Patch: TensorFlow has a heap out-of-buffer read vulnerability in the QuantizeAndDequantize operation #126

Open. Wants to merge 2 commits into base: main.

Conversation

alwell-kevin

Attackers using Tensorflow can exploit the vulnerability. They can access heap memory which is not in the control of user, leading to a crash or RCE.
When axis is larger than the dim of input, c->Dim(input,axis) goes out of bounds.
Same problem occurs in the QuantizeAndDequantizeV2/V3/V4/V4Grad operations too.
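To make the report above concrete from the defender's side, here is an added example (written for this page, not code from the PR or from TensorFlow) of the rank check that should run before any c->Dim(input, axis) lookup. The Shape struct, Status enum and function names are constructed stand-ins for the shape-inference context, and the convention that axis == -1 means whole-tensor quantization is an assumption, not something the PR states.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Constructed stand-in for a shape-inference context. This is example code
// written for this page, not TensorFlow's InferenceContext; it only models
// the axis-vs-rank relationship the report above describes.
struct Shape {
    std::vector<int64_t> dims;  // one entry per dimension of the input tensor
    int rank() const { return static_cast<int>(dims.size()); }
};

enum class Status { kOk, kInvalidArgument };

// Validates the `axis` attribute before any dimension lookup happens.
// Convention assumed here: axis == -1 means "no per-channel axis" (per-tensor
// quantization); otherwise axis must index an existing dimension of input.
Status CheckAxis(const Shape& input, int axis, std::string* err) {
    if (axis < -1) {
        *err = "axis must be -1 or a non-negative dimension index";
        return Status::kInvalidArgument;
    }
    if (axis != -1 && axis >= input.rank()) {
        *err = "axis " + std::to_string(axis) +
               " is out of range for an input of rank " +
               std::to_string(input.rank());
        return Status::kInvalidArgument;
    }
    return Status::kOk;
}

// The unchecked pattern from the report, shown for contrast: indexing
// dims[axis] without first comparing axis to the rank reads past the end of
// the dimension array. It is only ever called here after CheckAxis passed.
int64_t UncheckedDim(const Shape& input, int axis) {
    return input.dims[static_cast<size_t>(axis)];
}

// Hardened shape inference: the rank check runs first, so the dimension read
// can only see a valid index. Writes the size of the quantization axis, or
// -1 when axis == -1 (whole-tensor quantization).
Status InferAxisDim(const Shape& input, int axis, int64_t* dim, std::string* err) {
    Status s = CheckAxis(input, axis, err);
    if (s != Status::kOk) return s;
    *dim = (axis == -1) ? -1 : UncheckedDim(input, axis);  // safe: axis < rank here
    return Status::kOk;
}

// Convenience wrapper for demos and tests: axis size on success, -2 on rejection.
int64_t DimOrSentinel(const Shape& input, int axis) {
    int64_t dim = 0;
    std::string err;
    return InferAxisDim(input, axis, &dim, &err) == Status::kOk ? dim : -2;
}

int main() {
    Shape input{{2, 3, 4}};  // constructed rank-3 input
    for (int axis : {-2, -1, 0, 1, 2, 3, 100}) {
        int64_t dim = 0;
        std::string err;
        if (InferAxisDim(input, axis, &dim, &err) == Status::kOk)
            std::printf("axis %d -> dim %lld\n", axis, static_cast<long long>(dim));
        else
            std::printf("axis %d rejected: %s\n", axis, err.c_str());
    }
    return 0;
}
```

The point of ordering matters: the rejection happens at attribute validation, before any shape or buffer is touched, which is what turns an out-of-bounds read into an InvalidArgument error the caller can see. The same check applies unchanged to each of the V2/V3/V4/V4Grad variants the report lists, since they share the axis attribute.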

dependabot bot and others added 2 commits April 3, 2023 17:30
Bumps [tensorflow](https://github.com/tensorflow/tensorflow) from 2.9.3 to 2.11.1.
- [Release notes](https://github.com/tensorflow/tensorflow/releases)
- [Changelog](https://github.com/tensorflow/tensorflow/blob/master/RELEASE.md)
- [Commits](tensorflow/tensorflow@v2.9.3...v2.11.1)

---
updated-dependencies:
- dependency-name: tensorflow
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
…low-2.11.1

Bump tensorflow from 2.9.3 to 2.11.1 in /images

CLAassistant commented Apr 3, 2023

CLA assistant check
All committers have signed the CLA.


@mihaimaruseac mihaimaruseac left a comment


This will now need to be updated to an even newer version
