28 changes: 28 additions & 0 deletions SPECS/keras/CVE-2025-12638.patch
@@ -0,0 +1,28 @@
From d275df9ef4a873f8d979fb4d27753e1369a155f2 Mon Sep 17 00:00:00 2001
From: AllSpark <[email protected]>
Date: Mon, 8 Dec 2025 06:05:01 +0000
Subject: [PATCH] Use filter="data" option of TarFile.extractall and add path
filtering for zip archives; share extraction code between file_utils and
saving_lib

Signed-off-by: Azure Linux Security Servicing Account <[email protected]>
Upstream-reference: AI Backport of https://github.com/keras-team/keras/commit/47fcb397ee4caffd5a75efd1fa3067559594e95.patch
---
keras/src/saving/saving_lib.py | 1 +
1 file changed, 1 insertion(+)

diff --git a/keras/src/saving/saving_lib.py b/keras/src/saving/saving_lib.py
index 1668489..f4d6fa0 100644
--- a/keras/src/saving/saving_lib.py
+++ b/keras/src/saving/saving_lib.py
@@ -556,6 +556,7 @@ class DiskIOStore:
if self.archive:
self.tmp_dir = get_temp_dir()
if self.mode == "r":
+ # Extract archive using path filtering to prevent unsafe paths
file_utils.extract_open_archive(self.archive, self.tmp_dir)
self.working_dir = file_utils.join(
self.tmp_dir, self.root_path
--
2.45.4
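Review bot: the body of this patch does not implement what its subject and `Upstream-reference` describe. The only change to `keras/src/saving/saving_lib.py` is the added comment `+ # Extract archive using path filtering to prevent unsafe paths`; the call `file_utils.extract_open_archive(self.archive, self.tmp_dir)` is unchanged context, the diffstat reads `1 file changed, 1 insertion(+)`, and no hunk touches `file_utils` to add `filter="data"` for tar extraction or path checks for zip members. Unless `extract_open_archive` in the 3.3.3 tree already performs that filtering, this backport is a no-op for CVE-2025-12638; either carry the `file_utils` changes from the upstream commit or state in the patch description why the existing code is already safe. Separately, the commit id in the `Upstream-reference` line is 39 hex characters rather than 40, so confirm the link resolves before merging.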

6 changes: 5 additions & 1 deletion SPECS/keras/keras.spec
@@ -3,7 +3,7 @@
Summary: Keras is a high-level neural networks API.
Name: keras
Version: 3.3.3
Release: 5%{?dist}
Release: 6%{?dist}
License: ASL 2.0
Vendor: Microsoft Corporation
Distribution: Azure Linux
@@ -16,6 +16,7 @@ Patch01: CVE-2025-1550.patch
Patch02: CVE-2025-8747.patch
Patch03: CVE-2025-9905.patch
Patch4: CVE-2025-12060.patch
Patch5: CVE-2025-12638.patch

# Fix for CVE-2025-9906 included as part of CVE-2025-8747 and kept here as nopatch
# and commented out, because from patch command perspective, these files
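Review bot: `Patch5: CVE-2025-12638.patch` is declared here, but nothing in this hunk applies it. If `%prep` uses explicit `%patch` directives rather than `%autosetup` (the comment about keeping CVE-2025-9906 as nopatch suggests patches are handled individually), a corresponding `%patch` line for Patch5 is needed or the new Release is built without the fix. Minor style point: the numbering mixes zero-padded `Patch01`..`Patch03` with `Patch4`/`Patch5`; rpm accepts either, but keep one form.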
@@ -80,6 +81,9 @@ python3 pip_build.py --install


%changelog
* Mon Dec 08 2025 Azure Linux Security Servicing Account <[email protected]> - 3.3.3-6
- Patch for CVE-2025-12638

* Fri Oct 31 2025 Azure Linux Security Servicing Account <[email protected]> - 3.3.3-5
- Patch for CVE-2025-12060
