Lucene search

GoogleOSV:GHSA-XQFJ-CR6Q-PC8W

HistoryMay 21, 2021 - 2:28 p.m.

Crash in `tf.transpose` with complex inputs

2021-05-2114:28:58

Google

osv.dev

tensorflow

complex inputs

crash

security issue

github commit

patch

vulnerability reported

EPSS

0.001

Percentile

36.8%

JSON

Impact

Passing a complex argument to tf.transpose at the same time as passing conjugate=True argument results in a crash:

import tensorflow as tf
tf.transpose(conjugate=True, a=complex(1))

Patches

We have received a patch for the issue in GitHub commit 1dc6a7ce6e0b3e27a7ae650bfc05b195ca793f88.

The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported in #42105 and fixed in #46973.

References

github.com/tensorflow/issues/42105

github.com/tensorflow/issues/46973

github.com/tensorflow/tensorflow/commit/1dc6a7ce6e0b3e27a7ae650bfc05b195ca793f88

github.com/tensorflow/tensorflow/security/advisories/GHSA-xqfj-cr6q-pc8w

nvd.nist.gov/vuln/detail/CVE-2021-29618

EPSS

0.001

Percentile

36.8%

JSON

Related for OSV:GHSA-XQFJ-CR6Q-PC8W