Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bump min torch to 1.13.1 to mitigate CVE-2022-45907 unsafe usage of eval #8296

Open
wants to merge 1 commit into
base: dev
Choose a base branch
from
Open

Bump min torch to 1.13.1 to mitigate CVE-2022-45907 unsafe usage of eval #8296

wants to merge 1 commit into from
+54 −561

Conversation

jamesobutler
Copy link
Contributor

@jamesobutler jamesobutler commented Jan 12, 2025
edited
Loading

Description

This bumps the minimum required torch version from 1.9.0 to 1.13.1.

See GHSA-47fc-vmwq-366v for more details such as the highest severity scoring of "Critical".

Maintainers will need to update the required status checks for the dev branch to:

  • Remove min-dep-pytorch (1.10.2)
  • Remove min-dep-pytorch (1.11.0)
  • Remove min-dep-pytorch (1.12.1)
  • Remove min-dep-pytorch (1.13)
  • Add min-dep-pytorch (1.13.1)

cc: @KumoLiu

Types of changes

  • Breaking change (fix or new feature that would cause existing functionality to change). (drop of older torch versions)
  • Integration tests passed locally by running ./runtests.sh -f -u --net --coverage.
  • Quick tests passed locally by running ./runtests.sh --quick --unittests --disttests.

@jamesobutler jamesobutler force-pushed the bump-torch-minimum branch 2 times, most recently from 4a4f746 to f406fed Compare January 12, 2025 23:15
@jamesobutler jamesobutler changed the title Bump torch to 1.13.1 to mitigate CVE-2022-45907 unsafe usage of eval Bump min torch to 1.13.1 to mitigate CVE-2022-45907 unsafe usage of eval Jan 12, 2025
@KumoLiu KumoLiu requested review from ericspod and Nic-Ma January 13, 2025 02:56
@KumoLiu
Copy link
Contributor

KumoLiu commented Jan 13, 2025

Thanks @jamesobutler for the contribution!

The PR overall looks good to me. @ericspod and @Nic-Ma, do you have any concern on this pr. For vulnerability reasons, we should indeed drop the pre-1.13.1 version of pytorch, do you have any concerns, because the PR will introduce some compatibility issues and remove some support for earlier versions. If you guys have no problems, I'll help further refine this PR as well as the updated Blossom CI (GPU testing happens over there).
Let me know if you have any concern here! Thanks.

@ericspod
Copy link
Member

Thanks @jamesobutler for the contribution!

The PR overall looks good to me. @ericspod and @Nic-Ma, do you have any concern on this pr. For vulnerability reasons, we should indeed drop the pre-1.13.1 version of pytorch, do you have any concerns, because the PR will introduce some compatibility issues and remove some support for earlier versions. If you guys have no problems, I'll help further refine this PR as well as the updated Blossom CI (GPU testing happens over there). Let me know if you have any concern here! Thanks.

Thanks as well @jamesobutler. I think we should discuss internally what this implies because it's dropping support for a number of Pytorch versions. We should be refining what our policy is about when to drop versions, we do this for Python in that we drop non-supported versions but there's no sunset period defined by Pytorch for theirs (as far as I know). Honestly we could probably drop all of Pytorch 1.* and very few users would be impacted. Let's keep working on this either way.

@jamesobutler
Copy link
Contributor Author

jamesobutler commented Jan 13, 2025
edited
Loading

but there's no sunset period defined by Pytorch for theirs (as far as I know).

@ericspod Reviewing the PyTorch release history, the last time maintainers released a patch release out-of-order was when they released version 1.8.2 on August 17th 2021 which was after version 1.9.0 which was released June 15th 2021. This was part of the "PyTorch Enterprise Support Program". However that program only lasted about a 1.5 years as on November 10th 2022 they ended it. See this blog post https://pytorch.org/blog/pytorch-enterprise-support-update/. So therefore PyTorch versions become unmaintained whenever a new major/minor release version comes out. They do not have LTS support or issue patch releases for multiple minor versions.

Honestly we could probably drop all of Pytorch 1.* and very few users would be impacted. Let's keep working on this either way.

I issued this PR to bump the torch version to mitigate "Critical" scored vulnerability issues and see how the monai team would respond. If this was going to be integrated, I was planning to issue a follow-up PR with the proposal to bump the minimum torch version to version 2.2.0 to mitigate "High" scored vulnerabilities (CVE-2024-31580, CVE-2024-31583). It would be my recommendation that monai not use torch versions with vulnerabilities listed as High or Critical. Once the minimum torch version is set to 2.2.0 there would be no more High or Critical published vulnerabilities (or any vulnerabilities listed at any scoring level for that matter) affecting the torch versions used by monai. See Snyk's reporting of each torch version:

https://security.snyk.io/package/pip/torch
{5902F2D5-4381-4F24-A297-55893217D354}

Other unrelated considerations to keep in mind if bumping minimum torch version beyond 2.2.0:
torch 2.3.0 drops binary publishing for macOS x64.
torch 2.3.0 is the first version that is compatible with both numpy 1 and numpy 2 (provides the most flexibility with other monai dependencies)

@ericspod ericspod mentioned this pull request Jan 17, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ericspod ericspod Awaiting requested review from ericspod

@Nic-Ma Nic-Ma Awaiting requested review from Nic-Ma

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@jamesobutler @KumoLiu @ericspod