34 lines
919 B
Markdown
34 lines
919 B
Markdown
## TFSA-2018-002: GIF File Parsing Null Pointer Dereference Error
|
|
|
|
### CVE Number
|
|
|
|
CVE-2018-7576
|
|
|
|
### Issue Description
|
|
|
|
When parsing certain invalid GIF files, an internal function in the GIF decoder
|
|
returned a null pointer, which was subsequently used as an argument to strcat.
|
|
|
|
### Impact
|
|
|
|
A maliciously crafted GIF could be used to cause the TensorFlow process to
|
|
crash.
|
|
|
|
### Vulnerable Versions
|
|
|
|
TensorFlow 1.0.0, 1.0.1, 1.1.0, 1.2.0, 1.2.1, 1.3.0, 1.3.1, 1 1.4.1, 1.5.0, 1.5.1
|
|
|
|
### Mitigation
|
|
|
|
We have patched the vulnerability in GitHub commit
|
|
[c4843158](https://github.com/tensorflow/tensorflow/commit/c48431588e7cf8aff61d4c299231e3e925144df8).
|
|
If users are running TensorFlow in production or on untrusted data, they are
|
|
encouraged to apply this patch.
|
|
|
|
Additionally, this patch has already been integrated into TensorFlow 1.6.0 and
|
|
newer.
|
|
|
|
### Credits
|
|
|
|
This issue was discovered by the Blade Team of Tencent.
|