Patch for CVE-2026-34445, CVE-2026-34446

aninda-al · aninda-al · commit 5b246109f0df · 2026-04-15T16:48:26.000-04:00
diff --git a/SPECS/pytorch/CVE-2026-34445.patch b/SPECS/pytorch/CVE-2026-34445.patch
@@ -0,0 +1,153 @@
+From a3ac7f97a0dacdbc4df51322541cb4b1d063fe12 Mon Sep 17 00:00:00 2001
+From: AllSpark <allspark@microsoft.com>
+Date: Thu, 9 Apr 2026 09:13:59 +0000
+Subject: [PATCH] Security hardening for external_data: whitelist keys,
+ parse-time bounds, file-size validation; warnings; export constants
+
+Upstream-reference: https://github.com/onnx/onnx/commit/e30c6935d67cc3eca2fa284e37248e7c0036c46b.patch
+Note: The original patch authored by AllSpark was backported by Aninda <v-anipradhan@microsoft.com> to apply to version 2.0.0 of PyTorch on Azure Linux.
+
+---
+ third_party/onnx/onnx/external_data_helper.py | 102 ++++++++++++++++--
+ 1 file changed, 91 insertions(+), 11 deletions(-)
+
+diff --git a/third_party/onnx/onnx/external_data_helper.py b/third_party/onnx/onnx/external_data_helper.py
+index 6763b11d..27a0a407 100644
+--- a/third_party/onnx/onnx/external_data_helper.py
++++ b/third_party/onnx/onnx/external_data_helper.py
+@@ -3,12 +3,65 @@ import os
+ import re
+ import sys
+ import uuid
++import warnings
+ from itertools import chain
+-from typing import Callable, Iterable, Optional
++from typing import Callable, Iterable, Optional, IO
+  
+ import onnx.onnx_cpp2py_export.checker as c_checker
+ from .onnx_pb import AttributeProto, GraphProto, ModelProto, TensorProto
+ 
++# Security: 3-layer defense against malicious external_data entries (GHSA-538c-55jv-c5g9)
++#
++# Layer 1 (here) — Attribute whitelist: Only spec-defined keys are accepted.
++#   Unknown keys are warned and ignored, preventing arbitrary attribute injection (CWE-915).
++#
++# Layer 2 (ExternalDataInfo.__init__) — Bounds validation: offset and length must be
++#   non-negative integers. Catches invalid values at parse time (CWE-400).
++#
++# Layer 3 (load_external_data_for_tensor) — File-size validation: offset and length are
++#   checked against actual file size before reading. This is the critical safety net that
++#   prevents memory exhaustion regardless of how the model was constructed (CWE-400).
++#
++# 'basepath' is included because set_external_data() writes it to protobuf entries;
++# it must survive save/load round-trips.
++_ALLOWED_EXTERNAL_DATA_KEYS = frozenset({"location", "offset", "length", "checksum", "basepath"})
++_SORTED_ALLOWED_KEYS = sorted(_ALLOWED_EXTERNAL_DATA_KEYS)
++_MAX_UNKNOWN_KEYS_IN_WARNING = 10
++
++
++def _validate_external_data_file_bounds(
++    data_file: IO[bytes],
++    info: ExternalDataInfo,
++    tensor_name: str,
++) -> bytes:
++    """Validate offset/length against actual file size and read data.
++
++    Layer 3 defense-in-depth (CWE-400): prevents memory exhaustion even if the
++    model was crafted via direct protobuf APIs that bypass Python parsing.
++
++    Returns the raw bytes read from the file.
++    """
++    file_size = os.fstat(data_file.fileno()).st_size
++
++    if info.offset is not None:
++        if info.offset > file_size:
++            raise ValueError(
++                f"External data offset ({info.offset}) exceeds file size ({file_size}) for tensor {tensor_name!r}"
++            )
++        data_file.seek(info.offset)
++
++    if info.length is not None:
++        read_start = info.offset if info.offset is not None else 0
++        available = file_size - read_start
++        if info.length > available:
++            raise ValueError(
++                f"External data length ({info.length}) exceeds available data ({available} bytes from offset {read_start}) for tensor {tensor_name!r}"
++            )
++        return data_file.read(info.length)
++    return data_file.read()
++
++_MAX_KEY_DISPLAY_LENGTH = 100
++
+ 
+ class ExternalDataInfo:
+     def __init__(self, tensor: TensorProto) -> None:
+@@ -18,14 +71,45 @@ class ExternalDataInfo:
+         self.checksum = None
+         self.basepath = ""
+ 
++        unknown_keys: set[str] = set()
++        unknown_key_count = 0
+         for entry in tensor.external_data:
+-            setattr(self, entry.key, entry.value)
++            # Layer 1: reject unknown keys (CWE-915 defense-in-depth)
++            if entry.key in _ALLOWED_EXTERNAL_DATA_KEYS:
++                setattr(self, entry.key, entry.value)
++            else:
++                unknown_key_count += 1
++                if len(unknown_keys) < _MAX_UNKNOWN_KEYS_IN_WARNING:
++                    truncated = entry.key[:_MAX_KEY_DISPLAY_LENGTH]
++                    if len(entry.key) > _MAX_KEY_DISPLAY_LENGTH:
++                        truncated += "..."
++                    unknown_keys.add(truncated)
++
++        if unknown_keys:
++            shown = sorted(unknown_keys)
++            extra = unknown_key_count - len(shown)
++            key_list = repr(shown)
++            if extra > 0:
++                key_list += f" and {extra} more"
++            warnings.warn(
++                f"Ignoring unknown external data key(s) {key_list} for tensor {tensor.name!r}. "
++                f"Allowed keys: {_SORTED_ALLOWED_KEYS}",
++                stacklevel=2,
++            )
+ 
+-        if self.offset:
++        if self.offset is not None:
+             self.offset = int(self.offset)
++            if self.offset < 0:
++                raise ValueError(
++                    f"External data offset must be non-negative, got {self.offset} for tensor {tensor.name!r}"
++                )
+ 
+-        if self.length:
++        if self.length is not None:
+             self.length = int(self.length)
++            if self.length < 0:
++                raise ValueError(
++                    f"External data length must be non-negative, got {self.length} for tensor {tensor.name!r}"
++                )
+ 
+ 
+ def load_external_data_for_tensor(tensor: TensorProto, base_dir: str) -> None:
+@@ -42,13 +126,9 @@ def load_external_data_for_tensor(tensor: TensorProto, base_dir: str) -> None:
+         base_dir, info.location, tensor.name
+     )
+     with open(external_data_file_path, "rb") as data_file:
+-        if info.offset:
+-            data_file.seek(info.offset)
+-
+-        if info.length:
+-            tensor.raw_data = data_file.read(info.length)
+-        else:
+-            tensor.raw_data = data_file.read()
++        tensor.raw_data = _validate_external_data_file_bounds(
++            data_file, info, tensor.name
++        )
+ 
+ 
+ def load_external_data_for_model(model: ModelProto, base_dir: str) -> None:
+-- 
+2.34.1
+
diff --git a/SPECS/pytorch/pytorch.spec b/SPECS/pytorch/pytorch.spec
@@ -2,7 +2,7 @@
 Summary:        Tensors and Dynamic neural networks in Python with strong GPU acceleration.
 Name:           pytorch
 Version:        2.0.0
-Release:        15%{?dist}
+Release:        16%{?dist}
 License:        BSD-3-Clause
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -25,6 +25,8 @@ Patch10:        CVE-2025-55560.patch
 Patch11:        CVE-2025-3001.patch
 Patch12:        CVE-2026-24747.patch
 Patch13:        CVE-2026-0994.patch
+Patch14:        CVE-2026-34445.patch
+Patch15:        CVE-2026-34446.patch
 
 BuildRequires:  cmake
 BuildRequires:  gcc
@@ -97,6 +99,9 @@ cp -arf docs %{buildroot}/%{_pkgdocdir}
 %{_docdir}/*
 
 %changelog
+* Mon Apr 13 2026 Aninda Pradhan <v-anipradhan@microsoft.com> - 2.0.0-16
+- Patch for CVE-2026-34445, CVE-2026-34446
+
 * Thu Mar 05 2026 Kanishk Bansal <kanbansal@microsoft.com> - 2.0.0-15
 - Remove typing_extensions.override usage from CVE-2026-24747 patch to fix
   ImportError with typing_extensions 4.2.0 (override requires >= 4.4.0)
