + if (!canonical_base_native.empty() && canonical_base_native.back() != fs ::path::preferred_separator) {
65+ + canonical_base_native += fs ::path::preferred_separator;
6166+ }
6267+ if (canonical_data_native.find(canonical_base_native) != 0) {
6368+ fail_check(