TFSA-2018-002: GIF File Parsing Null Pointer Dereference Error

CVE Number

CVE-2018-7576

Issue Description

When parsing certain invalid GIF files, an internal function in the GIF decoder returned a null pointer, which was subsequently used as an argument to strcat.
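The pattern described above next to a hardened form, as an added example that is not TensorFlow's code or the patch itself. `decoder_error_string`, its codes and messages, and both `format_error_*` helpers are hypothetical names constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a decoder's error-text lookup. It returns NULL
 * for codes it does not recognise, the condition the advisory describes.
 * Codes and messages are constructed for this example. */
const char *decoder_error_string(int code) {
    switch (code) {
    case 1:  return "failed to open input";
    case 2:  return "not a GIF file";
    case 3:  return "image is defective";
    default: return NULL;              /* unknown code: no message */
    }
}

/* Unsafe pattern: the lookup result is passed straight to strcat.
 * With an unrecognised code, strcat reads through NULL and the
 * process crashes. Also unbounded: buf must be large enough. */
void format_error_unsafe(char *buf, int code) {
    strcpy(buf, "can't decode GIF: ");
    strcat(buf, decoder_error_string(code));
}

/* Hardened pattern: substitute a fallback for NULL and bound the write.
 * Returns 0 on success, -1 if the message did not fit in buf. */
int format_error_safe(char *buf, size_t buflen, int code) {
    const char *msg = decoder_error_string(code);
    if (msg == NULL)
        msg = "unknown error";
    int n = snprintf(buf, buflen, "can't decode GIF: %s (code %d)", msg, code);
    return (n >= 0 && (size_t)n < buflen) ? 0 : -1;
}

int main(void) {
    char buf[64];
    format_error_unsafe(buf, 2);       /* known code: works */
    puts(buf);
    /* format_error_unsafe(buf, 9999) would dereference NULL here. */
    if (format_error_safe(buf, sizeof buf, 9999) == 0)
        puts(buf);                     /* unknown code: handled */
    return 0;
}
```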

Impact

A maliciously crafted GIF could be used to cause the TensorFlow process to crash.

Vulnerable Versions

TensorFlow 1.0.0, 1.0.1, 1.1.0, 1.2.0, 1.2.1, 1.3.0, 1.3.1, 1 1.4.1, 1.5.0, 1.5.1

Mitigation

We have patched the vulnerability in GitHub commit c4843158. If users are running TensorFlow in production or on untrusted data, they are encouraged to apply this patch.

Additionally, this patch has already been integrated into TensorFlow 1.6.0 and newer.

Credits

This issue was discovered by the Blade Team of Tencent.