CVE-2019-9635
Certain invalid GIF files can produce a null pointer dereference when reading from the color map of a frame if the color map is missing.
A maliciously crafted GIF file could cause a denial of service attack for TensorFlow by making it crash.
TensorFlow 1.0.0, 1.0.1, 1.1.0, 1.2.0, 1.2.1, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.5.0, 1.5.1, 1.6.0, 1.7.0, 1.7.1, 1.8.0, 1.9.0, 1.10.0, 1.10.1, 1.11.0, 1.12.0
We have patched the vulnerability in GitHub commit e41cb124.
If users are loading untrusted configurations in TensorFlow, we encourage users to apply the patch to upgrade the version of TensorFlow they are currently using.
Additionally, we have released TensorFlow version 1.12.2 to mitigate this vulnerability. Versions 1.13.0 and later were released using the patched commit.
This issue was discovered by Yakun Zhang and Zheng Huang of Baidu Security Lab.