PYSEC-2021-776

See a problem?

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/tensorflow-gpu/PYSEC-2021-776.yaml

JSON Data

https://api.osv.dev/v1/vulns/PYSEC-2021-776

Aliases

Published

2021-08-12T23:15:00Z

Modified

2023-12-06T00:46:21.404798Z

Summary

[none]

Details

TensorFlow is an end-to-end open source platform for machine learning. In affected versions due to incomplete validation in MKL implementation of requantization, an attacker can trigger undefined behavior via binding a reference to a null pointer or can access data outside the bounds of heap allocated arrays. The implementation does not validate the dimensions of the input tensor. A similar issue occurs in MklRequantizePerChannelOp. The implementation does not perform full validation for all the input arguments. We have patched the issue in GitHub commit 9e62869465573cb2d9b5053f1fa02a81fce21d69 and in the Github commit 203214568f5bc237603dbab6e1fd389f1572f5c9. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.

References

Affected packages

PyPI / tensorflow-gpu

Package

Name: tensorflow-gpu; View open source insights on deps.dev
Purl: pkg:pypi/tensorflow-gpu

Affected ranges

Type: GIT
Repo: https://github.com/tensorflow/tensorflow
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

9e62869465573cb2d9b5053f1fa02a81fce21d69

Fixed

203214568f5bc237603dbab6e1fd389f1572f5c9

Type: ECOSYSTEM
Events: Introduced

2.3.0

Fixed

2.3.4

Introduced

2.4.0

Fixed

2.4.3

Affected versions

2.*

2.3.0

2.3.1

2.3.2

2.3.3

2.4.0

2.4.1

2.4.2