InterDigitalInc / CompressAI

A PyTorch library and evaluation platform for end-to-end compression research
https://interdigitalinc.github.io/CompressAI/
BSD 3-Clause Clear License

Potential Security Risk in torch==1.8.1 Detected through Static Analysis #313

Open wangyueq0101 opened 1 week ago

wangyueq0101 commented 1 week ago

Summary

A reachable construct was detected in torch==1.8.1 through my static analysis database. The analysis uncovered more than 5 call chains leading to this construct. Below is one example to illustrate the potential vulnerability:

Call Chain Analysis

compressai.sadl_codec.dataset2latent
└── import torch
    └── import torch.jit
        └── import torch.jit._script
            └── import torch.jit.frontend
                └── import torch.jit.annotations

Patch and Code Changes

We suspect that this construct may be vulnerable because it was modified in a security-related patch. This suggests that the original code might have contained a flaw, and it may still be risky to use the affected version (torch==1.8.1) without further investigation.

Note:

This issue was identified through a static analysis of the project at commit [743680befc146a6d8ee7840285584f2ce00c3732].
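The call chain above is the kind of result a static import-reachability pass produces. The following is an added example, not code from CompressAI, PyTorch or the reporter: it parses module sources with `ast`, builds an import graph and searches for the shortest chain from `compressai.sadl_codec.dataset2latent` to `torch.jit.annotations`. The module sources are constructed stand-ins embedded as strings so it runs offline; no real torch or compressai code is consulted.

```python
import ast
from collections import deque

# Constructed stand-in sources keyed by dotted module name (not the real code).
SAMPLE_SOURCES = {
    "compressai.sadl_codec.dataset2latent": "import torch\nimport numpy as np\n",
    "torch": "import torch.jit\nimport torch.nn\n",
    "torch.nn": "",
    "torch.jit": "import torch.jit._script\n",
    "torch.jit._script": "import torch.jit.frontend\n",
    "torch.jit.frontend": "import torch.jit.annotations\n",
    "torch.jit.annotations": "import inspect\n",  # inspect is outside the graph
    "numpy": "",
}

def direct_imports(source: str) -> set[str]:
    """Dotted module names imported anywhere in `source` (absolute imports only)."""
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names.update(alias.name for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module)  # `from a.b import c` loads a.b
    return names

def build_import_graph(sources: dict[str, str]) -> dict[str, set[str]]:
    """Module -> modules it imports, restricted to modules we have sources for."""
    return {mod: {m for m in direct_imports(src) if m in sources}
            for mod, src in sources.items()}

def find_import_chain(graph: dict[str, set[str]], start: str, target: str):
    """Shortest import chain from `start` to `target` via BFS, or None."""
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for nxt in sorted(graph.get(path[-1], ())):  # sorted for determinism
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

if __name__ == "__main__":
    graph = build_import_graph(SAMPLE_SOURCES)
    chain = find_import_chain(graph, "compressai.sadl_codec.dataset2latent",
                              "torch.jit.annotations")
    print(" -> ".join(chain) if chain else "not reachable")
```

Reachability of a module is only the first step in triage: it shows the code is loaded, not that the modified construct is ever called with attacker-influenced input, so the next check is whether the affected function is actually invoked on the project's code paths.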