PYSEC-2021-503

See a problem?

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/tensorflow-cpu/PYSEC-2021-503.yaml

JSON Data

https://api.test.osv.dev/v1/vulns/PYSEC-2021-503

Aliases

Published

2021-05-14T20:15:00Z

Modified

2023-12-06T00:46:05.510869Z

Summary

[none]

Details

TensorFlow is an end-to-end open source platform for machine learning. The implementation of tf.raw_ops.ReverseSequence allows for stack overflow and/or CHECK-fail based denial of service. The implementation(https://github.com/tensorflow/tensorflow/blob/5b3b071975e01f0d250c928b2a8f901cd53b90a7/tensorflow/core/kernels/reversesequenceop.cc#L114-L118) fails to validate that seq_dim and batch_dim arguments are valid. Negative values for seq_dim can result in stack overflow or CHECK-failure, depending on the version of Eigen code used to implement the operation. Similar behavior can be exhibited by invalid values of batch_dim. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

References

Affected packages

PyPI / tensorflow-cpu

Package

Name: tensorflow-cpu; View open source insights on deps.dev
Purl: pkg:pypi/tensorflow-cpu

Affected ranges

Type: GIT
Repo: https://github.com/tensorflow/tensorflow
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

ecf768cbe50cedc0a45ce1ee223146a3d3d26d23

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.2.0rc0

Introduced

2.2.0

Fixed

2.2.3

Introduced

2.3.0

Fixed

2.3.3

Introduced

2.4.0

Fixed

2.4.2

Affected versions

1.*

1.15.0

2.*

2.1.0

2.1.1

2.1.2

2.1.3

2.1.4

2.2.0

2.2.1

2.2.2

2.3.0

2.3.1

2.3.2

2.4.0

2.4.1