CVE-2018-7576
When parsing certain invalid GIF files, an internal function in the GIF decoder returned a null pointer, which was subsequently used as an argument to strcat.
A maliciously crafted GIF could be used to cause the TensorFlow process to crash.
Affected versions: TensorFlow 1.0.0, 1.0.1, 1.1.0, 1.2.0, 1.2.1, 1.3.0, 1.3.1, 1.4.1, 1.5.0, 1.5.1
We have patched the vulnerability in GitHub commit c4843158. If users are running TensorFlow in production or on untrusted data, they are encouraged to apply this patch.
Additionally, this patch has already been integrated into TensorFlow 1.6.0 and newer.
This issue was discovered by the Blade Team of Tencent.
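The bug class described above, a lookup that can return a null pointer feeding a string concatenation, shown with a hardened form as an added example in C. It is not TensorFlow's code or the patch from commit c4843158; the function names, error codes and messages are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical decoder error lookup (names, codes and messages are
 * constructed for this example). It returns NULL for unknown codes. */
static const char *decoder_error_string(int code) {
    switch (code) {
    case 101: return "failed to open file";
    case 102: return "failed to read file";
    default:  return NULL;
    }
}

/* Vulnerable pattern, shown only as a comment because it crashes:
 *     strcat(msg, decoder_error_string(code));
 * An unknown code makes the second argument NULL, and strcat reads
 * through it. */

/* Hardened lookup: never returns NULL. */
static const char *decoder_error_string_nonnull(int code) {
    const char *s = decoder_error_string(code);
    return s != NULL ? s : "unknown error";
}

/* Writes prefix + error text into out. Returns 0 on success, -1 on bad
 * arguments or when the message does not fit (out is left empty). */
int format_decode_error(char *out, size_t out_len, const char *prefix, int code) {
    if (out == NULL || out_len == 0 || prefix == NULL)
        return -1;
    int n = snprintf(out, out_len, "%s%s", prefix,
                     decoder_error_string_nonnull(code));
    if (n < 0 || (size_t)n >= out_len) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void) {
    char msg[64];
    int codes[] = {101, 102, 9999};  /* 9999: constructed unknown code */
    for (size_t i = 0; i < sizeof codes / sizeof codes[0]; i++) {
        if (format_decode_error(msg, sizeof msg, "GIF decode error: ", codes[i]) == 0)
            printf("%d -> %s\n", codes[i], msg);
    }
    return 0;
}
```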