Security
Headlines
HeadlinesLatestCVEs

Tag

#dos

CVE-2022-40755: [BUG] Reachable assertion in inttobits, jas_image.c · Issue #338 · jasper-software/jasper

JasPer 3.0.6 allows denial of service via a reachable assertion in the function inttobits in libjasper/base/jas_image.c.

CVE
Open in Source
#ubuntu#dos#c++#docker
GHSA-qxpx-j395-pw36: TensorFlow vulnerable to segfault in `LowerBound` and `UpperBound`

### Impact If `LowerBound` or `UpperBound` is given an empty`sorted_inputs` input, it results in a `nullptr` dereference, leading to a segfault that can be used to trigger a denial of service attack. ```python import tensorflow as tf out_type = tf.int32 sorted_inputs = tf.constant([], shape=[10,0], dtype=tf.float32) values = tf.constant([], shape=[10,10,0,10,0], dtype=tf.float32) tf.raw_ops.LowerBound(sorted_inputs=sorted_inputs, values=values, out_type=out_type) ``` ```python import tensorflow as tf out_type = tf.int64 sorted_inputs = tf.constant([], shape=[2,2,0,0,0,0,0,2], dtype=tf.float32) values = tf.constant(0.372660398, shape=[2,4], dtype=tf.float32) tf.raw_ops.UpperBound(sorted_inputs=sorted_inputs, values=values, out_type=out_type) ``` ### Patches We have patched the issue in GitHub commit [bce3717eaef4f769019fd18e990464ca4a2efeea](https://github.com/tensorflow/tensorflow/commit/bce3717eaef4f769019fd18e990464ca4a2efeea). The fix will be included in TensorFlow 2.10.0. We wi...

GHSA-9v8w-xmr4-wgxp: TensorFlow vulnerable to `CHECK` fail in `TensorListFromTensor`

### Impact When `TensorListFromTensor` receives an `element_shape` of a rank greater than one, it gives a `CHECK` fail that can trigger a denial of service attack. ```python import tensorflow as tf arg_0=tf.random.uniform(shape=(6, 6, 2), dtype=tf.bfloat16, maxval=None) arg_1=tf.random.uniform(shape=(6, 9, 1, 3), dtype=tf.int64, maxval=65536) arg_2='' tf.raw_ops.TensorListFromTensor(tensor=arg_0, element_shape=arg_1, name=arg_2) ``` ### Patches We have patched the issue in GitHub commit [3db59a042a38f4338aa207922fa2f476e000a6ee](https://github.com/tensorflow/tensorflow/commit/3db59a042a38f4338aa207922fa2f476e000a6ee). The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. ### For more information Please consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the securit...

GHSA-wq6q-6m32-9rv9: TensorFlow vulnerable to `CHECK` fail in `SetSize`

### Impact When `SetSize` receives an input `set_shape` that is not a 1D tensor, it gives a `CHECK` fails that can be used to trigger a denial of service attack. ```python import tensorflow as tf arg_0=1 arg_1=[1,1] arg_2=1 arg_3=True arg_4='' tf.raw_ops.SetSize(set_indices=arg_0, set_values=arg_1, set_shape=arg_2, validate_indices=arg_3, name=arg_4) ``` ### Patches We have patched the issue in GitHub commit [cf70b79d2662c0d3c6af74583641e345fc939467](https://github.com/tensorflow/tensorflow/commit/cf70b79d2662c0d3c6af74583641e345fc939467). The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. ### For more information Please consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions. ##...

GHSA-f7r5-q7cx-h668: TensorFlow vulnerable to segfault in `BlockLSTMGradV2`

### Impact The implementation of `BlockLSTMGradV2` does not fully validate its inputs. - `wci`, `wcf`, `wco`, `b` must be rank 1 - `w`, cs_prev`, `h_prev` must be rank 2 - `x` must be rank 3 This results in a a segfault that can be used to trigger a denial of service attack. ```python import tensorflow as tf use_peephole = False seq_len_max = tf.constant(1, shape=[], dtype=tf.int64) x = tf.constant(0.504355371, shape=[1,1,1], dtype=tf.float32) cs_prev = tf.constant(0.504355371, shape=[1,1,1], dtype=tf.float32) h_prev = tf.constant(0.504355371, shape=[1,1,1], dtype=tf.float32) w = tf.constant(0.504355371, shape=[1,1,1], dtype=tf.float32) wci = tf.constant(0.504355371, shape=[1,1,1], dtype=tf.float32) wcf = tf.constant(0.504355371, shape=[1,1,1], dtype=tf.float32) wco = tf.constant(0.504355371, shape=[1,1,1], dtype=tf.float32) b = tf.constant(0.504355371, shape=[1,1,1], dtype=tf.float32) i = tf.constant(0.504355371, shape=[1,1,1], dtype=tf.float32) cs = tf.constant(0.504355371, shape...

GHSA-84jm-4cf3-9jfm: TensorFlow vulnerable to `CHECK` failures in `FractionalAvgPoolGrad`

### Impact The implementation of `FractionalAvgPoolGrad` does not fully validate the input `orig_input_tensor_shape`. This results in an overflow that results in a `CHECK` failure which can be used to trigger a denial of service attack. ```python import tensorflow as tf overlapping = True orig_input_tensor_shape = tf.constant(-1879048192, shape=[4], dtype=tf.int64) out_backprop = tf.constant([], shape=[0,0,0,0], dtype=tf.float64) row_pooling_sequence = tf.constant(1, shape=[4], dtype=tf.int64) col_pooling_sequence = tf.constant(1, shape=[4], dtype=tf.int64) tf.raw_ops.FractionalAvgPoolGrad(orig_input_tensor_shape=orig_input_tensor_shape, out_backprop=out_backprop, row_pooling_sequence=row_pooling_sequence, col_pooling_sequence=col_pooling_sequence, overlapping=overlapping) ``` ### Patches We have patched the issue in GitHub commit [03a659d7be9a1154fdf5eeac221e5950fec07dad](https://github.com/tensorflow/tensorflow/commit/03a659d7be9a1154fdf5eeac221e5950fec07dad). The fix will be inc...

GHSA-fhfc-2q7x-929f: TensorFlow vulnerable to `CHECK` fail in `CollectiveGather`

### Impact When `CollectiveGather` receives an scalar input `input`, it gives a `CHECK` fails that can be used to trigger a denial of service attack. ```python import tensorflow as tf arg_0=1 arg_1=1 arg_2=1 arg_3=1 arg_4=(3, 3,3) arg_5='auto' arg_6=0 arg_7='' tf.raw_ops.CollectiveGather(input=arg_0, group_size=arg_1, group_key=arg_2, instance_key=arg_3, shape=arg_4, communication_hint=arg_5, timeout_seconds=arg_6, name=arg_7) ``` ### Patches We have patched the issue in GitHub commit [c1f491817dec39a26be3c574e86a88c30f3c4770](https://github.com/tensorflow/tensorflow/commit/c1f491817dec39a26be3c574e86a88c30f3c4770). The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. ### For more information Please consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/S...

GHSA-q5jv-m6qw-5g37: TensorFlow vulnerable to floating point exception in `Conv2D`

### Impact If `Conv2D` is given empty `input` and the `filter` and `padding` sizes are valid, the output is all-zeros. This causes division-by-zero floating point exceptions that can be used to trigger a denial of service attack. ```python import tensorflow as tf import numpy as np with tf.device("CPU"): # also can be triggerred on GPU input = np.ones([1, 0, 2, 1]) filter = np.ones([1, 1, 1, 1]) strides = ([1, 1, 1, 1]) padding = "EXPLICIT" explicit_paddings = [0 , 0, 1, 1, 1, 1, 0, 0] data_format = "NHWC" res = tf.raw_ops.Conv2D( input=input, filter=filter, strides=strides, padding=padding, explicit_paddings=explicit_paddings, data_format=data_format, ) ``` ### Patches We have patched the issue in GitHub commit [611d80db29dd7b0cfb755772c69d60ae5bca05f9](https://github.com/tensorflow/tensorflow/commit/611d80db29dd7b0cfb755772c69d60ae5bca05f9). The fix will be included in TensorFlow 2.10.0. We will also cherrypick this ...

GHSA-wxjj-cgcx-r3vq: TensorFlow vulnerable to `CHECK` failures in `AvgPool3DGrad`

### Impact The implementation of `AvgPool3DGradOp` does not fully validate the input `orig_input_shape`. This results in an overflow that results in a `CHECK` failure which can be used to trigger a denial of service attack: ```python import tensorflow as tf ksize = [1, 1, 1, 1, 1] strides = [1, 1, 1, 1, 1] padding = "SAME" data_format = "NDHWC" orig_input_shape = tf.constant(1879048192, shape=[5], dtype=tf.int32) grad = tf.constant(1, shape=[1,3,2,4,2], dtype=tf.float32) tf.raw_ops.AvgPool3DGrad(orig_input_shape=orig_input_shape, grad=grad, ksize=ksize, strides=strides, padding=padding, data_format=data_format) ``` ### Patches We have patched the issue in GitHub commit [9178ac9d6389bdc54638ab913ea0e419234d14eb](https://github.com/tensorflow/tensorflow/commit/9178ac9d6389bdc54638ab913ea0e419234d14eb). The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in ...

GHSA-qhw4-wwr7-gjc5: TensorFlow vulnerable to `CHECK` fail in `EmptyTensorList`

### Impact If `EmptyTensorList` receives an input `element_shape` with more than one dimension, it gives a `CHECK` fail that can be used to trigger a denial of service attack. ```python import tensorflow as tf tf.raw_ops.EmptyTensorList(element_shape=tf.ones(dtype=tf.int32, shape=[1, 0]), max_num_elements=tf.constant(1),element_dtype=tf.int32) ``` ### Patches We have patched the issue in GitHub commit [c8ba76d48567aed347508e0552a257641931024d](https://github.com/tensorflow/tensorflow/commit/c8ba76d48567aed347508e0552a257641931024d). The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. ### For more information Please consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions. ### Attribution This vulner...