CVE-2022-36016 TensorFlow is an open source platform for machine learning. When `tensorflow::full_type::SubstituteFromAttrs` receives a type that is not an exact 3-argument type, it triggers a CHECK-FAIL instead of returning a status. A failed CHECK aborts the process, so a malformed full-type annotation that reaches this function crashes TensorFlow rather than producing an error the caller can handle (a denial of service).
The issue is patched in GitHub commit 6104f0d4091c260ce9352f9155f7e9b725eab012. The fix will be included in TensorFlow 2.10.0.
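The following C++ example is added to this page to illustrate the bug class; it is not TensorFlow's source and does not reproduce the actual full-type code. It uses a constructed toy type tree (`TypeNode`), a hypothetical `TOY_CHECK` macro with the same abort-on-failure semantics as CHECK, and a hypothetical `FOR_EACH` node that must carry exactly three arguments, to contrast the vulnerable shape (arity enforced with a process-aborting CHECK) with the fixed shape (validation that returns a status the caller can act on).

```cpp
#include <cstdio>
#include <cstdlib>
#include <map>
#include <string>
#include <vector>

// Hypothetical stand-in for the glog/TensorFlow CHECK macro: a false
// condition terminates the whole process; there is no recovery path.
#define TOY_CHECK(cond) \
  do { if (!(cond)) { std::fprintf(stderr, "Check failed: %s\n", #cond); std::abort(); } } while (0)

// Constructed model of a full-type tree: a type id plus child arguments.
// This is not TensorFlow's FullTypeDef protobuf.
struct TypeNode {
  std::string id;
  std::vector<TypeNode> args;
};

// Toy status object standing in for tensorflow::Status.
struct Status {
  bool ok;
  std::string message;
};

static Status OkStatus() { return {true, ""}; }
static Status InvalidArgument(const std::string& msg) { return {false, msg}; }

// Attribute map: type-variable name -> concrete type id (constructed).
using AttrMap = std::map<std::string, std::string>;

// In this model a FOR_EACH node is well formed only with exactly three args:
// a container id, a template, and the variable the template ranges over.
constexpr std::size_t kForEachArity = 3;

// Replace every VAR node bound to `var` with the concrete type `value`.
static TypeNode ReplaceVar(const TypeNode& t, const std::string& var,
                           const std::string& value) {
  if (t.id == "VAR" && !t.args.empty() && t.args[0].id == var) {
    return TypeNode{value, {}};
  }
  TypeNode out{t.id, {}};
  for (const auto& a : t.args) out.args.push_back(ReplaceVar(a, var, value));
  return out;
}

// FOR_EACH(container, template, var) -> container<template with var bound>.
// Indexes args[2] unconditionally: the caller must have validated arity.
static TypeNode ExpandForEach(const TypeNode& t, const AttrMap& attrs) {
  const std::string& var = t.args[2].id;
  auto it = attrs.find(var);
  const std::string value = (it == attrs.end()) ? var : it->second;
  return TypeNode{t.args[0].id, {ReplaceVar(t.args[1], var, value)}};
}

// Vulnerable shape: arity is enforced with a CHECK. A type attribute whose
// FOR_EACH node carries two (or four) args aborts the process: denial of
// service from malformed input rather than an error the caller can handle.
TypeNode SubstituteChecked(const TypeNode& t, const AttrMap& attrs) {
  if (t.id == "FOR_EACH") {
    TOY_CHECK(t.args.size() == kForEachArity);
    return ExpandForEach(t, attrs);
  }
  TypeNode out{t.id, {}};
  for (const auto& a : t.args) out.args.push_back(SubstituteChecked(a, attrs));
  return out;
}

// Fixed shape: validate the input, report a Status, and let the caller
// reject the graph instead of crashing the whole process.
Status SubstituteSafe(const TypeNode& t, const AttrMap& attrs, TypeNode* out) {
  if (t.id == "FOR_EACH") {
    if (t.args.size() != kForEachArity) {
      return InvalidArgument("FOR_EACH expects " + std::to_string(kForEachArity) +
                             " args, got " + std::to_string(t.args.size()));
    }
    *out = ExpandForEach(t, attrs);
    return OkStatus();
  }
  out->id = t.id;
  out->args.clear();
  for (const auto& a : t.args) {
    TypeNode child;
    Status s = SubstituteSafe(a, attrs, &child);
    if (!s.ok) return s;
    out->args.push_back(child);
  }
  return OkStatus();
}

int main() {
  // Constructed malformed input: FOR_EACH with only two args.
  TypeNode bad{"FOR_EACH", {{"TENSOR", {}}, {"VAR", {{"T", {}}}}}};
  TypeNode out;
  Status s = SubstituteSafe(bad, {{"T", "FLOAT"}}, &out);
  std::printf("safe path: ok=%d message=%s\n", s.ok, s.message.c_str());
  // SubstituteChecked(bad, ...) would call std::abort() at this point.
  return s.ok ? 1 : 0;
}
```

The security-relevant difference is only in where the arity check lives: `SubstituteChecked` treats a malformed node as a programming error and kills the process, while `SubstituteSafe` treats it as untrusted input and propagates a status up to the graph loader, which is the pattern the fix applies. Note that both functions still require the validated node before indexing `args[2]`; the validation must happen on every path that reaches `ExpandForEach`, including nested occurrences.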
TensorFlow versions affected
TensorFlow 2.9.0 and the earlier releases still in the supported range (2.7.x and 2.8.x) are affected. The fix ships in TensorFlow 2.10.0 and is cherry-picked to TensorFlow 2.9.1, 2.8.1 and 2.7.2; users should upgrade to one of those releases or later.
Upgrading TensorFlow
Upgrade the installed package with the standard pip upgrade (there is no TensorFlow-specific installer flag for this fix):
$ pip3 install --upgrade tensorflow
After the upgrade, confirm that `tf.__version__` reports a patched release (2.10.0 or later, or 2.9.1, 2.8.1 or 2.7.2 on a cherry-pick branch).
Timeline
Published on: 09/16/2022 23:15:00 UTC
Last modified on: 09/20/2022 14:39:00 UTC
References
- https://github.com/tensorflow/tensorflow/commit/6104f0d4091c260ce9352f9155f7e9b725eab012
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-g468-qj8g-vcjc
- https://github.com/tensorflow/tensorflow/blob/master/tensorflow/core/ops/math_ops.cc
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-36016