experiments/STT-tensorflow
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
mm-llvm-bazel
STT-tensorflow/tensorflow/security/advisory/tfsa-2018-006.md
Frank Chen ff28cfe18d Fix links in the TensorFlow Security Advisories 
PiperOrigin-RevId: 198762795
2018-05-31 12:41:55 -07:00

1.0 KiB
Raw Permalink Blame History

TFSA-2018-006: Crafted Configuration File results in Invalid Memory Access

CVE Number

CVE-2018-10055

Issue Description

A maliciously crafted configuration file passed into the TensorFlow XLA compiler could cause an invalid memory access and/or a heap buffer overflow.

Impact

A maliciously crafted configuration file could cause TensorFlow to crash or read from other parts of its process memory.

Vulnerable Versions

TensorFlow 1.1.0, 1.2.0, 1.2.1, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.5.0, 1.5.1, 1.6.0, 1.7.0

Mitigation

We have patched the vulnerability in GitHub commit c89ab82a.

If users are loading untrusted configurations in TensorFlow, we encourage users to apply the patch to upgrade snappy or upgrade the version of TensorFlow they are currently using.

Additionally, we have released TensorFlow version 1.7.1 to mitigate this vulnerability.

Credits

This issue was discovered by the Blade Team of Tencent.