QID 981468
QID 981468: Python (pip) Security Update for tensorflow-gpu (GHSA-mxjj-953w-2c2v)
Security update has been released for tensorflow-gpu,tensorflow,tensorflow-cpu to fix the vulnerability.
Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
When determining the common dimension size of two tensors, TFLite uses a `DCHECK` which is no-op outside of debug compilation modes:
https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/lite/kernels/internal/types.h#L437-L442
Since the function always returns the dimension of the first tensor, malicious attackers can craft cases where this is larger than that of the second tensor. In turn, this would result in reads/writes outside of bounds since the interpreter will wrongly assume that there is enough data in both tensors.
We recommend users to upgrade to TensorFlow 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1.
- GHSA-mxjj-953w-2c2v -
github.com/advisories/GHSA-mxjj-953w-2c2v
CVEs related to QID 981468
| Advisory ID | Software | Component | Link |
|---|---|---|---|
| GHSA-mxjj-953w-2c2v | tensorflow |
|
|
| GHSA-mxjj-953w-2c2v | tensorflow-cpu |
|
|
| GHSA-mxjj-953w-2c2v | tensorflow-gpu |
|