PYSEC-2021-271

See a problem?

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/tensorflow/PYSEC-2021-271.yaml

JSON Data

https://api.osv.dev/v1/vulns/PYSEC-2021-271

Aliases

Published

2021-08-12T19:15:00Z

Modified

2023-12-06T00:46:20.443959Z

Summary

[none]

Details

TensorFlow is an end-to-end open source platform for machine learning. The code for tf.raw_ops.UncompressElement can be made to trigger a null pointer dereference. The implementation obtains a pointer to a CompressedElement from a Variant tensor and then proceeds to dereference it for decompressing. There is no check that the Variant tensor contained a CompressedElement, so the pointer is actually nullptr. We have patched the issue in GitHub commit 7bdf50bb4f5c54a4997c379092888546c97c3ebd. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.

References

Affected packages

PyPI / tensorflow

Package

Name: tensorflow; View open source insights on deps.dev
Purl: pkg:pypi/tensorflow

Affected ranges

Type: GIT
Repo: https://github.com/tensorflow/tensorflow
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

7bdf50bb4f5c54a4997c379092888546c97c3ebd

Type: ECOSYSTEM
Events: Introduced

2.3.0

Fixed

2.3.4

Introduced

2.4.0

Fixed

2.4.3

Affected versions

2.*

2.3.0

2.3.1

2.3.2

2.3.3

2.4.0

2.4.1

2.4.2