From d91a0d50425657ca46ebb02aa5901ccf43f3d69f Mon Sep 17 00:00:00 2001
From: Azure Linux Security Servicing Account
Date: Fri, 22 May 2026 18:34:35 +0530
Subject: [PATCH] [AutoPR- Security] Patch pytorch for CVE-2025-51480 [HIGH] (#17338)

Co-authored-by: Aditya Singh
Co-authored-by: jslobodzian
(cherry picked from commit 8d0e79aed3d1c06476b0731e9423b59d7866302e)
---
 SPECS/pytorch/CVE-2025-51480.patch | 113 +++++++++++++++++++++++++++++
 SPECS/pytorch/pytorch.spec | 6 +-
 2 files changed, 118 insertions(+), 1 deletion(-)
 create mode 100644 SPECS/pytorch/CVE-2025-51480.patch

diff --git a/SPECS/pytorch/CVE-2025-51480.patch b/SPECS/pytorch/CVE-2025-51480.patch
new file mode 100644
index 00000000000..799d12524cb
--- /dev/null
+++ b/SPECS/pytorch/CVE-2025-51480.patch
@@ -0,0 +1,113 @@
+From 19afa6e00ecfc2fc4374eff042d3eace65748eb6 Mon Sep 17 00:00:00 2001
+From: AllSpark
+Date: Mon, 18 May 2026 14:36:19 +0000
+Subject: [PATCH] Backport: validate external_data path in save_external_data,
+ raise ValidationError, and adjust tests accordingly
+
+Signed-off-by: Azure Linux Security Servicing Account
+Upstream-reference: AI Backport of https://github.com/onnx/onnx/pull/7627.patch
+---
+ third_party/onnx/onnx/external_data_helper.py | 27 ++++++++++++++++++-
+ .../onnx/onnx/test/test_external_data.py | 20 ++++++--------
+ 2 files changed, 34 insertions(+), 13 deletions(-)
+
+diff --git a/third_party/onnx/onnx/external_data_helper.py b/third_party/onnx/onnx/external_data_helper.py
+index 2b5ea70a..fb0513f1 100644
+--- a/third_party/onnx/onnx/external_data_helper.py
++++ b/third_party/onnx/onnx/external_data_helper.py
+@@ -2,6 +2,7 @@
+ #
+ # SPDX-License-Identifier: Apache-2.0
+ import os
++import pathlib
+ import re
+ import sys
+ import uuid
+@@ -321,12 +322,36 @@ def convert_model_from_external_data(model: ModelProto) -> None:
+ def save_external_data(tensor: TensorProto, base_path: str) -> None:
+ """
+ Writes tensor data to an external file according to information in the `external_data` field.
++ The function checks the external is a valid name and located in folder `base_path`.
+
+ Arguments:
+ tensor (TensorProto): Tensor object to be serialized
+ base_path: System path of a folder where tensor data is to be stored
++
++ Raises:
++ onnx.checker.ValidationError: If the external file is invalid.
+ """
+ info = ExternalDataInfo(tensor)
++
++ # Let's check the tensor location is valid.
++ location_path = pathlib.Path(info.location)
++ if location_path.is_absolute() and len(location_path.parts) > 1:
++ raise onnx_checker.ValidationError(
++ f"Tensor {tensor.name!r} is external and must not be defined "
++ f"with an absolute path such as {info.location!r}, "
++ f"base_path={base_path!r}"
++ )
++ if ".." in location_path.parts:
++ raise onnx_checker.ValidationError(
++ f"Tensor {tensor.name!r} is external and must be placed in folder "
++ f"{base_path!r}, '..' is not needed in {info.location!r}."
++ )
++ if location_path.name in (".", ".."):
++ raise onnx_checker.ValidationError(
++ f"Tensor {tensor.name!r} is external and its name "
++ f"{info.location!r} is invalid."
++ )
++
+ external_data_file_path = os.path.join(base_path, info.location)
+
+ # C++ _resolve_external_data_location() cannot be used on save path
+@@ -337,7 +362,7 @@ def save_external_data(tensor: TensorProto, base_path: str) -> None:
+
+ # Retrieve the tensor's data from raw_data or load external file
+ if not tensor.HasField("raw_data"):
+- raise ValueError("raw_data field doesn't exist.")
++ raise onnx_checker.ValidationError("raw_data field doesn't exist.")
+
+ # Create file if it doesn't exist
+ if not os.path.isfile(external_data_file_path):
+diff --git a/third_party/onnx/onnx/test/test_external_data.py b/third_party/onnx/onnx/test/test_external_data.py
+index bb14d279..566992ff 100644
+--- a/third_party/onnx/onnx/test/test_external_data.py
++++ b/third_party/onnx/onnx/test/test_external_data.py
+@@ -205,9 +205,13 @@ class TestLoadExternalDataSingleFile(TestLoadExternalDataBase):
+ attribute_tensor = new_model.graph.node[0].attribute[0].t
+ np.testing.assert_allclose(to_array(attribute_tensor), self.attribute_value)
+
+- @parameterized.parameterized.expand(itertools.product((True, False), (True, False)))
++ @parameterized.parameterized.expand(
++ itertools.product(
++ (True, False),
++ )
++ )
+ def test_save_external_invalid_single_file_data_and_check(
+- self, use_absolute_path: bool, use_model_path: bool
++ self, use_absolute_path: bool
+ ) -> None:
+ model = onnx.load_model(self.model_filename, self.serialization_format)
+
+@@ -240,16 +244,8 @@ class TestLoadExternalDataSingleFile(TestLoadExternalDataBase):
+ location=traversal_external_data_location,
+ )
+
+- onnx.save_model(model, new_model_filepath, self.serialization_format)
+- if use_model_path:
+- with self.assertRaises(onnx.checker.ValidationError):
+- _ = onnx.load_model(new_model_filepath, self.serialization_format)
+- else:
+- onnx_model = onnx.load_model(
+- new_model_filepath, self.serialization_format, load_external_data=False
+- )
+- with self.assertRaises(onnx.checker.ValidationError):
+- load_external_data_for_model(onnx_model, external_data_dir)
++ with self.assertRaises(onnx.checker.ValidationError):
++ onnx.save_model(model, new_model_filepath, self.serialization_format)
+
+
+ @parameterized.parameterized_class(
+--
+2.45.4
+
diff --git a/SPECS/pytorch/pytorch.spec b/SPECS/pytorch/pytorch.spec
index 75d285304b9..20d71cdd152 100644
--- a/SPECS/pytorch/pytorch.spec
+++ b/SPECS/pytorch/pytorch.spec
@@ -2,7 +2,7 @@
 Summary: Tensors and Dynamic neural networks in Python with strong GPU acceleration.
 Name: pytorch
 Version: 2.2.2
-Release: 14%{?dist}
+Release: 15%{?dist}
 License: BSD-3-Clause
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
@@ -40,6 +40,7 @@ Patch15: CVE-2026-24747.patch
 Patch16: CVE-2026-0994.patch
 Patch17: CVE-2026-34445.patch
 Patch18: CVE-2026-34446.patch
+Patch19: CVE-2025-51480.patch
 
 %description
 PyTorch is a Python package that provides two high-level features:
@@ -101,6 +102,9 @@ cp -arf docs %{buildroot}/%{_pkgdocdir}
 %{_docdir}/*
 
 %changelog
+* Mon May 18 2026 Azure Linux Security Servicing Account - 2.2.2-15
+- Patch for CVE-2025-51480
+
 * Fri Apr 10 2026 Aninda Pradhan - 2.2.2-14
 - Updated patch CVE-2025-55560 to include missing function definition is_sparse_any
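Review bot: The new guards in save_external_data raise `onnx_checker.ValidationError`, but the only import this hunk adds is `import pathlib` and the visible import context (os, re, sys, uuid) does not bind `onnx_checker`; if external_data_helper.py does not already import it elsewhere, the guard fails with NameError instead of the intended ValidationError, which is the first thing to verify for a backport marked as AI-generated. The absolute-path check also exempts single-component absolute locations through `len(location_path.parts) > 1`, so a bare root such as `"/"` is accepted and `os.path.join(base_path, "/")` then discards `base_path` entirely; unless that exemption is deliberate, `if location_path.is_absolute():` is the safer form. Because all three checks are lexical, a containment check after the join, `if os.path.commonpath([os.path.realpath(base_path), os.path.realpath(external_data_file_path)]) != os.path.realpath(base_path): raise onnx_checker.ValidationError(...)`, would additionally cover symlinked components inside base_path. Changing the missing-raw_data error from ValueError to ValidationError alters what callers can catch; unless ValidationError derives from ValueError, that should be called out in the docstring's Raises section. The remainder of save_external_data lies outside the hunk.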