Bug#1070379: pytorch: CVE-2024-31580 CVE-2024-31583 CVE-2024-31584
Source: pytorch
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerabilities were published for pytorch.
CVE-2024-31580[0]:
| PyTorch before v2.2.0 was discovered to contain a heap buffer
| overflow vulnerability in the component
| /runtime/vararg_functions.cpp. This vulnerability allows attackers
| to cause a Denial of Service (DoS) via a crafted input.
https://github.com/pytorch/pytorch/commit/b5c3a17c2c207ebefcb85043f0cf94be9b2fef81
CVE-2024-31583[1]:
| Pytorch before version v2.2.0 was discovered to contain a use-after-
| free vulnerability in torch/csrc/jit/mobile/interpreter.cpp.
https://github.com/pytorch/pytorch/commit/9c7071b0e324f9fb68ab881283d6b8d388a4bcd2
CVE-2024-31584[2]:
| Pytorch before v2.2.0 has an Out-of-bounds Read vulnerability via
| the component torch/csrc/jit/mobile/flatbuffer_loader.cpp.
https://github.com/pytorch/pytorch/commit/7c35874ad664e74c8e4252d67521f3986eadb0e6
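All three advisories above name the same fixed release (v2.2.0), so a single version gate tells an administrator whether an installed PyTorch still carries any of them. The following script is an added example, not part of this bug report, of PyTorch, or of the linked fix commits. It assumes only the standard library and implements a small PEP 440 subset itself (release segment, optional pre-release or dev tag, optional local label such as `+cu118`), so it runs without the `packaging` module; pre-release builds of 2.2.0 are treated as unfixed because they sort before the final release.

```python
"""Version gate for CVE-2024-31580, CVE-2024-31583 and CVE-2024-31584.

Added example, not part of the Debian bug report or of PyTorch itself.
All three advisories name the same fixed release (v2.2.0), so one check
covers them. The parser is a deliberately small PEP 440 subset
(assumption: release segment, optional pre-release tag, optional dev
tag, optional local label) so that it needs only the standard library.
"""
import re

FIXED_IN = (2, 2, 0)
CVES = ("CVE-2024-31580", "CVE-2024-31583", "CVE-2024-31584")

_VERSION_RE = re.compile(
    r"^(?P<release>\d+(?:\.\d+)*)"        # 2.1.2
    r"(?P<pre>(?:a|b|rc)\d+)?"            # optional pre-release: a0, rc1
    r"(?P<dev>\.dev\d+)?"                 # optional dev tag: .dev20231201
    r"(?:\+(?P<local>[0-9A-Za-z.]+))?$"   # optional local label: +cu118
)


def parse_version(text: str):
    """Return (release_tuple, is_prerelease); raise ValueError if unparsable."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    release = tuple(int(p) for p in m.group("release").split("."))
    # Pad to three components so that "2.2" compares equal to "2.2.0".
    release = release + (0,) * (3 - len(release))
    is_pre = m.group("pre") is not None or m.group("dev") is not None
    return release, is_pre


def is_affected(version_text: str) -> bool:
    """True when the given PyTorch version predates the v2.2.0 fix.

    Pre-release and dev builds of 2.2.0 itself (2.2.0a0, 2.2.0rc1,
    2.2.0.dev...) sort before the final release under PEP 440, so they
    are reported as unfixed. A local label such as +cu118 does not
    change the ordering.
    """
    release, is_pre = parse_version(version_text)
    if release[:3] < FIXED_IN:
        return True
    if release[:3] == FIXED_IN and is_pre:
        return True
    return False


def report(version_text: str) -> list:
    """CVE ids from this bug that apply to the version (empty when fixed)."""
    return list(CVES) if is_affected(version_text) else []


if __name__ == "__main__":
    try:
        import torch  # present only where PyTorch is installed
        installed = torch.__version__
    except ImportError:
        installed = "2.1.2+cu118"  # constructed sample value for offline use
    print(installed, report(installed))
```

Run it inside the environment whose PyTorch you want to check; without PyTorch installed it falls back to a constructed sample string so the logic can still be exercised.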
If you fix the vulnerabilities, please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-31580
https://www.cve.org/CVERecord?id=CVE-2024-31580
[1] https://security-tracker.debian.org/tracker/CVE-2024-31583
https://www.cve.org/CVERecord?id=CVE-2024-31583
[2] https://security-tracker.debian.org/tracker/CVE-2024-31584
https://www.cve.org/CVERecord?id=CVE-2024-31584
Please adjust the affected versions in the BTS as needed.