chore: import upstream snapshot with attribution
cffconvert / validate (push) Has been skipped
License Check / license-check (push) Failing after 2s

This commit is contained in:
wehub-resource-sync
2026-07-13 12:14:16 +08:00
commit 8a852e4b4e
36502 changed files with 9277225 additions and 0 deletions
@@ -0,0 +1,35 @@
## TFSA-2018-006: Crafted Configuration File results in Invalid Memory Access
### CVE Number
CVE-2018-10055
### Issue Description
A maliciously crafted configuration file passed into the TensorFlow XLA compiler
could cause an invalid memory access and/or a heap buffer overflow.
### Impact
A maliciously crafted configuration file could cause TensorFlow to crash or
read from other parts of its process memory.
### Vulnerable Versions
TensorFlow 1.1.0, 1.2.0, 1.2.1, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.5.0, 1.5.1, 1.6.0, 1.7.0
### Mitigation
We have patched the vulnerability in GitHub commit
[c89ab82a](https://github.com/tensorflow/tensorflow/commit/c89ab82a82585cdaa90bf4911980e9e845909e78).
If users are loading untrusted configurations in TensorFlow, we encourage users
to apply the patch to upgrade snappy or upgrade the version of TensorFlow they
are currently using.
Additionally, we have released TensorFlow version 1.7.1 to mitigate this
vulnerability.
### Credits
This issue was discovered by the Blade Team of Tencent.