Linux Security

    ArchLinux: 202012-22: tensorflow: multiple issues

    Date 31 Dec 2020
    Posted By LinuxSecurity Advisories
    The package tensorflow before version 2.4.0-1 is vulnerable to multiple issues including information disclosure and denial of service.
    Arch Linux Security Advisory ASA-202012-22
    ==========================================
    
    Severity: Critical
    Date    : 2020-12-16
    CVE-ID  : CVE-2020-26266 CVE-2020-26267 CVE-2020-26268 CVE-2020-26269
              CVE-2020-26270 CVE-2020-26271
    Package : tensorflow
    Type    : multiple issues
    Remote  : No
    Link    : https://security.archlinux.org/AVG-1348
    
    Summary
    =======
    
    The package tensorflow before version 2.4.0-1 is vulnerable to multiple
    issues including information disclosure and denial of service.
    
    Resolution
    ==========
    
    Upgrade to 2.4.0-1.
    
    # pacman -Syu "tensorflow>=2.4.0-1"
    
    The problems have been fixed upstream in version 2.4.0.
    
    Workaround
    ==========
    
    None.
    
    Description
    ===========
    
    - CVE-2020-26266 (information disclosure)
    
    In affected versions of TensorFlow under certain cases a saved model
    can trigger use of uninitialized values during code execution. This is
    caused by having tensor buffers be filled with the default value of the
    type but forgetting to default initialize the quantized floating point
    types in Eigen. This is fixed in versions 1.15.5, 2.0.4, 2.1.3, 2.2.2,
    2.3.2, and 2.4.0.
    
    - CVE-2020-26267 (information disclosure)
    
    In affected versions of TensorFlow the tf.raw_ops.DataFormatVecPermute
    API does not validate the src_format and dst_format attributes. The
    code assumes that these two arguments define a permutation of NHWC.
    This can result in uninitialized memory accesses, read outside of
    bounds and even crashes. This is fixed in versions 1.15.5, 2.0.4,
    2.1.3, 2.2.2, 2.3.2, and 2.4.0.
    
    - CVE-2020-26268 (denial of service)
    
    In affected versions of TensorFlow the tf.raw_ops.ImmutableConst
    operation returns a constant tensor created from a memory mapped file
    which is assumed immutable. However, if the type of the tensor is not
    an integral type, the operation crashes the Python interpreter as it
    tries to write to the memory area. If the file is too small, TensorFlow
    properly returns an error as the memory area has fewer bytes than what
    is needed for the tensor it creates. However, as soon as there are
    enough bytes, the operation causes a segmentation fault. This is
    because the allocator used to return the buffer data is not marked as
    returning an opaque handle since the needed virtual method is not
    overridden. This is fixed in versions 1.15.5, 2.0.4, 2.1.3, 2.2.2,
    2.3.2, and 2.4.0.
    
    - CVE-2020-26269 (information disclosure)
    
    In TensorFlow release candidate versions 2.4.0rc*, the general
    implementation for matching filesystem paths to a globbing pattern is
    vulnerable to an access out of bounds of the array holding the
    directories. There are multiple invariants and preconditions that are
    assumed by the parallel implementation of GetMatchingPaths but are not
    verified by the PRs introducing it (#40861 and #44310). Thus, we are
    completely rewriting the implementation to fully specify and validate
    these. This is patched in version 2.4.0. This issue only impacts the
    master branch and the release candidates for TF version 2.4. The final
    2.4 release will be patched.
    
    - CVE-2020-26270 (denial of service)
    
    In affected versions of TensorFlow running an LSTM/GRU model where the
    LSTM/GRU layer receives an input with zero-length results in a CHECK
    failure when using the CUDA backend. This can result in a query-of-
    death vulnerability, via denial of service, if users can control the
    input to the layer. This is fixed in versions 1.15.5, 2.0.4, 2.1.3,
    2.2.2, 2.3.2, and 2.4.0.
    
    - CVE-2020-26271 (information disclosure)
    
    In affected versions of TensorFlow under certain cases, loading a saved
    model can result in accessing uninitialized memory while building the
    computation graph. The MakeEdge function creates an edge between one
    output tensor of the src node (given by output_index) and the input
    slot of the dst node (given by input_index). This is only possible if
    the types of the tensors on both sides coincide, so the function begins
    by obtaining the corresponding DataType values and comparing these for
    equality. However, there is no check that the indices point to inside
    of the arrays they index into. Thus, this can result in accessing data
    out of bounds of the corresponding heap allocated arrays. In most
    scenarios, this can manifest as uninitialized data access, but if the
    index points far away from the boundaries of the arrays this can be
    used to leak addresses from the library. This is fixed in versions
    1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2, and 2.4.0.
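
The missing attribute validation described under CVE-2020-26267, shown as an added example that is not TensorFlow's code: a format string is accepted only if it is a permutation of NHWC, and the permutation runs only after both attributes pass. `IsPermutationOfNHWC` and `PermuteVec` are hypothetical names for this sketch.

```cpp
#include <algorithm>
#include <array>
#include <cstddef>
#include <string>

// True only if fmt contains each of N, H, W and C exactly once.
bool IsPermutationOfNHWC(const std::string& fmt) {
  if (fmt.size() != 4) return false;
  std::string sorted = fmt;
  std::sort(sorted.begin(), sorted.end());
  return sorted == "CHNW";  // "NHWC" with its letters in ASCII order
}

// Hypothetical stand-in for the op: reorders a 4-element vector from
// src_format order to dst_format order. Returns false and leaves *out
// untouched when either attribute fails validation.
bool PermuteVec(const std::string& src_format, const std::string& dst_format,
                const std::array<int, 4>& x, std::array<int, 4>* out) {
  if (!IsPermutationOfNHWC(src_format) || !IsPermutationOfNHWC(dst_format))
    return false;
  std::array<int, 4> result{};
  for (std::size_t i = 0; i < 4; ++i) {
    // After validation every dst letter exists in src, so find() cannot
    // return npos and the index below is always in [0, 4).
    std::size_t j = src_format.find(dst_format[i]);
    result[i] = x[j];
  }
  *out = result;
  return true;
}
```

Without the validation step, a letter missing from `src_format` would leave the lookup index unset, which is the uninitialized or out-of-bounds read the advisory describes.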
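
The index check that the CVE-2020-26271 description says is missing, as an added example that is not TensorFlow's code: both indices are range-checked before the per-slot DataType values are read and compared. `Node`, `Edge`, `EdgeStatus` and `CheckedMakeEdge` are simplified, hypothetical stand-ins for the graph structures.

```cpp
#include <cstddef>
#include <vector>

enum class DataType { kFloat, kInt32, kString };  // stand-in type tags

// Simplified node: one DataType per input slot and per output tensor.
struct Node {
  std::vector<DataType> input_types;
  std::vector<DataType> output_types;
};

struct Edge {
  const Node* src;
  int output_index;
  const Node* dst;
  int input_index;
};

enum class EdgeStatus { kOk, kBadOutputIndex, kBadInputIndex, kTypeMismatch };

static bool InRange(int index, std::size_t size) {
  return index >= 0 && static_cast<std::size_t>(index) < size;
}

// Connects output `output_index` of src to input `input_index` of dst.
// The range checks run first, so the type lookups below can never read
// outside the heap-allocated arrays, whatever a loaded model supplies.
EdgeStatus CheckedMakeEdge(const Node& src, int output_index, const Node& dst,
                           int input_index, std::vector<Edge>* edges) {
  if (!InRange(output_index, src.output_types.size()))
    return EdgeStatus::kBadOutputIndex;
  if (!InRange(input_index, dst.input_types.size()))
    return EdgeStatus::kBadInputIndex;
  if (src.output_types[output_index] != dst.input_types[input_index])
    return EdgeStatus::kTypeMismatch;
  edges->push_back(Edge{&src, output_index, &dst, input_index});
  return EdgeStatus::kOk;
}
```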
    
    Impact
    ======
    
    An attacker might be able to cause a denial of service or access
    sensitive information.
    
    References
    ==========
    
    https://github.com/tensorflow/tensorflow/security/advisories/GHSA-qhxx-j73r-qpm2
    https://github.com/tensorflow/tensorflow/commit/1b3546b184a42ca69b5d094131afd5ff0072d83e
    https://github.com/tensorflow/tensorflow/security/advisories/GHSA-c9f3-9wfr-wgh7
    https://github.com/tensorflow/tensorflow/commit/ffea0239373512240bb17101b5a5992de26aa5a4
    https://github.com/tensorflow/tensorflow/security/advisories/GHSA-hhvc-g5hv-48c6
    https://github.com/tensorflow/tensorflow/commit/eccdffd4ba5604fd53bcc48a9b20490dd7b732b4
    https://github.com/tensorflow/tensorflow/security/advisories/GHSA-9jjw-hf72-3mxw
    https://github.com/tensorflow/tensorflow/commit/18d54d15864eaa8b163183786d05c6bd8b47ba28
    https://github.com/tensorflow/tensorflow/security/advisories/GHSA-m648-33qf-v3gp
    https://github.com/tensorflow/tensorflow/commit/b550171e78e0a085b208d6a3b8b29ed29faa97ae
    https://github.com/tensorflow/tensorflow/security/advisories/GHSA-q263-fvxm-m5mw
    https://github.com/tensorflow/tensorflow/commit/7664e65c2c0fcda6b9d833acbb1b77c5d32e0555
    https://security.archlinux.org/CVE-2020-26266
    https://security.archlinux.org/CVE-2020-26267
    https://security.archlinux.org/CVE-2020-26268
    https://security.archlinux.org/CVE-2020-26269
    https://security.archlinux.org/CVE-2020-26270
    https://security.archlinux.org/CVE-2020-26271
    
