azurelinux-security
diff --git a/‎SPECS/keras/CVE-2025-8747.patch‎
Lines changed: 378 additions & 0 deletions b/‎SPECS/keras/CVE-2025-8747.patch‎
Lines changed: 378 additions & 0 deletions
@@ -0,0 +1,378 @@
+From eec0ac4143c01736700e50c87112d8687e1cc151 Mon Sep 17 00:00:00 2001
+From: hertschuh <[email protected]>
+Date: Mon, 23 Jun 2025 18:36:47 -0700
+Subject: [PATCH 1/2] Disable loading functions within deserialization.
+ (#21412)
+
+Upstream source link: https://github.com/keras-team/keras/commit/3d6022ab4b79367911cede68a550bfd5b61e2f6d.patch
+
+Loading files while loading a model is not allowed.
+---
+ keras/src/saving/serialization_lib.py | 35 +++++++++++++++++++++------
+ 1 file changed, 27 insertions(+), 8 deletions(-)
+
+diff --git a/keras/src/saving/serialization_lib.py b/keras/src/saving/serialization_lib.py
+index ed9f10b..1c47b70 100644
+--- a/keras/src/saving/serialization_lib.py
++++ b/keras/src/saving/serialization_lib.py
+@@ -18,14 +18,27 @@ from keras.src.utils.module_utils import tensorflow as tf
+ PLAIN_TYPES = (str, int, float, bool)
+ 
+ # List of Keras modules with built-in string representations for Keras defaults
+-BUILTIN_MODULES = (
+-    "activations",
+-    "constraints",
+-    "initializers",
+-    "losses",
+-    "metrics",
+-    "optimizers",
+-    "regularizers",
++BUILTIN_MODULES = frozenset(
++    {
++        "activations",
++        "constraints",
++        "initializers",
++        "losses",
++        "metrics",
++        "optimizers",
++        "regularizers",
++    }
++)
++
++LOADING_APIS = frozenset(
++    {
++        "keras.models.load_model",
++        "keras.preprocessing.image.load_img",
++        "keras.saving.load_model",
++        "keras.saving.load_weights",
++        "keras.utils.get_file",
++        "keras.utils.load_img",
++    }
+ )
+ 
+ 
+@@ -765,6 +778,12 @@ def _retrieve_class_or_fn(
+         if module == "keras" or module.startswith("keras."):
+             api_name = module + "." + name
+ 
++            if api_name in LOADING_APIS:
++                raise ValueError(
++                    f"Cannot deserialize `{api_name}`, loading functions are "
++                    "not allowed during deserialization"
++                )
++
+             obj = api_export.get_symbol_from_name(api_name)
+             if obj is not None:
+                 return obj
+-- 
+2.34.1
+
+
+From d64692c8d18ea3a4a253159b3f25bc6c06cec6be Mon Sep 17 00:00:00 2001
+From: hertschuh <[email protected]>
+Date: Sun, 29 Jun 2025 10:32:40 -0700
+Subject: [PATCH 2/2] Only allow deserialization of `KerasSaveable`s by module
+ and name. (#21429)
+
+Upstream source link: https://github.com/keras-team/keras/commit/713172ab56b864e59e2aa79b1a51b0e728bba858.patch
+Backported by <[email protected]> for azurelinux
+
+Arbitrary functions and classes are not allowed.
+
+- Made `Operation` extend `KerasSaveable`, this required moving imports to avoid circular imports
+- `Layer` no longer need to extend `KerasSaveable` directly
+- Made feature space `Cross` and `Feature` extend `KerasSaveable`
+- Also dissallow public function `enable_unsafe_deserialization`
+---
+ keras/src/layers/layer.py                     |  3 +-
+ .../src/layers/preprocessing/feature_space.py | 11 ++++--
+ keras/src/legacy/saving/legacy_h5_format.py   |  5 ++-
+ keras/src/legacy/saving/saving_utils.py       |  8 +++--
+ keras/src/ops/operation.py                    |  6 +++-
+ keras/src/saving/saving_lib.py                | 35 +++++++++++++++----
+ keras/src/saving/serialization_lib.py         |  9 ++++-
+ 7 files changed, 61 insertions(+), 16 deletions(-)
+
+diff --git a/keras/src/layers/layer.py b/keras/src/layers/layer.py
+index 7d67339..e103cdb 100644
+--- a/keras/src/layers/layer.py
++++ b/keras/src/layers/layer.py
+@@ -36,7 +36,6 @@ from keras.src.distribution import distribution_lib
+ from keras.src.layers import input_spec
+ from keras.src.metrics.metric import Metric
+ from keras.src.ops.operation import Operation
+-from keras.src.saving.keras_saveable import KerasSaveable
+ from keras.src.utils import python_utils
+ from keras.src.utils import summary_utils
+ from keras.src.utils import traceback_utils
+@@ -57,7 +56,7 @@ else:
+ 
+ 
+ @keras_export(["keras.Layer", "keras.layers.Layer"])
+-class Layer(BackendLayer, Operation, KerasSaveable):
++class Layer(BackendLayer, Operation):
+     """This is the class from which all layers inherit.
+ 
+     A layer is a callable object that takes as input one or more tensors and
+diff --git a/keras/src/layers/preprocessing/feature_space.py b/keras/src/layers/preprocessing/feature_space.py
+index f66b032..a02dafc 100644
+--- a/keras/src/layers/preprocessing/feature_space.py
++++ b/keras/src/layers/preprocessing/feature_space.py
+@@ -5,12 +5,13 @@ from keras.src.api_export import keras_export
+ from keras.src.layers.layer import Layer
+ from keras.src.saving import saving_lib
+ from keras.src.saving import serialization_lib
++from keras.src.saving.keras_saveable import KerasSaveable
+ from keras.src.utils import backend_utils
+ from keras.src.utils.module_utils import tensorflow as tf
+ from keras.src.utils.naming import auto_name
+ 
+ 
+-class Cross:
++class Cross(KerasSaveable):
+     def __init__(self, feature_names, crossing_dim, output_mode="one_hot"):
+         if output_mode not in {"int", "one_hot"}:
+             raise ValueError(
+@@ -22,6 +23,9 @@ class Cross:
+         self.crossing_dim = crossing_dim
+         self.output_mode = output_mode
+ 
++    def _obj_type(self):
++        return "Cross"
++
+     @property
+     def name(self):
+         return "_X_".join(self.feature_names)
+@@ -38,7 +42,7 @@ class Cross:
+         return cls(**config)
+ 
+ 
+-class Feature:
++class Feature(KerasSaveable):
+     def __init__(self, dtype, preprocessor, output_mode):
+         if output_mode not in {"int", "one_hot", "float"}:
+             raise ValueError(
+@@ -54,6 +58,9 @@ class Feature:
+         self.preprocessor = preprocessor
+         self.output_mode = output_mode
+ 
++    def _obj_type(self):
++        return "Feature"
++
+     def get_config(self):
+         return {
+             "dtype": self.dtype,
+diff --git a/keras/src/legacy/saving/legacy_h5_format.py b/keras/src/legacy/saving/legacy_h5_format.py
+index 05f7cec..24b89bf 100644
+--- a/keras/src/legacy/saving/legacy_h5_format.py
++++ b/keras/src/legacy/saving/legacy_h5_format.py
+@@ -6,7 +6,6 @@ import numpy as np
+ from absl import logging
+ 
+ from keras.src import backend
+-from keras.src import optimizers
+ from keras.src.backend.common import global_state
+ from keras.src.legacy.saving import json_utils
+ from keras.src.legacy.saving import saving_options
+@@ -161,6 +160,8 @@ def load_model_from_hdf5(filepath, custom_objects=None, compile=True):
+             # Set optimizer weights.
+             if "optimizer_weights" in f:
+                 try:
++                    from keras.src import optimizers
++
+                     if isinstance(model.optimizer, optimizers.Optimizer):
+                         model.optimizer.build(model._trainable_variables)
+                     else:
+@@ -249,6 +250,8 @@ def save_optimizer_weights_to_hdf5_group(hdf5_group, optimizer):
+         hdf5_group: HDF5 group.
+         optimizer: optimizer instance.
+     """
++    from keras.src import optimizers
++
+     if isinstance(optimizer, optimizers.Optimizer):
+         symbolic_weights = optimizer.variables
+     else:
+diff --git a/keras/src/legacy/saving/saving_utils.py b/keras/src/legacy/saving/saving_utils.py
+index aec1078..525cd3d 100644
+--- a/keras/src/legacy/saving/saving_utils.py
++++ b/keras/src/legacy/saving/saving_utils.py
+@@ -4,11 +4,8 @@ import threading
+ from absl import logging
+ 
+ from keras.src import backend
+-from keras.src import layers
+ from keras.src import losses
+ from keras.src import metrics as metrics_module
+-from keras.src import models
+-from keras.src import optimizers
+ from keras.src import tree
+ from keras.src.legacy.saving import serialization
+ from keras.src.saving import object_registration
+@@ -49,6 +46,9 @@ def model_from_config(config, custom_objects=None):
+     global MODULE_OBJECTS
+ 
+     if not hasattr(MODULE_OBJECTS, "ALL_OBJECTS"):
++        from keras.src import layers
++        from keras.src import models
++
+         MODULE_OBJECTS.ALL_OBJECTS = layers.__dict__
+         MODULE_OBJECTS.ALL_OBJECTS["InputLayer"] = layers.InputLayer
+         MODULE_OBJECTS.ALL_OBJECTS["Functional"] = models.Functional
+@@ -129,6 +129,8 @@ def compile_args_from_training_config(training_config, custom_objects=None):
+         custom_objects = {}
+ 
+     with object_registration.CustomObjectScope(custom_objects):
++        from keras.src import optimizers
++
+         optimizer_config = training_config["optimizer_config"]
+         optimizer = optimizers.deserialize(optimizer_config)
+         # Ensure backwards compatibility for optimizers in legacy H5 files
+diff --git a/keras/src/ops/operation.py b/keras/src/ops/operation.py
+index 10b79d5..6c738f3 100644
+--- a/keras/src/ops/operation.py
++++ b/keras/src/ops/operation.py
+@@ -7,13 +7,14 @@ from keras.src import tree
+ from keras.src.api_export import keras_export
+ from keras.src.backend.common.keras_tensor import any_symbolic_tensors
+ from keras.src.ops.node import Node
++from keras.src.saving.keras_saveable import KerasSaveable
+ from keras.src.utils import python_utils
+ from keras.src.utils import traceback_utils
+ from keras.src.utils.naming import auto_name
+ 
+ 
+ @keras_export("keras.Operation")
+-class Operation:
++class Operation(KerasSaveable):
+     def __init__(self, dtype=None, name=None):
+         if name is None:
+             name = auto_name(self.__class__.__name__)
+@@ -272,6 +273,9 @@ class Operation:
+         else:
+             return values
+ 
++    def _obj_type(self):
++        return "Operation"
++
+     # Hooks for backend layer classes
+     def _post_build(self):
+         """Can be overridden for per backend post build actions."""
+diff --git a/keras/src/saving/saving_lib.py b/keras/src/saving/saving_lib.py
+index c16d2ff..e71e33b 100644
+--- a/keras/src/saving/saving_lib.py
++++ b/keras/src/saving/saving_lib.py
+@@ -12,14 +12,9 @@ import numpy as np
+ 
+ from keras.src import backend
+ from keras.src.backend.common import global_state
+-from keras.src.layers.layer import Layer
+-from keras.src.losses.loss import Loss
+-from keras.src.metrics.metric import Metric
+-from keras.src.optimizers.optimizer import Optimizer
+ from keras.src.saving.serialization_lib import ObjectSharingScope
+ from keras.src.saving.serialization_lib import deserialize_keras_object
+ from keras.src.saving.serialization_lib import serialize_keras_object
+-from keras.src.trainers.compile_utils import CompileMetrics
+ from keras.src.utils import file_utils
+ from keras.src.utils import naming
+ from keras.src.version import __version__ as keras_version
+@@ -773,32 +768,60 @@ def get_attr_skiplist(obj_type):
+     skiplist = [
+         "_self_unconditional_dependency_names",
+     ]
++    if obj_type == "Operation":
++        from keras.src.ops.operation import Operation
++
++        ref_obj = Operation()
++        skipset.update(dir(ref_obj))
+     if obj_type == "Layer":
++        from keras.src.layers.layer import Layer
++
+         ref_obj = Layer()
+         skiplist += dir(ref_obj)
+     elif obj_type == "Functional":
++        from keras.src.layers.layer import Layer
++
+         ref_obj = Layer()
+         skiplist += dir(ref_obj) + ["operations", "_operations"]
+     elif obj_type == "Sequential":
++        from keras.src.layers.layer import Layer
++
+         ref_obj = Layer()
+         skiplist += dir(ref_obj) + ["_functional"]
+     elif obj_type == "Metric":
++        from keras.src.metrics.metric import Metric
++        from keras.src.trainers.compile_utils import CompileMetrics
++
+         ref_obj_a = Metric()
+         ref_obj_b = CompileMetrics([], [])
+         skiplist += dir(ref_obj_a) + dir(ref_obj_b)
+     elif obj_type == "Optimizer":
++        from keras.src.optimizers.optimizer import Optimizer
++
+         ref_obj = Optimizer(1.0)
+         skiplist += dir(ref_obj)
+         skiplist.remove("variables")
+     elif obj_type == "Loss":
++        from keras.src.losses.loss import Loss
++
+         ref_obj = Loss()
+         skiplist += dir(ref_obj)
++    elif obj_type == "Cross":
++        from keras.src.layers.preprocessing.feature_space import Cross
++
++        ref_obj = Cross((), 1)
++        skipset.update(dir(ref_obj))
++    elif obj_type == "Feature":
++        from keras.src.layers.preprocessing.feature_space import Feature
++
++        ref_obj = Feature("int32", lambda x: x, "int")
++        skipset.update(dir(ref_obj))
+     else:
+         raise ValueError(
+             f"get_attr_skiplist got invalid {obj_type=}. "
+             "Accepted values for `obj_type` are "
+             "['Layer', 'Functional', 'Sequential', 'Metric', "
+-            "'Optimizer', 'Loss']"
++            "'Optimizer', 'Loss', 'Cross', 'Feature']"
+         )
+ 
+     global_state.set_global_attribute(
+diff --git a/keras/src/saving/serialization_lib.py b/keras/src/saving/serialization_lib.py
+index 1c47b70..e680d04 100644
+--- a/keras/src/saving/serialization_lib.py
++++ b/keras/src/saving/serialization_lib.py
+@@ -12,6 +12,7 @@ from keras.src import backend
+ from keras.src.api_export import keras_export
+ from keras.src.backend.common import global_state
+ from keras.src.saving import object_registration
++from keras.src.saving.keras_saveable import KerasSaveable
+ from keras.src.utils import python_utils
+ from keras.src.utils.module_utils import tensorflow as tf
+ 
+@@ -32,6 +33,7 @@ BUILTIN_MODULES = frozenset(
+ 
+ LOADING_APIS = frozenset(
+     {
++        "keras.config.enable_unsafe_deserialization",
+         "keras.models.load_model",
+         "keras.preprocessing.image.load_img",
+         "keras.saving.load_model",
+@@ -815,8 +817,13 @@ def _retrieve_class_or_fn(
+             try:
+                 mod = importlib.import_module(module)
+                 obj = vars(mod).get(name, None)
+-                if obj is not None:
++                if isinstance(obj, type) and issubclass(obj, KerasSaveable):
+                     return obj
++                else:
++                    raise ValueError(
++                        f"Could not deserialize '{module}.{name}' because "
++                        "it is not a KerasSaveable subclass"
++                    )
+             except ModuleNotFoundError:
+                 raise TypeError(
+                     f"Could not deserialize {obj_type} '{name}' because "
+-- 
+2.34.1
+