Bug 717724

Summary: sci-libs/tensorflow: Denial of service vulnerability (CVE-2020-5215)
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: ajak, kfm, perfinion
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: ~3 [noglsa cve]
Package list:
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2020-04-16 14:07:21 UTC
CVE-2020-5215 (https://nvd.nist.gov/vuln/detail/CVE-2020-5215):
  In TensorFlow before 1.15.2 and 2.0.1, converting a string (from Python) to
  a tf.float16 value results in a segmentation fault in eager mode as the
  format checks for this use case are only in the graph mode. This issue can
  lead to denial of service in inference/training where a malicious attacker
  can send a data point which contains a string instead of a tf.float16 value.
  Similar effects can be obtained by manipulating saved models and checkpoints
  whereby replacing a scalar tf.float16 value with a scalar string will
  trigger this issue due to automatic conversions. This can be easily
  reproduced by tf.constant("hello", tf.float16), if eager execution is
  enabled. This issue is patched in TensorFlow 1.15.1 and 2.0.1 with this
  vulnerability patched. TensorFlow 2.1.0 was released after we fixed the
  issue, thus it is not affected. Users are encouraged to switch to TensorFlow
  1.15.1, 2.0.1 or 2.1.0.
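The mitigation beyond upgrading is the one the advisory implies: do the format check that eager mode skipped yourself, before any untrusted data point reaches `tf.constant(..., tf.float16)`. The following is an added example, not part of this bug or of TensorFlow; it is a pure-Python guard (no TensorFlow import, so it runs anywhere) that walks a scalar or nested list, rejects strings, bools, non-finite numbers and values that do not fit in IEEE 754 half precision (checked with `struct.pack("<e", ...)`), and returns a cleaned copy of floats. The function names and the rejection messages are assumptions of this example.

```python
import math
import struct
from numbers import Real


class InvalidFloat16Input(ValueError):
    """Raised when an untrusted data point cannot safely become a tf.float16 tensor."""


def _check_scalar(value, path):
    # bool is a subclass of int in Python; reject it explicitly so True/False
    # cannot be smuggled in as 1.0/0.0.
    if isinstance(value, bool) or not isinstance(value, Real):
        raise InvalidFloat16Input(
            f"{path}: expected a real number, got {type(value).__name__}"
        )
    f = float(value)
    if not math.isfinite(f):
        raise InvalidFloat16Input(f"{path}: non-finite value {f!r}")
    try:
        # 'e' is the half-precision (float16) format; packing a value that
        # rounds beyond the float16 range raises OverflowError.
        struct.pack("<e", f)
    except OverflowError:
        raise InvalidFloat16Input(f"{path}: {f!r} does not fit in float16") from None
    return f


def validate_float16(value, path="input"):
    """Recursively validate a scalar or nested list/tuple of numbers.

    Returns a cleaned nested list of Python floats, or raises
    InvalidFloat16Input naming the offending element, e.g. "input[2]".
    """
    if isinstance(value, (list, tuple)):
        return [validate_float16(v, f"{path}[{i}]") for i, v in enumerate(value)]
    return _check_scalar(value, path)


def safe_data_point(payload):
    """Guard for an untrusted inference/training input.

    Returns (True, cleaned_value) when the payload is safe to hand to
    tf.constant(cleaned_value, tf.float16), or (False, reason) when it must
    be rejected before it reaches the framework.
    """
    try:
        return True, validate_float16(payload)
    except InvalidFloat16Input as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed sample inputs: the reproducer from the advisory, a poisoned
    # batch, and a clean batch.
    for sample in ("hello", [1.0, 2.5, "hello"], [[1, 2], [3.5, 4]], 70000.0):
        print(sample, "->", safe_data_point(sample))
```

Only the cleaned value returned on success is passed on to `tf.constant`; a rejected payload never reaches the converter, so the process returns an error to the caller instead of dying with a segmentation fault. The same walk can be applied to scalar values read back from a deserialized checkpoint or saved-model tensor before they are cast.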
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-08-07 04:13:42 UTC
Ping
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-09-20 16:01:04 UTC
Tree is clean.