[AUTO-CHERRYPICK] Patch tensorflow for CVE-2024-35195 - branch 3.0-dev (#11962)

CBL-Mariner-Bot · Kanishk-Bansal · web-flow · commit b8bd2d67e3b1 · 2025-01-17T21:30:06.000-05:00
Co-authored-by: Kanishk Bansal &lt;103916909+Kanishk-Bansal@users.noreply.github.com&gt;
diff --git a/SPECS/tensorflow/CVE-2024-35195.patch b/SPECS/tensorflow/CVE-2024-35195.patch
@@ -0,0 +1,108 @@
+From 645c871ad0578ac7fc79ea84e64380984423af0c Mon Sep 17 00:00:00 2001
+From: Kanishk-Bansal <kbkanishk975@gmail.com>
+Date: Thu, 19 Dec 2024 06:10:36 +0000
+Subject: [PATCH] Fix CVE-2024-35195
+
+---
+ .../site-packages/requests/adapters.py        | 58 ++++++++++++++++++-
+ 1 file changed, 57 insertions(+), 1 deletion(-)
+
+diff --git a/pypi_requests/site-packages/requests/adapters.py b/pypi_requests/site-packages/requests/adapters.py
+index 78e3bb6..03cd069 100644
+--- a/pypi_requests/site-packages/requests/adapters.py
++++ b/pypi_requests/site-packages/requests/adapters.py
+@@ -8,6 +8,7 @@ and maintain connections.
+ 
+ import os.path
+ import socket  # noqa: F401
++import typing
+ 
+ from urllib3.exceptions import ClosedPoolError, ConnectTimeoutError
+ from urllib3.exceptions import HTTPError as _HTTPError
+@@ -61,12 +62,38 @@ except ImportError:
+         raise InvalidSchema("Missing dependencies for SOCKS support.")
+ 
+ 
++if typing.TYPE_CHECKING:
++    from .models import PreparedRequest
++
++
+ DEFAULT_POOLBLOCK = False
+ DEFAULT_POOLSIZE = 10
+ DEFAULT_RETRIES = 0
+ DEFAULT_POOL_TIMEOUT = None
+ 
+ 
++def _urllib3_request_context(
++    request: "PreparedRequest", verify: "bool | str | None"
++) -> "(typing.Dict[str, typing.Any], typing.Dict[str, typing.Any])":
++    host_params = {}
++    pool_kwargs = {}
++    parsed_request_url = urlparse(request.url)
++    scheme = parsed_request_url.scheme.lower()
++    port = parsed_request_url.port
++    cert_reqs = "CERT_REQUIRED"
++    if verify is False:
++        cert_reqs = "CERT_NONE"
++    if isinstance(verify, str):
++        pool_kwargs["ca_certs"] = verify
++    pool_kwargs["cert_reqs"] = cert_reqs
++    host_params = {
++        "scheme": scheme,
++        "host": parsed_request_url.hostname,
++        "port": port,
++    }
++    return host_params, pool_kwargs
++
++
+ class BaseAdapter:
+     """The Base Transport Adapter"""
+ 
+@@ -328,6 +355,35 @@ class HTTPAdapter(BaseAdapter):
+ 
+         return response
+ 
++    def _get_connection(self, request, verify, proxies=None):
++        # Replace the existing get_connection without breaking things and
++        # ensure that TLS settings are considered when we interact with
++        # urllib3 HTTP Pools
++        proxy = select_proxy(request.url, proxies)
++        try:
++            host_params, pool_kwargs = _urllib3_request_context(request, verify)
++        except ValueError as e:
++            raise InvalidURL(e, request=request)
++        if proxy:
++            proxy = prepend_scheme_if_needed(proxy, "http")
++            proxy_url = parse_url(proxy)
++            if not proxy_url.host:
++                raise InvalidProxyURL(
++                    "Please check proxy URL. It is malformed "
++                    "and could be missing the host."
++                )
++            proxy_manager = self.proxy_manager_for(proxy)
++            conn = proxy_manager.connection_from_host(
++                **host_params, pool_kwargs=pool_kwargs
++            )
++        else:
++            # Only scheme should be lower case
++            conn = self.poolmanager.connection_from_host(
++                **host_params, pool_kwargs=pool_kwargs
++            )
++
++        return conn
++
+     def get_connection(self, url, proxies=None):
+         """Returns a urllib3 connection for the given URL. This should not be
+         called from user code, and is only exposed for use when subclassing the
+@@ -451,7 +507,7 @@ class HTTPAdapter(BaseAdapter):
+         """
+ 
+         try:
+-            conn = self.get_connection(request.url, proxies)
++            conn = self._get_connection(request, verify, proxies)
+         except LocationValueError as e:
+             raise InvalidURL(e, request=request)
+ 
+-- 
+2.45.2
+
diff --git a/SPECS/tensorflow/tensorflow.spec b/SPECS/tensorflow/tensorflow.spec
@@ -1,7 +1,7 @@
 Summary:        TensorFlow is an open source machine learning framework for everyone.
 Name:           tensorflow
 Version:        2.16.1
-Release:        7%{?dist}
+Release:        8%{?dist}
 License:        ASL 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -13,6 +13,7 @@ Patch0:         CVE-2024-7592.patch
 Patch1:         CVE-2024-6232.patch
 Patch2:         CVE-2024-8088.patch
 Patch3:         CVE-2024-3651.patch
+Patch4:         CVE-2024-35195.patch
 BuildRequires:  bazel
 BuildRequires:  binutils
 BuildRequires:  build-essential
@@ -89,6 +90,11 @@ pushd /root/.cache/bazel/_bazel_$USER/$MD5_HASH/external/python_x86_64-unknown-l
 patch -p1 < %{PATCH3}
 popd
 
+# Need to patch CVE-2024-35195 in the bundled python for applicable archs: `ExclusiveArch:  x86_64`
+pushd /root/.cache/bazel/_bazel_$USER/$MD5_HASH/external/
+patch -p1 < %{PATCH4}
+popd
+
 export TF_PYTHON_VERSION=3.12
 ln -s %{_bindir}/python3 %{_bindir}/python
 
@@ -118,6 +124,9 @@ bazel --batch build  //tensorflow/tools/pip_package:build_pip_package
 %{_bindir}/toco_from_protos
 
 %changelog
+* Wed Jan 15 2025 Kanishk Bansal <kanbansal@microsoft.com> - 2.16.1-8
+- Address CVE-2024-35195 with an upstream patch
+
 * Wed Sep 25 2024 Archana Choudhary <archana1@microsoft.com> - 2.16.1-7
 - Bump release to build with new python3 to fix CVE-2024-6232, CVE-2024-8088, CVE-2024-3651
 
