QID 981469
QID 981469: Python (pip) Security Update for tensorflow-gpu (GHSA-h6fg-mjxg-hqq4)
Security update has been released for tensorflow-gpu,tensorflow,tensorflow-cpu to fix the vulnerability.
Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
The `Shard` API in TensorFlow expects the last argument to be a function taking two `int64` (i.e., `long long`) arguments:
https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/core/util/work_sharder.h#L59-L60
However, there are several places in TensorFlow where a lambda taking `int` or `int32` arguments is being used:
https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/core/kernels/random_op.cc#L204-L205
https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/core/kernels/random_op.cc#L317-L318
In these cases, if the amount of work to be parallelized is large enough, integer truncation occurs. Depending on how the two arguments of the lambda are used, this can result in segfaults, read/write outside of heap allocated arrays, stack overflows, or data corruption.
We recommend users to upgrade to TensorFlow 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1.
- GHSA-h6fg-mjxg-hqq4 -
github.com/advisories/GHSA-h6fg-mjxg-hqq4
CVEs related to QID 981469
| Advisory ID | Software | Component | Link |
|---|---|---|---|
| GHSA-h6fg-mjxg-hqq4 | tensorflow |
|
|
| GHSA-h6fg-mjxg-hqq4 | tensorflow-cpu |
|
|
| GHSA-h6fg-mjxg-hqq4 | tensorflow-gpu |
|