[ASA-202012-22] tensorflow: multiple issues

Morten Linderud foxboron at archlinux.org
Thu Dec 31 13:13:40 UTC 2020

Arch Linux Security Advisory ASA-202012-22

Severity: Critical
Date    : 2020-12-16
CVE-ID  : CVE-2020-26266 CVE-2020-26267 CVE-2020-26268 CVE-2020-26269
          CVE-2020-26270 CVE-2020-26271
Package : tensorflow
Type    : multiple issues
Remote  : No
Link    : https://security.archlinux.org/AVG-1348


The package tensorflow before version 2.4.0-1 is vulnerable to multiple
issues including information disclosure and denial of service.


Upgrade to 2.4.0-1.

# pacman -Syu "tensorflow>=2.4.0-1"

The problems have been fixed upstream in version 2.4.0.




- CVE-2020-26266 (information disclosure)

In affected versions of TensorFlow under certain cases a saved model
can trigger use of uninitialized values during code execution. This is
caused by having tensor buffers be filled with the default value of the
type but forgetting to default initialize the quantized floating point
types in Eigen. This is fixed in versions 1.15.5, 2.0.4, 2.1.3, 2.2.2,
2.3.2, and 2.4.0.

- CVE-2020-26267 (information disclosure)

In affected versions of TensorFlow the tf.raw_ops.DataFormatVecPermute
API does not validate the src_format and dst_format attributes. The
code assumes that these two arguments define a permutation of NHWC.
This can result in uninitialized memory accesses, read outside of
bounds and even crashes. This is fixed in versions 1.15.5, 2.0.4,
2.1.3, 2.2.2, 2.3.2, and 2.4.0.

- CVE-2020-26268 (denial of service)

In affected versions of TensorFlow the tf.raw_ops.ImmutableConst
operation returns a constant tensor created from a memory mapped file
which is assumed immutable. However, if the type of the tensor is not
an integral type, the operation crashes the Python interpreter as it
tries to write to the memory area. If the file is too small, TensorFlow
properly returns an error as the memory area has fewer bytes than what
is needed for the tensor it creates. However, as soon as there are
enough bytes, the above snippet causes a segmentation fault. This is
because the allocator used to return the buffer data is not marked as
returning an opaque handle since the needed virtual method is not
overridden. This is fixed in versions 1.15.5, 2.0.4, 2.1.3, 2.2.2,
2.3.2, and 2.4.0.

- CVE-2020-26269 (information disclosure)

In TensorFlow release candidate versions 2.4.0rc*, the general
implementation for matching filesystem paths to globbing pattern is
vulnerable to an access out of bounds of the array holding the
directories. There are multiple invariants and preconditions that are
assumed by the parallel implementation of GetMatchingPaths but are not
verified by the PRs introducing it (#40861 and #44310). Thus, we are
completely rewriting the implementation to fully specify and validate
these. This is patched in version 2.4.0. This issue only impacts master
branch and the release candidates for TF version 2.4. The final release
of the 2.4 release will be patched.

- CVE-2020-26270 (denial of service)

In affected versions of TensorFlow running an LSTM/GRU model where the
LSTM/GRU layer receives an input with zero-length results in a CHECK
failure when using the CUDA backend. This can result in a query-of-
death vulnerability, via denial of service, if users can control the
input to the layer. This is fixed in versions 1.15.5, 2.0.4, 2.1.3,
2.2.2, 2.3.2, and 2.4.0.

- CVE-2020-26271 (information disclosure)

In affected versions of TensorFlow under certain cases, loading a saved
model can result in accessing uninitialized memory while building the
computation graph. The MakeEdge function creates an edge between one
output tensor of the src node (given by output_index) and the input
slot of the dst node (given by input_index). This is only possible if
the types of the tensors on both sides coincide, so the function begins
by obtaining the corresponding DataType values and comparing these for
equality. However, there is no check that the indices point to inside
of the arrays they index into. Thus, this can result in accessing data
out of bounds of the corresponding heap allocated arrays. In most
scenarios, this can manifest as unitialized data access, but if the
index points far away from the boundaries of the arrays this can be
used to leak addresses from the library. This is fixed in versions
1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2, and 2.4.0.


An attacker might be able to cause a denial of service or access
sensitive information.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20201231/ef0a8c7d/attachment-0001.sig>

More information about the arch-security mailing list