SB2020102153 - Multiple vulnerabilities in TensorFlow
Published: October 21, 2020 Updated: May 4, 2026
Description
This security bulletin contains information about 3 vulnerabilities.
1) Out-of-bounds read (CVE-ID: CVE-2020-26269)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to an out-of-bounds read in filesystem glob matching in GetMatchingPaths when parsing crafted filesystem path patterns. A local user can invoke glob matching on a crafted path to cause a denial of service.
The issue occurs because directory index assumptions in the parallel implementation are not verified under certain scenarios.
2) Input validation error (CVE-ID: CVE-2020-15266)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in tf.image.crop_and_resize when processing a boxes argument with very large values. A remote attacker can supply a specially crafted boxes argument to cause a denial of service.
3) Out-of-bounds read (CVE-ID: CVE-2020-15265)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to an out-of-bounds read in tf.quantization.quantize_and_dequantize when processing an invalid axis value. A remote attacker can pass a specially crafted axis value to cause a denial of service.
In normal builds, the dimension check is compiled out, which can lead to a segmentation fault.
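For the two remotely reachable issues above (the crafted boxes argument to tf.image.crop_and_resize and the invalid axis passed to tf.quantization.quantize_and_dequantize), a caller-side guard can reject the bad inputs before they reach the native kernel. The following is an added example written for this bulletin, not TensorFlow's own fix; it assumes that axis -1 means "quantize the whole tensor" and otherwise must address an existing dimension, and it uses an arbitrary magnitude limit for box coordinates as a policy choice.

```python
import math
from typing import Sequence


def validate_quantize_axis(axis: int, rank: int) -> int:
    """Guard for the axis argument of quantize_and_dequantize.

    The vulnerable kernel only checked the axis in debug builds; in normal
    builds an out-of-range axis led to an out-of-bounds read. Assumption:
    -1 selects whole-tensor quantization, any other axis must satisfy
    0 <= axis < rank.
    """
    if not isinstance(axis, int) or isinstance(axis, bool):
        raise TypeError(f"axis must be an int, got {type(axis).__name__}")
    if rank < 0:
        raise ValueError("rank must be non-negative")
    if axis == -1 or 0 <= axis < rank:
        return axis
    raise ValueError(f"axis {axis} is out of range for a rank-{rank} tensor")


def validate_crop_boxes(boxes: Sequence[Sequence[float]],
                        max_abs: float = 1e3) -> list:
    """Guard for the boxes argument of crop_and_resize.

    Each box is [y1, x1, y2, x2] in normalized coordinates. Values a little
    outside [0, 1] are legitimate (extrapolation), so the check is a
    finiteness check plus a magnitude bound; max_abs is an assumed policy
    limit, not a TensorFlow constant. Huge values are rejected because the
    vulnerable CPU kernel turned them into NaN and then crashed.
    """
    clean = []
    for i, box in enumerate(boxes):
        if len(box) != 4:
            raise ValueError(f"box {i} must have 4 coordinates, got {len(box)}")
        vals = []
        for v in box:
            v = float(v)
            if not math.isfinite(v):
                raise ValueError(f"box {i} has a non-finite coordinate: {v}")
            if abs(v) > max_abs:
                raise ValueError(f"box {i} coordinate {v} exceeds {max_abs}")
            vals.append(v)
        clean.append(vals)
    return clean
```

Call the guards on untrusted inputs before handing them to the TensorFlow ops; rejected inputs are a signal worth logging, since they only arise from malformed or hostile requests.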
Remediation
Install the update from the vendor's website.
References
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-9jjw-hf72-3mxw
- https://github.com/tensorflow/tensorflow/commit/8b5b9dc96666a3a5d27fad7179ff215e3b74b67c
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-xwhf-g6j5-j5gc
- https://github.com/tensorflow/tensorflow/commit/c0319231333f0f16e1cc75ec83660b01fedd4182
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-rrfp-j2mp-hq9c
- https://github.com/tensorflow/tensorflow/commit/eccb7ec454e6617738554a255d77f08e60ee0808