Security advisory for CVE-2019-16778

PiperOrigin-RevId: 285797271 Change-Id: I2806f87472d46c4a00a1595d0dc64df3c844a1ae
2019-12-16 10:16:32 -08:00 · 2019-12-16 10:16:32 -08:00 · af398b193d
commit af398b193d
parent 98e6a1fc9d
2 changed files with 34 additions and 0 deletions
--- a/tensorflow/security/advisory/tfsa-2019-002.md
+++ b/tensorflow/security/advisory/tfsa-2019-002.md
@ -0,0 +1,33 @@
+## TFSA-2019-002: Heap buffer overflow in `UnsortedSegmentSum`
+
+### CVE Number
+
+CVE-2019-16778
+
+### Issue Description
+
+A heap buffer overflow in `UnsortedSegmentSum` can be produced when the `Index`
+template argument is `int32`. In this case `data_size` and `num_segments` fields
+are truncated from `int64` to `int32` and can produce negative numbers,
+resulting in accessing out of bounds heap memory.
+
+### Impact
+
+This is unlikely to be exploitable and was detected and fixed internally. We are
+making the security advisory only to notify users that it is better to update to
+TensorFlow 1.15 or 2.0 or later as these versions already have this fixed.
+
+### Vulnerable Versions
+
+TensorFlow 1.0.0, 1.0.1, 1.1.0, 1.2.0, 1.2.1, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.5.0,
+1.5.1, 1.6.0, 1.7.0, 1.7.1, 1.8.0, 1.9.0, 1.10.0, 1.10.1, 1.11.0, 1.12.0,
+1.12.1, 1.12.2, 1.12.3, 1.13.0, 1.13.1, 1.13.2, 1.14.0.
+
+### Mitigation
+
+We have patched the vulnerability in GitHub commit
+[db4f971](https://github.com/tensorflow/tensorflow/commit/db4f9717c41bccc3ce10099ab61996b246099892).
+
+We encourage users to switch to TensorFlow 1.15 or 2.0 as these versions contain
+the fix. If switching is undesirable, consider cherry-picking the above commit
+and building from source.
--- a/tensorflow/security/index.md
+++ b/tensorflow/security/index.md
@ -8,6 +8,7 @@ in [SECURITY.md](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.m

 | Advisory Number | Type               | Versions affected | Reported by           | Additional Information      |
 |-----------------|--------------------|:-----------------:|-----------------------|-----------------------------|
+| [TFSA-2019-002](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2019-002.md)   | Heap buffer overflow in `UnsortedSegmentSum` | <= 1.14 | (found internally) |  |
 | [TFSA-2019-001](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2019-001.md)   | Null Pointer Dereference Error in Decoding GIF Files | <= 1.12 | Baidu Security Lab |  |
 | [TFSA-2018-006](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2018-006.md)   | Crafted Configuration File results in Invalid Memory Access | <= 1.7 | Blade Team of Tencent |  |
 | [TFSA-2018-005](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2018-005.md)   | Old Snappy Library Usage Resulting in Memcpy Parameter Overlap | <= 1.7 | Blade Team of Tencent |  |