GHSA-4p6f-m4f9-ch88: Binary vulnerable to Slice Memory Allocation with Excessive Size Value

### Impact

> _What kind of vulnerability is it? Who is impacted?_

The vulnerability is a memory allocation vulnerability that can be exploited to allocate slices in memory with (arbitrary) excessive size value, which can either exhaust available memory or crash the whole program.

When using `github.com/gagliardetto/binary` to parse unchecked (or wrong type of) data from untrusted sources of input (e.g. the blockchain) into slices, it's possible to allocate memory with excessive size.

When the `dec.Decode(&val)` method is used to parse data into a structure that is or contains slices of values, the length of the slice was previously read directly from the data itself without any checks on its size, and then a slice was allocated. This could lead to an overflow and an allocation of memory with excessive size value.

Example:

```go
package main

import (
	"github.com/gagliardetto/binary" // any version before v0.7.1 is vulnerable
	"log"
)

type MyStruct struct {
	Field1 []byte // fi...
```

GHSA-mv8m-8x97-937q: TensorFlow vulnerable to `CHECK` fail in `tf.random.gamma`

### Impact

When `tf.random.gamma` receives large input shape and rates, it gives a `CHECK` fail that can trigger a denial of service attack.

```python
import tensorflow as tf

arg_0 = tf.random.uniform(shape=(4,), dtype=tf.int32, maxval=65536)
arg_1 = tf.random.uniform(shape=(4, 4), dtype=tf.float64, maxval=None)
arg_2 = tf.random.uniform(shape=(4, 4, 4, 4, 4), dtype=tf.float64, maxval=None)
arg_3 = tf.float64
arg_4 = 48
arg_5 = 'None'
tf.random.gamma(shape=arg_0, alpha=arg_1, beta=arg_2, dtype=arg_3, seed=arg_4, name=arg_5)
```

### Patches

We have patched the issue in GitHub commit [552bfced6ce4809db5f3ca305f60ff80dd40c5a3](https://github.com/tensorflow/tensorflow/commit/552bfced6ce4809db5f3ca305f60ff80dd40c5a3).

The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range.

### For more information

Please consult [our security guide](https://github.com/tens...

GHSA-g468-qj8g-vcjc: TensorFlow vulnerable to `CHECK`-fail in `tensorflow::full_type::SubstituteFromAttrs`

### Impact

When [`tensorflow::full_type::SubstituteFromAttrs`](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/core/ops/math_ops.cc) receives a `FullTypeDef& t` that is not exactly three args, it triggers a `CHECK`-fail instead of returning a status.

```cpp
Status SubstituteForEach(AttrMap& attrs, FullTypeDef& t) {
  DCHECK_EQ(t.args_size(), 3);

  const auto& cont = t.args(0);
  const auto& tmpl = t.args(1);
  const auto& t_var = t.args(2);
```

### Patches

We have patched the issue in GitHub commit [6104f0d4091c260ce9352f9155f7e9b725eab012](https://github.com/tensorflow/tensorflow/commit/6104f0d4091c260ce9352f9155f7e9b725eab012).

The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range.

### For more information

Please consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more infor...

GHSA-mv8x-668m-53fg: Elrond-go has improper initialization

### Impact

Read-only calls between contracts can generate smart contract results. For example, if contract A calls contract B in read-only mode and the called function makes changes to contract B's state, the state will be altered for contract B as if the call was not made in read-only mode. This can lead to effects not intended by the original smart contract programmers.

### Patches

Patch v1.3.35 or higher

### Workarounds

No workaround

### References

For future reference and understanding of this issue, anyone can check this integration test https://github.com/ElrondNetwork/elrond-go/blob/8e402fa6d7e91e779980122d3798b2bf50892945/integrationTests/vm/txsFee/asyncESDT_test.go#L452 that proves the fix and prevents a future code regression.

### For more information

If you have any questions or comments about this advisory:

* Open an issue in elrond-go ([http://github.com/ElrondNetwork/elrond-go/issues](https://github.com/ElrondNetwork/elrond-go/issues))

GHSA-7j3m-8g3c-9qqq: TensorFlow vulnerable to null-dereference in `mlir::tfg::TFOp::nameAttr`

### Impact

When [`mlir::tfg::TFOp::nameAttr`](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/core/ir/importexport/graphdef_import.cc) receives null type list attributes, it crashes.

```cpp
StatusOr<unsigned> GraphDefImporter::ArgNumType(const NamedAttrList &attrs,
                                                const OpDef::ArgDef &arg_def,
                                                SmallVectorImpl<Type> &types) {
  // Check whether a type list attribute is specified.
  if (!arg_def.type_list_attr().empty()) {
    if (auto v = attrs.get(arg_def.type_list_attr()).dyn_cast<ArrayAttr>()) {
      for (Attribute attr : v) {
        if (auto dtype = attr.dyn_cast<TypeAttr>()) {
          types.push_back(UnrankedTensorType::get(dtype.getValue()));
        } else {
          return InvalidArgument("Expected '", arg_def.type_list_attr(),
                                 "' to be a list of types");
        }
      }
      return v.size();
    }
    return NotFound("Type at...
```

GHSA-rh87-q4vg-m45j: TensorFlow vulnerable to integer overflow in math ops

### Impact

When [`RangeSize`](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/core/ops/math_ops.cc) receives values that do not fit into an `int64_t`, it crashes.

```cpp
  auto size = (std::is_integral<T>::value
                   ? ((Eigen::numext::abs(limit - start) +
                       Eigen::numext::abs(delta) - T(1)) /
                      Eigen::numext::abs(delta))
                   : (Eigen::numext::ceil(
                         Eigen::numext::abs((limit - start) / delta))));

  // This check does not cover all cases.
  if (size > std::numeric_limits<int64_t>::max()) {
    return errors::InvalidArgument("Requires ((limit - start) / delta) <= ",
                                   std::numeric_limits<int64_t>::max());
  }

  c->set_output(0, c->Vector(static_cast<int64_t>(size)));
  return Status::OK();
}
```

### Patches

We have patched the issue in GitHub commit [37e64539cd29fcfb814c4451152a60f5d107b0f0](https://github.com/tensorflow/tensorflow/commit/37e6...

GHSA-jvhc-5hhr-w3v5: TensorFlow vulnerable to assertion fail on MLIR empty edge names

### Impact

When [`mlir::tfg::ConvertGenericFunctionToFunctionDef`](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/core/ir/importexport/functiondef_import.cc) is given empty function attributes, it crashes.

```cpp
  // We pre-allocate the array of operands and populate it using the
  // `output_name_to_position` and `control_output_to_position` populated
  // previously.
  SmallVector<Value> ret_vals(func.ret_size() + func.control_ret_size(),
                              Value());
  for (const auto& ret_val : func.ret()) {
    auto position = output_name_to_position.find(ret_val.first);
    if (position == output_name_to_position.end())
      return InvalidArgument(
          "Can't import function, returned value references unknown output "
          "argument ",
          ret_val.first);
    ret_vals[position->second] =
        value_manager.GetValueOrCreatePlaceholder(ret_val.second);
  }
  for (const auto& ret_val : func.control_ret()) {
    auto position = control_output_to_position.find(ret_val.f...
```

GHSA-w62h-8xjm-fv49: TensorFlow vulnerable to `CHECK` fail in `DenseBincount`

### Impact

`DenseBincount` assumes its input tensor `weights` to either have the same shape as its input tensor `input` or to be length-0. A different `weights` shape will trigger a `CHECK` fail that can be used to trigger a denial of service attack.

```python
import tensorflow as tf

binary_output = True
input = tf.random.uniform(shape=[0, 0], minval=-10000, maxval=10000, dtype=tf.int32, seed=-2460)
size = tf.random.uniform(shape=[], minval=-10000, maxval=10000, dtype=tf.int32, seed=-10000)
weights = tf.random.uniform(shape=[], minval=-10000, maxval=10000, dtype=tf.float32, seed=-10000)
tf.raw_ops.DenseBincount(input=input, size=size, weights=weights, binary_output=binary_output)
```

### Patches

We have patched the issue in GitHub commit [bf4c14353c2328636a18bfad1e151052c81d5f43](https://github.com/tensorflow/tensorflow/commit/bf4c14353c2328636a18bfad1e151052c81d5f43).

The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2...

GHSA-mgmh-g2v6-mqw5: TensorFlow vulnerable to `CHECK` failure in `AvgPoolOp`

### Impact

The [`AvgPoolOp`](https://github.com/tensorflow/tensorflow/blob/8d72537c6abf5a44103b57b9c2e22c14f5f49698/tensorflow/core/kernels/avgpooling_op.cc#L56-L98) function takes an argument `ksize` that must be positive but is not checked. A negative `ksize` can trigger a `CHECK` failure and crash the program.

```python
import tensorflow as tf
import numpy as np

value = np.ones([1, 1, 1, 1])
ksize = [1, 1e20, 1, 1]
strides = [1, 1, 1, 1]
padding = 'SAME'
data_format = 'NHWC'

tf.raw_ops.AvgPool(value=value, ksize=ksize, strides=strides, padding=padding, data_format=data_format)
```

### Patches

We have patched the issue in GitHub commit [3a6ac52664c6c095aa2b114e742b0aa17fdce78f](https://github.com/tensorflow/tensorflow/commit/3a6ac52664c6c095aa2b114e742b0aa17fdce78f).

The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range.

### For more ...

GHSA-2m6g-crv8-p3c6: Parse Server vulnerable to brute force guessing of user sensitive data via search patterns

### Impact

Internal fields (keys used internally by Parse Server, prefixed by `_`) and protected fields (user defined) can be used as query constraints. Internal and protected fields are removed by Parse Server from query results and are only returned to the client using a valid master key. However, using query constraints, these fields can be guessed by enumerating until Parse Server returns a response object.

### Patches

The patch requires the master key to use internal and protected fields as query constraints.

### Workarounds

Implement a Parse Cloud Trigger `beforeFind` and manually remove the query constraints, such as:

```js
Parse.Cloud.beforeFind('TestObject', ({ query }) => {
  for (const key in query._where || []) {
    // Repeat logic for protected fields
    if (key.charAt(0) === '_') {
      delete query._where[key];
    }
  }
});
```

### References

- https://github.com/parse-community/parse-server/security/advisories/GHSA-2m6g-crv8-p3c6