Bug#1070379: pytorch: CVE-2024-31580 CVE-2024-31583 CVE-2024-31584

[Moritz Mühlenhoff <jmm@inutil.org>]

Source: pytorch
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for pytorch.

CVE-2024-31580[0]:
| PyTorch before v2.2.0 was discovered to contain a heap buffer
| overflow vulnerability in the component
| /runtime/vararg_functions.cpp. This vulnerability allows attackers
| to cause a Denial of Service (DoS) via a crafted input.

https://github.com/pytorch/pytorch/commit/b5c3a17c2c207ebefcb85043f0cf94be9b2fef81

CVE-2024-31583[1]:
| Pytorch before version v2.2.0 was discovered to contain a use-after-
| free vulnerability in torch/csrc/jit/mobile/interpreter.cpp.

https://github.com/pytorch/pytorch/commit/9c7071b0e324f9fb68ab881283d6b8d388a4bcd2

CVE-2024-31584[2]:
| Pytorch before v2.2.0 has an Out-of-bounds Read vulnerability via
| the component torch/csrc/jit/mobile/flatbuffer_loader.cpp.

https://github.com/pytorch/pytorch/commit/7c35874ad664e74c8e4252d67521f3986eadb0e6


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-31580
    https://www.cve.org/CVERecord?id=CVE-2024-31580
[1] https://security-tracker.debian.org/tracker/CVE-2024-31583
    https://www.cve.org/CVERecord?id=CVE-2024-31583
[2] https://security-tracker.debian.org/tracker/CVE-2024-31584
    https://www.cve.org/CVERecord?id=CVE-2024-31584

Please adjust the affected versions in the BTS as needed.