Subject: [ASA-202012-22] tensorflow: multiple issues Arch Linux Security Advisory ASA-202012-22 ========================================== Severity: Critical Date : 2020-12-16 CVE-ID : CVE-2020-26266 CVE-2020-26267 CVE-2020-26268 CVE-2020-26269 CVE-2020-26270 CVE-2020-26271 Package : tensorflow Type : multiple issues Remote : No Link : https://security.archlinux.org/AVG-1348 Summary ======= The package tensorflow before version 2.4.0-1 is vulnerable to multiple issues including information disclosure and denial of service. Resolution ========== Upgrade to 2.4.0-1. # pacman -Syu "tensorflow>=2.4.0-1" The problems have been fixed upstream in version 2.4.0. Workaround ========== None. Description =========== - CVE-2020-26266 (information disclosure) In affected versions of TensorFlow under certain cases a saved model can trigger use of uninitialized values during code execution. This is caused by having tensor buffers be filled with the default value of the type but forgetting to default initialize the quantized floating point types in Eigen. This is fixed in versions 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2, and 2.4.0. - CVE-2020-26267 (information disclosure) In affected versions of TensorFlow the tf.raw_ops.DataFormatVecPermute API does not validate the src_format and dst_format attributes. The code assumes that these two arguments define a permutation of NHWC. This can result in uninitialized memory accesses, read outside of bounds and even crashes. This is fixed in versions 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2, and 2.4.0. - CVE-2020-26268 (denial of service) In affected versions of TensorFlow the tf.raw_ops.ImmutableConst operation returns a constant tensor created from a memory mapped file which is assumed immutable. However, if the type of the tensor is not an integral type, the operation crashes the Python interpreter as it tries to write to the memory area. If the file is too small, TensorFlow properly returns an error as the memory area has fewer bytes than what is needed for the tensor it creates. However, as soon as there are enough bytes, the above snippet causes a segmentation fault. This is because the allocator used to return the buffer data is not marked as returning an opaque handle since the needed virtual method is not overridden. This is fixed in versions 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2, and 2.4.0. - CVE-2020-26269 (information disclosure) In TensorFlow release candidate versions 2.4.0rc*, the general implementation for matching filesystem paths to globbing pattern is vulnerable to an access out of bounds of the array holding the directories. There are multiple invariants and preconditions that are assumed by the parallel implementation of GetMatchingPaths but are not verified by the PRs introducing it (#40861 and #44310). Thus, we are completely rewriting the implementation to fully specify and validate these. This is patched in version 2.4.0. This issue only impacts master branch and the release candidates for TF version 2.4. The final release of the 2.4 release will be patched. - CVE-2020-26270 (denial of service) In affected versions of TensorFlow running an LSTM/GRU model where the LSTM/GRU layer receives an input with zero-length results in a CHECK failure when using the CUDA backend. This can result in a query-of- death vulnerability, via denial of service, if users can control the input to the layer. This is fixed in versions 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2, and 2.4.0. - CVE-2020-26271 (information disclosure) In affected versions of TensorFlow under certain cases, loading a saved model can result in accessing uninitialized memory while building the computation graph. The MakeEdge function creates an edge between one output tensor of the src node (given by output_index) and the input slot of the dst node (given by input_index). This is only possible if the types of the tensors on both sides coincide, so the function begins by obtaining the corresponding DataType values and comparing these for equality. However, there is no check that the indices point to inside of the arrays they index into. Thus, this can result in accessing data out of bounds of the corresponding heap allocated arrays. In most scenarios, this can manifest as unitialized data access, but if the index points far away from the boundaries of the arrays this can be used to leak addresses from the library. This is fixed in versions 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2, and 2.4.0. Impact ====== An attacker might be able to cause a denial of service or access sensitive information. References ========== https://github.com/tensorflow/tensorflow/security/advisories/GHSA-qhxx-j73r-qpm2 https://github.com/tensorflow/tensorflow/commit/1b3546b184a42ca69b5d094131afd5ff0072d83e https://github.com/tensorflow/tensorflow/security/advisories/GHSA-c9f3-9wfr-wgh7 https://github.com/tensorflow/tensorflow/commit/ffea0239373512240bb17101b5a5992de26aa5a4 https://github.com/tensorflow/tensorflow/security/advisories/GHSA-hhvc-g5hv-48c6 https://github.com/tensorflow/tensorflow/commit/eccdffd4ba5604fd53bcc48a9b20490dd7b732b4 https://github.com/tensorflow/tensorflow/security/advisories/GHSA-9jjw-hf72-3mxw https://github.com/tensorflow/tensorflow/commit/18d54d15864eaa8b163183786d05c6bd8b47ba28 https://github.com/tensorflow/tensorflow/security/advisories/GHSA-m648-33qf-v3gp https://github.com/tensorflow/tensorflow/commit/b550171e78e0a085b208d6a3b8b29ed29faa97ae https://github.com/tensorflow/tensorflow/security/advisories/GHSA-q263-fvxm-m5mw https://github.com/tensorflow/tensorflow/commit/7664e65c2c0fcda6b9d833acbb1b77c5d32e0555 https://security.archlinux.org/CVE-2020-26266 https://security.archlinux.org/CVE-2020-26267 https://security.archlinux.org/CVE-2020-26268 https://security.archlinux.org/CVE-2020-26269 https://security.archlinux.org/CVE-2020-26270 https://security.archlinux.org/CVE-2020-26271