From af398b193d039f986d7642bb4b9fba5808e84cbc Mon Sep 17 00:00:00 2001
From: Mihai Maruseac <mihaimaruseac@google.com>
Date: Mon, 16 Dec 2019 10:16:32 -0800
Subject: [PATCH] Security advisory for CVE-2019-16778

PiperOrigin-RevId: 285797271
Change-Id: I2806f87472d46c4a00a1595d0dc64df3c844a1ae
---
 tensorflow/security/advisory/tfsa-2019-002.md | 33 +++++++++++++++++++
 tensorflow/security/index.md                  |  1 +
 2 files changed, 34 insertions(+)
 create mode 100644 tensorflow/security/advisory/tfsa-2019-002.md

diff --git a/tensorflow/security/advisory/tfsa-2019-002.md b/tensorflow/security/advisory/tfsa-2019-002.md
new file mode 100644
index 00000000000..74760c11f64
--- /dev/null
+++ b/tensorflow/security/advisory/tfsa-2019-002.md
@@ -0,0 +1,33 @@
+## TFSA-2019-002: Heap buffer overflow in `UnsortedSegmentSum`
+
+### CVE Number
+
+CVE-2019-16778
+
+### Issue Description
+
+A heap buffer overflow in `UnsortedSegmentSum` can be produced when the `Index`
+template argument is `int32`. In this case `data_size` and `num_segments` fields
+are truncated from `int64` to `int32` and can produce negative numbers,
+resulting in accessing out of bounds heap memory.
+
+### Impact
+
+This is unlikely to be exploitable and was detected and fixed internally. We are
+making the security advisory only to notify users that it is better to update to
+TensorFlow 1.15 or 2.0 or later as these versions already have this fixed.
+
+### Vulnerable Versions
+
+TensorFlow 1.0.0, 1.0.1, 1.1.0, 1.2.0, 1.2.1, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.5.0,
+1.5.1, 1.6.0, 1.7.0, 1.7.1, 1.8.0, 1.9.0, 1.10.0, 1.10.1, 1.11.0, 1.12.0,
+1.12.1, 1.12.2, 1.12.3, 1.13.0, 1.13.1, 1.13.2, 1.14.0.
+
+### Mitigation
+
+We have patched the vulnerability in GitHub commit
+[db4f971](https://github.com/tensorflow/tensorflow/commit/db4f9717c41bccc3ce10099ab61996b246099892).
+
+We encourage users to switch to TensorFlow 1.15 or 2.0 as these versions contain
+the fix. If switching is undesirable, consider cherry-picking the above commit
+and building from source.
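Review bot: The Impact section says the issue is "unlikely to be exploitable" without giving a reason, and the Issue Description does not say what input makes the `int64` to `int32` truncation of `data_size` and `num_segments` go negative. One sentence on the triggering condition would let users who cannot upgrade judge their exposure. Two smaller points: Impact recommends "1.15 or 2.0 or later" while Mitigation says "1.15 or 2.0", so the wording should match; and Vulnerable Versions enumerates individual releases up to 1.14.0, whereas the index row in this same patch says "<= 1.14", so a range statement in the advisory would keep the two consistent.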
diff --git a/tensorflow/security/index.md b/tensorflow/security/index.md
index e28f8ff0f87..2a496c2f087 100644
--- a/tensorflow/security/index.md
+++ b/tensorflow/security/index.md
@@ -8,6 +8,7 @@ in [SECURITY.md](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.m
 
 | Advisory Number | Type               | Versions affected | Reported by           | Additional Information      |
 |-----------------|--------------------|:-----------------:|-----------------------|-----------------------------|
+| [TFSA-2019-002](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2019-002.md)   | Heap buffer overflow in `UnsortedSegmentSum` | <= 1.14 | (found internally) |  |
 | [TFSA-2019-001](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2019-001.md)   | Null Pointer Dereference Error in Decoding GIF Files | <= 1.12 | Baidu Security Lab |  |
 | [TFSA-2018-006](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2018-006.md)   | Crafted Configuration File results in Invalid Memory Access | <= 1.7 | Blade Team of Tencent |  |
 | [TFSA-2018-005](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2018-005.md)   | Old Snappy Library Usage Resulting in Memcpy Parameter Overlap | <= 1.7 | Blade Team of Tencent |  |
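Review bot: The added TFSA-2019-002 row leaves the "Additional Information" cell empty even though the advisory has an assigned CVE; putting CVE-2019-16778 there would make the index searchable by CVE number. As a style point, the Type cell uses sentence case ("Heap buffer overflow in ...") while the neighbouring rows use title case ("Null Pointer Dereference Error in Decoding GIF Files"), so consider matching the existing rows.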