Bug 1179946 (CVE-2020-26266) - VUL-1: CVE-2020-26266: tensorflow, tensorflow2: Use of uninitialized values
Summary: VUL-1: CVE-2020-26266: tensorflow, tensorflow2: Use of uninitialized values
Status: RESOLVED FIXED
Alias: CVE-2020-26266
Product: openSUSE Distribution
Classification: openSUSE
Component: Security (show other bugs)
Version: Leap 42.3
Hardware: Other Other
Importance: P4 - Low Minor
Target Milestone: ---
Assignee: Christian Goll
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/273147/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-12-11 10:33 UTC by Johannes Segitz
Modified: 2024-03-28 13:48 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Johannes Segitz 2020-12-11 10:33:54 UTC
CVE-2020-26266

In affected versions of TensorFlow under certain cases a saved model can trigger
use of uninitialized values during code execution. This is caused by having
tensor buffers be filled with the default value of the type but forgetting to
default initialize the quantized floating point types in Eigen. This is fixed in
versions 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2, and 2.4.0.

Leap and Factory affected

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-26266
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26266
https://github.com/tensorflow/tensorflow/commit/ace0c15a22f7f054abcc1f53eabbcb0a1239a9e2
https://github.com/tensorflow/tensorflow/security/advisories/GHSA-qhxx-j73r-qpm2
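The root cause described above is a C++ initialization rule: a type whose default constructor is user-provided but empty is not zero-filled by value-initialization, so "filling a buffer with the default value of the type" leaves the payload bytes untouched. The following is an added example, not TensorFlow or Eigen code; the names QInt8Unsafe, QInt8Fixed, allocate_default_filled and default_ctor_leaves_byte are hypothetical stand-ins chosen here to show the defect pattern beside the corrected one.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <new>
#include <vector>

// Hypothetical stand-in for a fixed-point wrapper whose default constructor is
// user-provided but empty. Because the constructor is user-provided,
// value-initialization (T(), std::vector<T>(n)) calls it instead of
// zero-filling, so `value` keeps whatever the storage held before.
struct QInt8Unsafe {
  int8_t value;
  QInt8Unsafe() {}
  explicit QInt8Unsafe(int8_t v) : value(v) {}
};

// The same wrapper with the payload initialised in the default constructor,
// the shape of the fix referenced in the advisory.
struct QInt8Fixed {
  int8_t value;
  QInt8Fixed() : value(0) {}
  explicit QInt8Fixed(int8_t v) : value(v) {}
};

// Mimics an allocator that "fills a buffer with the default value of the type":
// std::vector<T>(n) value-initialises every element with T().
template <typename T>
std::vector<T> allocate_default_filled(std::size_t n) {
  return std::vector<T>(n);
}

// Check used by the test: true only if every element's payload is zero.
template <typename T>
bool all_zero(const std::vector<T>& buf) {
  return std::all_of(buf.begin(), buf.end(),
                     [](const T& q) { return q.value == 0; });
}

// Constructs one T() in storage deliberately pre-filled with 0x5A and returns
// the payload byte afterwards. For QInt8Fixed the result is always 0. For
// QInt8Unsafe the constructor never writes the byte, so the result is simply
// whatever the storage held: reading it is exactly the "use of uninitialized
// value" the CVE names, and the value is not guaranteed by the language.
template <typename T>
unsigned char default_ctor_leaves_byte() {
  alignas(T) unsigned char storage[sizeof(T)];
  std::memset(storage, 0x5A, sizeof storage);
  T* obj = new (storage) T();
  unsigned char out;
  std::memcpy(&out, &obj->value, 1);
  obj->~T();
  return out;
}

int main() {
  std::printf("fixed buffer all zero: %d\n",
              all_zero(allocate_default_filled<QInt8Fixed>(64)));
  std::printf("fixed  T() payload byte: 0x%02x\n",
              default_ctor_leaves_byte<QInt8Fixed>());
  std::printf("unsafe T() payload byte: 0x%02x (indeterminate)\n",
              default_ctor_leaves_byte<QInt8Unsafe>());
  return 0;
}
```

The unsafe path is the kind of defect that compiles without warnings at default settings; building the example with clang's MemorySanitizer (`clang++ -fsanitize=memory -g`) reports the uninitialized read when the QInt8Unsafe byte is consumed, which is the practical way to catch this class of bug in a large code base before a crafted input reaches it.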
Comment 1 Christian Goll 2020-12-18 09:59:41 UTC
SR#856850 to devel repo fixes this
Comment 2 Christian Goll 2024-03-28 13:48:24 UTC
Tensorflow 2.7 is in factory (although it doesn't actually build), so closing this one