Security
Headlines
HeadlinesLatestCVEs

Source

ghsa

GHSA-h246-cgh4-7475: `CHECK` fail in `BCast` overflow

### Impact If [`BCast::ToShape`](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/core/util/bcast.h) is given input larger than an `int32`, it will crash, despite being supposed to handle up to an `int64`. An example can be seen in [`tf.experimental.numpy.outer`](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/core/util/bcast.h) by passing in large input to the input `b`. ```python import tensorflow as tf value = tf.constant(shape=[2, 1024, 1024, 1024], value=False) tf.experimental.numpy.outer(a=6,b=value) ``` ### Patches We have patched the issue in GitHub commit [8310bf8dd188ff780e7fc53245058215a05bdbe5](https://github.com/tensorflow/tensorflow/commit/8310bf8dd188ff780e7fc53245058215a05bdbe5). The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range. ### For more information Please consult [our security guide](https://gi...

ghsa
#vulnerability#git
GHSA-xxcj-rhqg-m46g: Segfault via invalid attributes in `pywrap_tfe_src.cc`

### Impact If a list of quantized tensors is assigned to an attribute, the pywrap code fails to parse the tensor and returns a `nullptr`, which is not caught. An example can be seen in [`tf.compat.v1.extract_volume_patches`](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/core/kernels/image/generate_box_proposals_op.cu.cc) by passing in quantized tensors as input `ksizes`. ```python import numpy as np import tensorflow as tf a_input = np.array([1, -1], dtype= np.int32) a_ksizes = a_strides = tf.constant(dtype=tf.dtypes.qint16, value=[[1, 4], [5, 2]]) tf.compat.v1.extract_volume_patches(input=a_input,ksizes=a_ksizes,strides=a_strides,padding='VALID') ``` ### Patches We have patched the issue in GitHub commit [e9e95553e5411834d215e6770c81a83a3d0866ce](https://github.com/tensorflow/tensorflow/commit/e9e95553e5411834d215e6770c81a83a3d0866ce). The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2....

GHSA-6x99-gv2v-q76v: FPE in `tf.image.generate_bounding_box_proposals`

### Impact When running on GPU, [`tf.image.generate_bounding_box_proposals`](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/core/kernels/image/generate_box_proposals_op.cu.cc) receives a `scores` input that must be of rank 4 but is not checked. ```python import tensorflow as tf a = tf.constant(value=[[1.0, 1.0], [1.0, 1.0], [1.0, 1.0], [1.0, 1.0]]) b = tf.constant(value=[1]) tf.image.generate_bounding_box_proposals(scores=a,bbox_deltas=a,image_info=a,anchors=a,pre_nms_topn=b) ``` ### Patches We have patched the issue in GitHub commit [cf35502463a88ca7185a99daa7031df60b3c1c98](https://github.com/tensorflow/tensorflow/commit/cf35502463a88ca7185a99daa7031df60b3c1c98). The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range. ### For more information Please consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/...

GHSA-8fvv-46hw-vpg3: Overflow in `tf.keras.losses.poisson`

### Impact [`tf.keras.losses.poisson`](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/python/keras/losses.py) receives a `y_pred` and `y_true` that are passed through `functor::mul` in [`BinaryOp`](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/core/kernels/cwise_ops_common.h). If the resulting dimensions overflow an `int32`, TensorFlow will crash due to a size mismatch during broadcast assignment. ```python import numpy as np import tensorflow as tf true_value = tf.reshape(shape=[1, 2500000000], tensor = tf.zeros(dtype=tf.bool, shape=[50000, 50000])) pred_value = np.array([[[-2]], [[8]]], dtype = np.float64) tf.keras.losses.poisson(y_true=true_value,y_pred=pred_value) ``` ### Patches We have patched the issue in GitHub commit [c5b30379ba87cbe774b08ac50c1f6d36df4ebb7c](https://github.com/tensorflow/tensorflow/commit/c5b30379ba87cbe774b08ac50c1f6d36df4ebb7c). The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorF...

GHSA-54pp-c6pp-7fpx: Overflow in `ImageProjectiveTransformV2`

### Impact When [`tf.raw_ops.ImageProjectiveTransformV2`](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/core/kernels/image/image_ops.cc) is given a large output shape, it overflows. ```python import tensorflow as tf interpolation = "BILINEAR" fill_mode = "REFLECT" images = tf.constant(0.184634328, shape=[2,5,8,3], dtype=tf.float32) transforms = tf.constant(0.378575385, shape=[2,8], dtype=tf.float32) output_shape = tf.constant([1879048192,1879048192], shape=[2], dtype=tf.int32) tf.raw_ops.ImageProjectiveTransformV2(images=images, transforms=transforms, output_shape=output_shape, interpolation=interpolation, fill_mode=fill_mode) ``` ### Patches We have patched the issue in GitHub commit [8faa6ea692985dbe6ce10e1a3168e0bd60a723ba](https://github.com/tensorflow/tensorflow/commit/8faa6ea692985dbe6ce10e1a3168e0bd60a723ba). The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also a...

GHSA-762h-vpvw-3rcx: Overflow in `FusedResizeAndPadConv2D`

### Impact When [`tf.raw_ops.FusedResizeAndPadConv2D`](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/core/kernels/conv_ops_fused_image_transform.cc) is given a large tensor shape, it overflows. ```python import tensorflow as tf mode = "REFLECT" strides = [1, 1, 1, 1] padding = "SAME" resize_align_corners = False input = tf.constant(147, shape=[3,3,1,1], dtype=tf.float16) size = tf.constant([1879048192,1879048192], shape=[2], dtype=tf.int32) paddings = tf.constant([3,4], shape=[2], dtype=tf.int32) filter = tf.constant(123, shape=[1,3,4,1], dtype=tf.float16) tf.raw_ops.FusedResizeAndPadConv2D(input=input, size=size, paddings=paddings, filter=filter, mode=mode, strides=strides, padding=padding, resize_align_corners=resize_align_corners) ``` ### Patches We have patched the issue in GitHub commit [d66e1d568275e6a2947de97dca7a102a211e01ce](https://github.com/tensorflow/tensorflow/commit/d66e1d568275e6a2947de97dca7a102a211e01ce). The fix will be included in TensorFlow 2.1...

GHSA-jq6x-99hj-q636: Seg fault in `ndarray_tensor_bridge` due to zero and large inputs

### Impact If a numpy array is created with a shape such that one element is zero and the others sum to a large number, an error will be raised. E.g. the following raises an error: ```python np.ones((0, 2**31, 2**31)) ``` An example of a proof of concept: ```python import numpy as np import tensorflow as tf input_val = tf.constant([1]) shape_val = np.array([i for i in range(21)]) tf.broadcast_to(input=input_val,shape=shape_val) ``` The return value of `PyArray_SimpleNewFromData`, which returns null on such shapes, is not checked. ### Patches We have patched the issue in GitHub commit [2b56169c16e375c521a3bc8ea658811cc0793784](https://github.com/tensorflow/tensorflow/commit/2b56169c16e375c521a3bc8ea658811cc0793784). The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range. ### For more information Please consult [our security guide](https://github.com/...

GHSA-w58w-79xv-6vcj: Out of bounds segmentation fault due to unequal op inputs in Tensorflow

### Impact [`tf.raw_ops.DynamicStitch`](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/core/kernels/dynamic_stitch_op.cc) specifies input sizes when it is [registered](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/core/ops/data_flow_ops.cc). ```cpp REGISTER_OP("DynamicStitch") .Input("indices: N * int32") .Input("data: N * T") .Output("merged: T") .Attr("N : int >= 1") .Attr("T : type") .SetShapeFn(DynamicStitchShapeFunction); ``` When it receives a differing number of inputs, such as when it is called with an `indices` size 1 and a `data` size 2, it will crash. ```python import tensorflow as tf # indices = 1*[tf.random.uniform([1,2], dtype=tf.dtypes.int32, maxval=100)] indices = [tf.constant([[0, 1]]),] # data = 2*[tf.random.uniform([1,2], dtype=tf.dtypes.float32, maxval=100)] data = [tf.constant([[5, 6]]), tf.constant([[7, 8]])] tf.raw_ops.DynamicStitch( indices=indices, data=data) ``` ### Patches We have patch...

GHSA-3w3h-7xgx-grwc: Leakage Aliyun KeySecret

### Impact Users of this library will be affected when using this library, the incoming secret will be disclosed unintentionally ### Patches This have already been solved. ### Workarounds No, It cannot be patched without upgrading ### References No ### For more information If you have any questions or comments about this advisory: * Email us at [email address](mailto:772364230@qq.com)

GHSA-6cqj-6969-p57x: Lack of proper validation of server UUID can be used by the server to trick the client to accept invalid proofs

### Impact immudb client SDKs use server's UUID to distinguish between different server instance so that the client can connect to different immudb instances and keep the state for multiple servers. SDK does not validate this uuid and can accept any value reported by the server. A malicious server can change the reported UUID tricking the client to treat it as a different server thus accepting a state completely irrelevant to the one previously retrieved from the server. ### Patches The following Go SDK versions are not vulnerable | **SDK** | **Version** | |-------|------------| | [go](pkg.go.dev/github.com/codenotary/immudb/pkg/client) | 1.4.1 | ### Workarounds When initializing an immudb client object, a custom state handler can be used to store the state. Providing custom implementation that ignores the server UUID can be used to ensure that even if the server changes the UUID, client will still consider it to be the same server. ### For more information If you have any ques...