patch pytorch 2.5 inference ARM64 sagemaker image (#5298)

jinyan-li1 · web-flow · commit 944c50df15ad · 2025-09-26T10:17:54.000-07:00
* patch pytorch 2.5 inference ARM64 sagemaker image
diff --git a/pytorch/inference/docker/2.5/py3/Dockerfile.ec2.arm64.cpu.os_scan_allowlist.json b/pytorch/inference/docker/2.5/py3/Dockerfile.ec2.arm64.cpu.os_scan_allowlist.json
@@ -30,4 +30,4 @@
       "reason_to_ignore": "N/A"
     }
   ]
-}
+}
diff --git a/pytorch/inference/docker/2.5/py3/Dockerfile.sagemaker.arm64.cpu.os_scan_allowlist.json b/pytorch/inference/docker/2.5/py3/Dockerfile.sagemaker.arm64.cpu.os_scan_allowlist.json
@@ -29,5 +29,67 @@
       "title": "CVE-2025-32434 - torch",
       "reason_to_ignore": "N/A"
     }
+  ],
+  "dpkg": [
+    {
+      "description": "It was discovered that dpkg-deb does not properly sanitize directory permissions when extracting a control member into a temporary directory, which is documented as being a safe operation even on untrusted data. This may result in leaving temporary files behind on cleanup. Given automated and repeated execution of dpkg-deb commands on adversarial .deb packages or with well compressible files, placed inside a directory with permissions not allowing removal by a non-root user, this can end up in a DoS scenario due to causing disk quota exhaustion or disk full conditions.", 
+      "vulnerability_id": "CVE-2025-6297", 
+      "name": "CVE-2025-6297", 
+      "package_name": "dpkg", 
+      "package_details": {
+        "file_path": null, 
+        "name": "dpkg", 
+        "package_manager": "OS", 
+        "version": "1.21.1ubuntu2.3", 
+        "release": null
+        }, 
+        "remediation": {
+          "recommendation": {
+            "text": "None Provided"
+          }
+        }, 
+        "cvss_v3_score": 8.2, 
+        "cvss_v30_score": 0.0, 
+        "cvss_v31_score": 8.2, 
+        "cvss_v2_score": 0.0, 
+        "cvss_v3_severity": "HIGH", 
+        "source_url": "https://people.canonical.com/~ubuntu-security/cve/2025/CVE-2025-6297.html", 
+        "source": "UBUNTU_CVE", 
+        "severity": "HIGH", 
+        "status": "ACTIVE", 
+        "title": "CVE-2025-6297 - dpkg, libdpkg-perl", 
+        "reason_to_ignore": "N/A"
+    }
+  ], 
+  "libdpkg-perl": [
+    {
+      "description": "It was discovered that dpkg-deb does not properly sanitize directory permissions when extracting a control member into a temporary directory, which is documented as being a safe operation even on untrusted data. This may result in leaving temporary files behind on cleanup. Given automated and repeated execution of dpkg-deb commands on adversarial .deb packages or with well compressible files, placed inside a directory with permissions not allowing removal by a non-root user, this can end up in a DoS scenario due to causing disk quota exhaustion or disk full conditions.", 
+      "vulnerability_id": "CVE-2025-6297", 
+      "name": "CVE-2025-6297", 
+      "package_name": "libdpkg-perl", 
+      "package_details": {
+        "file_path": null, 
+        "name": "libdpkg-perl", 
+        "package_manager": "OS", 
+        "version": "1.21.1ubuntu2.3", 
+        "release": null
+        }, 
+        "remediation": {
+          "recommendation": {
+            "text": "None Provided"
+          }
+        }, 
+        "cvss_v3_score": 8.2, 
+        "cvss_v30_score": 0.0, 
+        "cvss_v31_score": 8.2, 
+        "cvss_v2_score": 0.0, 
+        "cvss_v3_severity": "HIGH", 
+        "source_url": "https://people.canonical.com/~ubuntu-security/cve/2025/CVE-2025-6297.html", 
+        "source": "UBUNTU_CVE", 
+        "severity": "HIGH", 
+        "status": "ACTIVE", 
+        "title": "CVE-2025-6297 - dpkg, libdpkg-perl", 
+        "reason_to_ignore": "N/A"
+    }
   ]
 }

Original file line number	Diff line number	Diff line change
`@@ -30,4 +30,4 @@`
`30`	`30`	`"reason_to_ignore": "N/A"`
`31`	`31`	`}`
`32`	`32`	`]`
`33`		`-}`
	`33`	`+}`