http://bugzilla.opensuse.org/show_bug.cgi?id=1179944

Bug ID: 1179944
Summary: VUL-1: CVE-2020-26267: tensorflow, tensorflow2: tf.raw_ops.DataFormatVecPermute API does not validate the src_format and dst_format attributes leading to DoS if not a permutation
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.3
Hardware: Other
URL: https://smash.suse.de/issue/273148/
OS: Other
Status: NEW
Severity: Minor
Priority: P5 - None
Component: Security
Assignee: cgoll@suse.com
Reporter: jsegitz@suse.com
QA Contact: security-team@suse.de
Found By: Security Response Team
Blocker: ---

CVE-2020-26267

In affected versions of TensorFlow the tf.raw_ops.DataFormatVecPermute API does not validate the src_format and dst_format attributes. The code assumes that these two arguments define a permutation of NHWC. This can result in uninitialized memory accesses, read outside of bounds and even crashes. This is fixed in versions 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2, and 2.4.0.

Leap and Factory affected

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-26267
https://github.com/tensorflow/tensorflow/security/advisories/GHSA-c9f3-9wfr-...
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26267
https://github.com/tensorflow/tensorflow/commit/ebc70b7a592420d3d2f359e4b169...

--
You are receiving this mail because:
You are on the CC list for the bug.
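The missing check described in the report, sketched as an added example (not TensorFlow's code and not the upstream fix): both attributes are verified to be permutations of NHWC before any index derived from them is used. The function names IsPermutationOfNHWC, BuildDimMap and PermuteVec are hypothetical.

```cpp
#include <algorithm>
#include <array>
#include <cstdio>
#include <string>

// True only if fmt uses each of the letters N, H, W, C exactly once.
bool IsPermutationOfNHWC(const std::string& fmt) {
  std::string sorted = fmt;
  std::sort(sorted.begin(), sorted.end());
  return sorted == "CHNW";  // the letters of "NHWC" in sorted order
}

// Fills map[i] with the index in src_format of the letter dst_format[i].
// Returns false, leaving *map untouched, when either attribute is not a
// permutation of NHWC, so no caller ever sees a partially filled map.
bool BuildDimMap(const std::string& src_format, const std::string& dst_format,
                 std::array<int, 4>* map) {
  if (!IsPermutationOfNHWC(src_format) || !IsPermutationOfNHWC(dst_format)) {
    return false;
  }
  for (int i = 0; i < 4; ++i) {
    // find() cannot return npos here: both strings hold the same 4 letters.
    (*map)[i] = static_cast<int>(src_format.find(dst_format[i]));
  }
  return true;
}

// Permutes a 4-element vector: out[i] = in[map[i]]. Rejects invalid formats
// before reading from in, which is where an unchecked map would go out of
// bounds or read uninitialized entries.
bool PermuteVec(const std::array<int, 4>& in, const std::string& src_format,
                const std::string& dst_format, std::array<int, 4>* out) {
  std::array<int, 4> map{};
  if (!BuildDimMap(src_format, dst_format, &map)) return false;
  for (int i = 0; i < 4; ++i) (*out)[i] = in[map[i]];
  return true;
}

int main() {
  std::array<int, 4> in = {10, 20, 30, 40};  // constructed sample input
  std::array<int, 4> out{};
  bool ok = PermuteVec(in, "NHWC", "NCHW", &out);
  std::printf("valid: %d -> %d %d %d %d\n", ok, out[0], out[1], out[2], out[3]);
  std::printf("invalid accepted: %d\n", PermuteVec(in, "NHWC", "NQWE", &out));
  return 0;
}
```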