CVE-2021-41195 - log

CVE-2021-41195 created at 06 Nov 2021 00:12:33
Severity
+ Medium
Remote
+ Local
Type
+ Denial of service
Description
+ In TensorFlow before version 2.6.1, the implementation of tf.math.segment_* operations results in a CHECK-fail related abort (and denial of service) if a segment id in segment_ids is large. This is similar to CVE-2021-29584 (and similar other reported vulnerabilities in TensorFlow, localized to specific APIs): the implementation (both on CPU and GPU) computes the output shape using AddDim. However, if the number of elements in the tensor overflows an int64_t value, AddDim results in a CHECK failure which provokes a std::abort. Instead, code should use AddDimWithStatus.
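The difference between an aborting dimension append and a status-returning one, as an added example that is not TensorFlow's code: `Shape`, `SegmentOutputShape` and the error strings are hypothetical stand-ins, and the output shape is assumed to be `[max_segment_id + 1, inner_dims...]`.

```cpp
#include <cstdint>
#include <limits>
#include <string>
#include <vector>

// Hypothetical stand-in for a tensor shape (not TensorFlow's TensorShape).
class Shape {
 public:
  // Status-returning dimension append: on a negative dimension or when the
  // element count would exceed int64_t, it sets *err and returns false,
  // leaving the shape unchanged, instead of aborting the process.
  bool AddDimWithStatus(int64_t dim, std::string* err) {
    const int64_t kMax = std::numeric_limits<int64_t>::max();
    if (dim < 0) { *err = "negative dimension"; return false; }
    if (dim != 0 && num_elements_ > kMax / dim) {
      *err = "element count overflows int64_t";
      return false;
    }
    dims_.push_back(dim);
    num_elements_ *= dim;
    return true;
  }
  int64_t num_elements() const { return num_elements_; }

 private:
  std::vector<int64_t> dims_;
  int64_t num_elements_ = 1;
};

// Output shape of a segment reduction: [max_segment_id + 1, inner_dims...].
// *out is written only when every dimension was accepted.
bool SegmentOutputShape(int64_t max_segment_id,
                        const std::vector<int64_t>& inner_dims,
                        Shape* out, std::string* err) {
  if (max_segment_id < 0 ||
      max_segment_id == std::numeric_limits<int64_t>::max()) {
    *err = "segment id out of range";
    return false;
  }
  Shape s;
  if (!s.AddDimWithStatus(max_segment_id + 1, err)) return false;
  for (int64_t d : inner_dims)
    if (!s.AddDimWithStatus(d, err)) return false;
  *out = s;
  return true;
}
```

A caller that gets `false` can reject the request with an invalid-argument error while the process keeps serving other work.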
References
+ https://github.com/tensorflow/tensorflow/security/advisories/GHSA-cq76-mxrc-vchh
+ https://github.com/tensorflow/tensorflow/issues/46888
+ https://github.com/tensorflow/tensorflow/pull/51733
+ https://github.com/tensorflow/tensorflow/commit/e9c81c1e1a9cd8dd31f4e83676cab61b60658429
Notes