skip smddp and smppy tests, allowlist protobuf CVE 77740 - blocked by sm pytorch training dep

jinyan-li1 · jinyan-li1 · commit 5c3b37e2a6d2 · 2025-08-21T16:25:34.000-07:00
diff --git a/pytorch/training/docker/2.8/py3/Dockerfile.sagemaker.cpu.py_scan_allowlist.json b/pytorch/training/docker/2.8/py3/Dockerfile.sagemaker.cpu.py_scan_allowlist.json
@@ -0,0 +1,3 @@
+{
+  "77740": "Affected versions of this package are vulnerable to a potential Denial of Service (DoS) attack due to unbounded recursion when parsing untrusted Protocol Buffers data. The pure-Python implementation fails to enforce recursion depth limits when processing recursive groups, recursive messages, or a series of SGROUP tags, leading to stack overflow conditions that can crash the application by exceeding Python's recursion limit."
+}
diff --git a/pytorch/training/docker/2.8/py3/cu129/Dockerfile.sagemaker.gpu.py_scan_allowlist.json b/pytorch/training/docker/2.8/py3/cu129/Dockerfile.sagemaker.gpu.py_scan_allowlist.json
@@ -0,0 +1,3 @@
+{
+  "77740": "Affected versions of this package are vulnerable to a potential Denial of Service (DoS) attack due to unbounded recursion when parsing untrusted Protocol Buffers data. The pure-Python implementation fails to enforce recursion depth limits when processing recursive groups, recursive messages, or a series of SGROUP tags, leading to stack overflow conditions that can crash the application by exceeding Python's recursion limit."
+}
diff --git a/test/sagemaker_tests/pytorch/training/conftest.py b/test/sagemaker_tests/pytorch/training/conftest.py
@@ -500,7 +500,12 @@ def skip_smddataparallel_test(
     For each currency release, we can skip SMDDP tests if the binary does not exist.
     However, when the SMDDP binaries are added, be sure to fix the test logic such that the tests are not skipped.
     """
-    skip_dict = {"==2.0.*": ["cu121"], ">=2.6,<2.7.1": ["cu126"], ">=2.7.1,<2.8": ["cu128"]}
+    skip_dict = {
+        "==2.0.*": ["cu121"],
+        ">=2.6,<2.7.1": ["cu126"],
+        ">=2.7.1,<2.8": ["cu128"],
+        ">=2.8,<2.9": ["cu129"],
+    }
     if _validate_pytorch_framework_version(
         request, processor, ecr_image, "skip_smddataparallel_test", skip_dict
     ):
@@ -516,7 +521,7 @@ def skip_smppy_test(
     """For each currency release, we can skip smppy tests if the Profiler binary does not exist.
     However, when the Profiler binaries are added, be sure to fix the test logic such that the tests are not skipped.
     """
-    skip_dict = {">=2.7.1,<2.8": ["cpu", "cu128"]}
+    skip_dict = {">=2.7.1,<2.8": ["cpu", "cu128"], ">=2.8,<2.9": ["cpu", "cu129"]}
     if _validate_pytorch_framework_version(
         request, processor, ecr_image, "skip_smppy_test", skip_dict
     ):

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+{`
	`2`	`+ "77740": "Affected versions of this package are vulnerable to a potential Denial of Service (DoS) attack due to unbounded recursion when parsing untrusted Protocol Buffers data. The pure-Python implementation fails to enforce recursion depth limits when processing recursive groups, recursive messages, or a series of SGROUP tags, leading to stack overflow conditions that can crash the application by exceeding Python's recursion limit."`
	`3`	`+}`