Upstream information
CVE-2020-26267 at MITRE
Description
In affected versions of TensorFlow the tf.raw_ops.DataFormatVecPermute API does not validate the src_format and dst_format attributes. The code assumes that these two arguments define a permutation of NHWC. This can result in uninitialized memory accesses, read outside of bounds and even crashes. This is fixed in versions 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2, and 2.4.0.
Overall state of this security issue: Resolved
This issue is currently rated as having important severity.
CVSS v2 Scores
| | National Vulnerability Database |
|---|
| Base Score | 4.3 |
| Vector | AV:L/AC:L/Au:S/C:P/I:P/A:P |
| Access Vector | Local |
| Access Complexity | Low |
| Authentication | Single |
| Confidentiality Impact | Partial |
| Integrity Impact | Partial |
| Availability Impact | Partial |
CVSS v3 Scores
| | National Vulnerability Database |
|---|
| Base Score | 7.8 |
| Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Attack Vector | Local |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality Impact | High |
| Integrity Impact | High |
| Availability Impact | High |
| CVSSv3 Version | 3.1 |
SUSE Bugzilla entry:
1179944 [RESOLVED / FIXED]
SUSE Security Advisories:
List of released packages
| Product(s) | Fixed package version(s) | References |
|---|
| SUSE Package Hub 15 SP3 | bazel-skylib1.0.3-source >= 1.0.3-bp153.2.1bazel3.7 >= 3.7.2-bp153.4.1libiomp5 >= 2.6.0-bp153.2.3.1libiomp5-gnu-hpc >= 2.6.0-bp153.2.3.1libiomp5-gnu-openmpi2-hpc >= 2.6.0-bp153.2.3.1libtensorflow2 >= 2.6.0-bp153.2.3.1libtensorflow2-gnu-hpc >= 2.6.0-bp153.2.3.1libtensorflow2-gnu-openmpi2-hpc >= 2.6.0-bp153.2.3.1libtensorflow_cc2 >= 2.6.0-bp153.2.3.1libtensorflow_cc2-gnu-hpc >= 2.6.0-bp153.2.3.1libtensorflow_cc2-gnu-openmpi2-hpc >= 2.6.0-bp153.2.3.1libtensorflow_framework2 >= 2.6.0-bp153.2.3.1libtensorflow_framework2-gnu-hpc >= 2.6.0-bp153.2.3.1libtensorflow_framework2-gnu-openmpi2-hpc >= 2.6.0-bp153.2.3.1tensorflow2 >= 2.6.0-bp153.2.3.1tensorflow2-devel >= 2.6.0-bp153.2.3.1tensorflow2-doc >= 2.6.0-bp153.2.3.1tensorflow2-gnu-hpc >= 2.6.0-bp153.2.3.1tensorflow2-gnu-openmpi2-hpc >= 2.6.0-bp153.2.3.1tensorflow2-lite >= 2.6.0-bp153.2.3.1tensorflow2-lite-devel >= 2.6.0-bp153.2.3.1tensorflow2_2_6_0-gnu-hpc >= 2.6.0-bp153.2.3.1tensorflow2_2_6_0-gnu-hpc-devel >= 2.6.0-bp153.2.3.1tensorflow2_2_6_0-gnu-hpc-doc >= 2.6.0-bp153.2.3.1tensorflow2_2_6_0-gnu-openmpi2-hpc >= 2.6.0-bp153.2.3.1tensorflow2_2_6_0-gnu-openmpi2-hpc-devel >= 2.6.0-bp153.2.3.1tensorflow2_2_6_0-gnu-openmpi2-hpc-doc >= 2.6.0-bp153.2.3.1
| Patchnames:
openSUSE-2022-10014 |
| openSUSE Leap 15.3 | bazel-skylib1.0.3-source >= 1.0.3-bp153.2.1bazel3.7 >= 3.7.2-bp153.4.1libiomp5 >= 2.6.0-bp153.2.3.1libiomp5-gnu-hpc >= 2.6.0-bp153.2.3.1libiomp5-gnu-openmpi2-hpc >= 2.6.0-bp153.2.3.1libtensorflow2 >= 2.6.0-bp153.2.3.1libtensorflow2-gnu-hpc >= 2.6.0-bp153.2.3.1libtensorflow2-gnu-openmpi2-hpc >= 2.6.0-bp153.2.3.1libtensorflow_cc2 >= 2.6.0-bp153.2.3.1libtensorflow_cc2-gnu-hpc >= 2.6.0-bp153.2.3.1libtensorflow_cc2-gnu-openmpi2-hpc >= 2.6.0-bp153.2.3.1libtensorflow_framework2 >= 2.6.0-bp153.2.3.1libtensorflow_framework2-gnu-hpc >= 2.6.0-bp153.2.3.1libtensorflow_framework2-gnu-openmpi2-hpc >= 2.6.0-bp153.2.3.1tensorflow2 >= 2.6.0-bp153.2.3.1tensorflow2-devel >= 2.6.0-bp153.2.3.1tensorflow2-doc >= 2.6.0-bp153.2.3.1tensorflow2-gnu-hpc >= 2.6.0-bp153.2.3.1tensorflow2-gnu-openmpi2-hpc >= 2.6.0-bp153.2.3.1tensorflow2-lite >= 2.6.0-bp153.2.3.1tensorflow2-lite-devel >= 2.6.0-bp153.2.3.1tensorflow2_2_6_0-gnu-hpc >= 2.6.0-bp153.2.3.1tensorflow2_2_6_0-gnu-hpc-devel >= 2.6.0-bp153.2.3.1tensorflow2_2_6_0-gnu-hpc-doc >= 2.6.0-bp153.2.3.1tensorflow2_2_6_0-gnu-openmpi2-hpc >= 2.6.0-bp153.2.3.1tensorflow2_2_6_0-gnu-openmpi2-hpc-devel >= 2.6.0-bp153.2.3.1tensorflow2_2_6_0-gnu-openmpi2-hpc-doc >= 2.6.0-bp153.2.3.1
| Patchnames:
openSUSE-2022-10014 |
SUSE Timeline for this CVE
CVE page created: Fri Dec 11 04:33:11 2020
CVE page last modified: Sat Mar 30 16:27:27 2024
