[MEDIUM] Patch pytorch for CVE-2025-2953

[archana25-ms]

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

• The toolchain has been rebuilt successfully (or no changes were made to it)
• The toolchain/worker package manifests are up-to-date
• Any updated packages successfully build (or no packages were changed)
• Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
• Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
• All package sources are available
• cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
• LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
• All source files have up-to-date hashes in the *.signatures.json files
• sudo make go-tidy-all and sudo make go-test-coverage pass
• Documentation has been updated to match any changes to the build system
• Ready to merge

---

Summary

What does the PR accomplish, why was it needed?
Patch pytorch for CVE-2025-2953

Change Log

• SPECS/pytorch/CVE-2025-2953.patch
• SPECS/pytorch/pytorch.spec

Does this affect the toolchain?

NO

Associated issues

• #xxxx

Links to CVEs

• https://nvd.nist.gov/vuln/detail/CVE-2025-2953

Test Methodology

• Pipeline build id: xxxx

[kgodara912]

The upstream reference has a test case for the scenario exploited to avoid future occurrences of the issue. Any reason for omitting that as we have the test file present in Azure Linux distribution?

Buddy Build

[archana25-ms]

The upstream reference has a test case for the scenario exploited to avoid future occurrences of the issue. Any reason for omitting that as we have the test file present in Azure Linux distribution?

Buddy Build

I had verified the rpm contents to see that we donot ship test_mkldnn.py in Azure Linux

Also, Astrolabe's deepscan results doesn't show the scan results for test file.
Hence have omitted the patch for test file.

[kgodara912]

That is correct that we do not ship the test files, but we do test internally by running %check section in our spec files. The purpose of test file changes is to ensure that tomorrow someone should not change the same code and introduce issue again. Test files are there for correctness of source code and not for shipments. Please include test files for better testing coverage.

[kgodara912]

Buddy build. It seems that patch doesn't apply cleanly on 2.0 dev branch. Please check if the test file change is trivial to fix, else we can revert back to original patch for CVE fix for 2.0-dev.

time="2025-05-12T15:40:48Z" level=debug msg="+ /usr/lib/rpm/rpmuncompress /usr/src/mariner/SOURCES/CVE-2025-2953.patch"
time="2025-05-12T15:40:48Z" level=debug msg="+ /bin/patch -p1 -s --fuzz=0 --no-backup-if-mismatch -f"
time="2025-05-12T15:40:48Z" level=debug msg="1 out of 1 hunk FAILED -- saving rejects to file test/test_mkldnn.py.rej"

[archana25-ms]

Buddy build. It seems that patch doesn't apply cleanly on 2.0 dev branch. Please check if the test file change is trivial to fix, else we can revert back to original patch for CVE fix for 2.0-dev.

time="2025-05-12T15:40:48Z" level=debug msg="+ /usr/lib/rpm/rpmuncompress /usr/src/mariner/SOURCES/CVE-2025-2953.patch"
time="2025-05-12T15:40:48Z" level=debug msg="+ /bin/patch -p1 -s --fuzz=0 --no-backup-if-mismatch -f"
time="2025-05-12T15:40:48Z" level=debug msg="1 out of 1 hunk FAILED -- saving rejects to file test/test_mkldnn.py.rej"

Modified patch. Please verify

[kgodara912]

Buddy build. The patch matches with reference patch. LGTM.

[Kanishk-Bansal]

• patch applied during the build (check rpm.log)
• patch include an upstream reference
• PR has security tag