QID 980057
QID 980057: Python (pip) Security Update for tensorflow-gpu (GHSA-q4qf-3fc6-8x34)
Security update has been released for tensorflow-gpu,tensorflow,tensorflow-cpu to fix the vulnerability.
Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
To mimic Python's indexing with negative values, TFLite uses `ResolveAxis` to convert negative values to positive indices. However, the only check that the converted index is now valid is only present in debug builds:
https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/lite/kernels/internal/reference/reduce.h#L68-L72
If the `DCHECK` does not trigger, then code execution moves ahead with a negative index. This, in turn, results in accessing data out of bounds which results in segfaults and/or data corruption.
We recommend users to upgrade to TensorFlow 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1.
- GHSA-q4qf-3fc6-8x34 -
github.com/advisories/GHSA-q4qf-3fc6-8x34
CVEs related to QID 980057
| Advisory ID | Software | Component | Link |
|---|---|---|---|
| GHSA-q4qf-3fc6-8x34 | tensorflow |
|
|
| GHSA-q4qf-3fc6-8x34 | tensorflow-cpu |
|
|
| GHSA-q4qf-3fc6-8x34 | tensorflow-gpu |
|