Security
Headlines
HeadlinesLatestCVEs

Source

ghsa

GHSA-r26c-679w-mrjm: TensorFlow vulnerable to `CHECK` fail in `FakeQuantWithMinMaxVarsGradient`

### Impact When `tf.quantization.fake_quant_with_min_max_vars_gradient` receives input `min` or `max` that is nonscalar, it gives a `CHECK` fail that can trigger a denial of service attack. ```python import tensorflow as tf import numpy as np arg_0=tf.constant(value=np.random.random(size=(2, 2)), shape=(2, 2), dtype=tf.float32) arg_1=tf.constant(value=np.random.random(size=(2, 2)), shape=(2, 2), dtype=tf.float32) arg_2=tf.constant(value=np.random.random(size=(2, 2)), shape=(2, 2), dtype=tf.float32) arg_3=tf.constant(value=np.random.random(size=(2, 2)), shape=(2, 2), dtype=tf.float32) arg_4=8 arg_5=False arg_6='' tf.quantization.fake_quant_with_min_max_vars_gradient(gradients=arg_0, inputs=arg_1, min=arg_2, max=arg_3, num_bits=arg_4, narrow_range=arg_5, name=arg_6) ``` ### Patches We have patched the issue in GitHub commit [f3cf67ac5705f4f04721d15e485e192bb319feed](https://github.com/tensorflow/tensorflow/commit/f3cf67ac5705f4f04721d15e485e192bb319feed). The fix will be included in T...

ghsa
Open in Source
#vulnerability#dos#git
GHSA-g9h5-vr8m-x2h4: TensorFlow vulnerable to `CHECK` fail in `AudioSummaryV2`

### Impact When `AudioSummaryV2` receives an input `sample_rate` with more than one element, it gives a `CHECK` fails that can be used to trigger a denial of service attack. ```python import tensorflow as tf arg_0='' arg_1=tf.random.uniform(shape=(1,1), dtype=tf.float32, maxval=None) arg_2=tf.random.uniform(shape=(2,1), dtype=tf.float32, maxval=None) arg_3=3 arg_4='' tf.raw_ops.AudioSummaryV2(tag=arg_0, tensor=arg_1, sample_rate=arg_2, max_outputs=arg_3, name=arg_4) ``` ### Patches We have patched the issue in GitHub commit [bf6b45244992e2ee543c258e519489659c99fb7f](https://github.com/tensorflow/tensorflow/commit/bf6b45244992e2ee543c258e519489659c99fb7f). The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. ### For more information Please consult [our security guide](https://github.com/tensorflow/tensorflow/blo...

GHSA-4p6f-m4f9-ch88: Binary vulnerable to Slice Memory Allocation with Excessive Size Value

### Impact > _What kind of vulnerability is it? Who is impacted?_ The vulnerability is a memory allocation vulnerability that can be exploited to allocate slices in memory with (arbitrary) excessive size value, which can either exhaust available memory or crash the whole program. When using `github.com/gagliardetto/binary` to parse unchecked (or wrong type of) data from untrusted sources of input (e.g. the blockchain) into slices, it's possible to allocate memory with excessive size. When `dec.Decode(&val)` method is used to parse data into a structure that is or contains slices of values, the length of the slice was previously read directly from the data itself without any checks on the size of it, and then a slice was allocated. This could lead to an overflow and an allocation of memory with excessive size value. Example: ```go package main import ( "github.com/gagliardetto/binary" // any version before v0.7.1 is vulnerable "log" ) type MyStruct struct { Field1 []byte // fi...

GHSA-mv8m-8x97-937q: TensorFlow vulnerable to `CHECK` fail in `tf.random.gamma`

### Impact When `tf.random.gamma` receives large input shape and rates, it gives a `CHECK` fail that can trigger a denial of service attack. ```python import tensorflow as tf arg_0=tf.random.uniform(shape=(4,), dtype=tf.int32, maxval=65536) arg_1=tf.random.uniform(shape=(4, 4), dtype=tf.float64, maxval=None) arg_2=tf.random.uniform(shape=(4, 4, 4, 4, 4), dtype=tf.float64, maxval=None) arg_3=tf.float64 arg_4=48 arg_5='None' tf.random.gamma(shape=arg_0, alpha=arg_1, beta=arg_2, dtype=arg_3, seed=arg_4, name=arg_5) ``` ### Patches We have patched the issue in GitHub commit [552bfced6ce4809db5f3ca305f60ff80dd40c5a3](https://github.com/tensorflow/tensorflow/commit/552bfced6ce4809db5f3ca305f60ff80dd40c5a3). The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. ### For more information Please consult [our security guide](https://github.com/tens...

GHSA-g468-qj8g-vcjc: TensorFlow vulnerable to `CHECK`-fail in `tensorflow::full_type::SubstituteFromAttrs`

### Impact When [`tensorflow::full_type::SubstituteFromAttrs`](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/core/ops/math_ops.cc) receives a `FullTypeDef& t` that is not exactly three args, it triggers a `CHECK`-fail instead of returning a status. ```cpp Status SubstituteForEach(AttrMap& attrs, FullTypeDef& t) { DCHECK_EQ(t.args_size(), 3); const auto& cont = t.args(0); const auto& tmpl = t.args(1); const auto& t_var = t.args(2); ``` ### Patches We have patched the issue in GitHub commit [6104f0d4091c260ce9352f9155f7e9b725eab012](https://github.com/tensorflow/tensorflow/commit/6104f0d4091c260ce9352f9155f7e9b725eab012). The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. ### For more information Please consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more infor...

GHSA-mv8x-668m-53fg: Elrond-go has improper initialization

### Impact Read only calls between contracts can generate smart contracts results. For example, if contract A calls in read only mode contract B and the called function will make changes upon the contract's B state, the state will be altered for contract B as if the call was not made in the read-only mode. This can lead to some effects not designed by the original smart contracts programmers. ### Patches Patch v1.3.35 or higher ### Workarounds No workaround ### References For future reference and understanding of this issue, anyone can check this integration test https://github.com/ElrondNetwork/elrond-go/blob/8e402fa6d7e91e779980122d3798b2bf50892945/integrationTests/vm/txsFee/asyncESDT_test.go#L452 that proves the fix and prevents a future code regression. ### For more information If you have any questions or comments about this advisory: * Open an issue in elrond-go ([http://github.com/ElrondNetwork/elrond-go/issues](https://github.com/ElrondNetwork/elrond-go/issues))

GHSA-7j3m-8g3c-9qqq: TensorFlow vulnerable to null-dereference in `mlir::tfg::TFOp::nameAttr`

### Impact When [`mlir::tfg::TFOp::nameAttr`](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/core/ir/importexport/graphdef_import.cc) receives null type list attributes, it crashes. ```cpp StatusOr<unsigned> GraphDefImporter::ArgNumType(const NamedAttrList &attrs, const OpDef::ArgDef &arg_def, SmallVectorImpl<Type> &types) { // Check whether a type list attribute is specified. if (!arg_def.type_list_attr().empty()) { if (auto v = attrs.get(arg_def.type_list_attr()).dyn_cast<ArrayAttr>()) { for (Attribute attr : v) { if (auto dtype = attr.dyn_cast<TypeAttr>()) { types.push_back(UnrankedTensorType::get(dtype.getValue())); } else { return InvalidArgument("Expected '", arg_def.type_list_attr(), "' to be a list of types"); } } return v.size(); } return NotFound("Type at...

GHSA-rh87-q4vg-m45j: TensorFlow vulnerable to integer overflow in math ops

### Impact When [`RangeSize`](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/core/ops/math_ops.cc) receives values that do not fit into an `int64_t`, it crashes. ```cpp auto size = (std::is_integral<T>::value ? ((Eigen::numext::abs(limit - start) + Eigen::numext::abs(delta) - T(1)) / Eigen::numext::abs(delta)) : (Eigen::numext::ceil( Eigen::numext::abs((limit - start) / delta)))); // This check does not cover all cases. if (size > std::numeric_limits<int64_t>::max()) { return errors::InvalidArgument("Requires ((limit - start) / delta) <= ", std::numeric_limits<int64_t>::max()); } c->set_output(0, c->Vector(static_cast<int64_t>(size))); return Status::OK(); } ``` ### Patches We have patched the issue in GitHub commit [37e64539cd29fcfb814c4451152a60f5d107b0f0](https://github.com/tensorflow/tensorflow/commit/37e6...

GHSA-jvhc-5hhr-w3v5: TensorFlow vulnerable to assertion fail on MLIR empty edge names

### Impact When [`mlir::tfg::ConvertGenericFunctionToFunctionDef`](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/core/ir/importexport/functiondef_import.cc) is given empty function attributes, it crashes. ```cpp // We pre-allocate the array of operands and populate it using the // `output_name_to_position` and `control_output_to_position` populated // previously. SmallVector<Value> ret_vals(func.ret_size() + func.control_ret_size(), Value()); for (const auto& ret_val : func.ret()) { auto position = output_name_to_position.find(ret_val.first); if (position == output_name_to_position.end()) return InvalidArgument( "Can't import function, returned value references unknown output " "argument ", ret_val.first); ret_vals[position->second] = value_manager.GetValueOrCreatePlaceholder(ret_val.second); } for (const auto& ret_val : func.control_ret()) { auto position = control_output_to_position.find(ret_val.f...

GHSA-w62h-8xjm-fv49: TensorFlow vulnerable to `CHECK` fail in `DenseBincount`

### Impact `DenseBincount` assumes its input tensor `weights` to either have the same shape as its input tensor `input` or to be length-0. A different `weights` shape will trigger a `CHECK` fail that can be used to trigger a denial of service attack. ```python import tensorflow as tf binary_output = True input = tf.random.uniform(shape=[0, 0], minval=-10000, maxval=10000, dtype=tf.int32, seed=-2460) size = tf.random.uniform(shape=[], minval=-10000, maxval=10000, dtype=tf.int32, seed=-10000) weights = tf.random.uniform(shape=[], minval=-10000, maxval=10000, dtype=tf.float32, seed=-10000) tf.raw_ops.DenseBincount(input=input, size=size, weights=weights, binary_output=binary_output) ``` ### Patches We have patched the issue in GitHub commit [bf4c14353c2328636a18bfad1e151052c81d5f43](https://github.com/tensorflow/tensorflow/commit/bf4c14353c2328636a18bfad1e151052c81d5f43). The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2...