
Update GHSA-2cpx-427x-q2c6.json with a new supplementary fix patch #5592


Conversation


@decsecre583 decsecre583 commented May 20, 2025

Updates

  • References

Comments

  • These commits are all complementary fix patches from different branches. The CVE description highlights the issue of a crafted TFLite model causing a tensor to have a nullptr buffer by manipulating the buffer index, leading to null pointer dereference. The new commits aim to 'Prevent a null pointer dereference in TFLite' and address the core issue described in the CVE, the NPD, by explicitly checking for missing tensor buffers and allowing only a safe exception for the Reshape operator’s shape input, thus blocking malformed model exploits.
  • Add a patch commit tensorflow/tensorflow@9cd2181 as it is a subsequent complementary fix for the vulnerability.
  • Add a patch commit tensorflow/tensorflow@bbb7d4c as it is a subsequent complementary fix for the vulnerability.
  • Add a patch commit tensorflow/tensorflow@a68f680 as it is a complementary fix for the vulnerability.
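The check described in the comment above, written out as an added illustration rather than TensorFlow's own code: the `Model`, `Tensor`, `Buffer` and `Operator` structs are hypothetical stand-ins for the TFLite FlatBuffer schema, and the only schema convention assumed is that buffer index 0 marks a tensor with no constant data.

```cpp
// Added example (not TensorFlow code): reject a tensor whose buffer index does
// not resolve to data before any kernel dereferences it, with the single
// exception the comment names (the shape input of Reshape).
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

struct Buffer { std::vector<uint8_t> data; };            // empty => no data
struct Tensor { std::string name; size_t buffer_index; };
struct Operator { std::string op; std::vector<size_t> inputs; };
struct Model {
  std::vector<Buffer> buffers;
  std::vector<Tensor> tensors;
  std::vector<Operator> ops;
};

// Bytes backing tensor `t`, or nullptr when the index is out of range or the
// buffer is empty: the nullptr the vulnerable path would have dereferenced.
const uint8_t* ResolveBuffer(const Model& m, const Tensor& t) {
  if (t.buffer_index >= m.buffers.size()) return nullptr;
  const Buffer& b = m.buffers[t.buffer_index];
  return b.data.empty() ? nullptr : b.data.data();
}

// The sanctioned exception: Reshape's second input (its target shape) may
// legitimately lack a constant buffer because the shape can be dynamic.
bool IsReshapeShapeInput(const Model& m, size_t tensor_idx) {
  for (const Operator& op : m.ops)
    if (op.op == "RESHAPE" && op.inputs.size() > 1 && op.inputs[1] == tensor_idx)
      return true;
  return false;
}

// Index of the first tensor that claims constant data but has none, or -1.
int FirstMissingBufferTensor(const Model& m) {
  for (size_t i = 0; i < m.tensors.size(); ++i) {
    if (m.tensors[i].buffer_index == 0) continue;        // runtime tensor
    if (ResolveBuffer(m, m.tensors[i]) != nullptr) continue;
    if (IsReshapeShapeInput(m, i)) continue;
    return static_cast<int>(i);
  }
  return -1;
}

// Constructed sample: tensor 2 is Reshape's shape input (exempt); tensor 3
// points at a buffer index that does not exist, as a crafted model might.
Model MakeCraftedModel() {
  Model m;
  m.buffers = {Buffer{{}}, Buffer{{1, 2, 3, 4}}};
  m.tensors = {{"input", 0}, {"weights", 1}, {"shape", 5}, {"bias", 7}};
  m.ops = {{"RESHAPE", {0, 2}}, {"ADD", {0, 3}}};
  return m;
}
```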

@github-actions github-actions bot changed the base branch from main to decsecre583/advisory-improvement-5592 May 20, 2025 13:29
@helixplant

Hi @decsecre583,
How are you finding all of these supplemental fix patches across different GHSAs and different packages? How do you know each commit is a supplemental fix for a certain vulnerability? I don't see mentions of the affected GHSAs or CVEs in the commit links you've provided, nor do I see any mentions of the commit links you've provided in the CVE records, repository GitHub Security Advisories, or vendor advisories.

@decsecre583

Thank you for your feedback @helixplant. I have connected these commits based on their msgs and code intentions.

  • From the commit msg: Both the initial patch tensorflow/tensorflow@69c68ec and one subsequent commit tensorflow/tensorflow@a68f680 messages involve addressing an overflow issue related to TensorShape construction. The initial commit message specifically mentions fixing an overflow CHECK issue for tf.raw_ops.AddManySparseToTensorsMap, while the subsequent commit message states replacing a faulty overflow check with a builder for TensorShape, which aligns with the described vulnerability in the CVE of causing a denial of service through a CHECK-fail.
  • From the intention and CVE description: The subsequent commits aim to address the same vulnerability as the CVE, given the context of fixing an overflow issue in TensorShape construction within exactly the same file and adjacent lines. The CVE description highlights a denial-of-service risk due to a CHECK-fail caused by an overflow in the TensorShape constructor. The subsequent commit's action of replacing a faulty overflow check and the initial commit's action of fixing this issue in AddManySparseToTensorsMap suggest they are resolving the same core problem described in the CVE.
  • The three subsequent commits are essentially the same and committed to different branches for parallel releases. Thus they are all included in the PR.

@helixplant

Hi @decsecre583, we're not accepting this pull request because the maintainers of TensorFlow haven't indicated that the commits you provided are related to the vulnerabilities described in the GHSAs. The maintainers of TensorFlow have historically been proactive about publishing advisories when they find a bypass for an existing fix, so it's most straightforward to adhere to their descriptions of which fix commits correspond to which vulnerabilities. Thank you for your interest in TensorFlow advisories and the GitHub Advisory Database and have a good week.

@helixplant helixplant closed this May 22, 2025