## TFSA-2018-005: Old Snappy Library Usage Resulting in Memcpy Parameter Overlap

### CVE Number

CVE-2018-7577

### Issue Description

TensorFlow checkpoint meta file uses Google's [snappy](https://github.com/google/snappy)
compression/decompression library. There is a memcpy-param-overlap issue in the
version of snappy currently used by TensorFlow.

### Impact

A maliciously crafted checkpoint meta file could cause TensorFlow to crash or
read from other parts of its process memory.

### Vulnerable Versions

TensorFlow 1.1.0, 1.2.0, 1.2.1, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.5.0, 1.5.1, 1.6.0, 1.7.0

### Mitigation

We have patched the vulnerability in GitHub commit
[dfa9921e](https://github.com/tensorflow/tensorflow/commit/dfa9921e6343727b05f42f8d4a918b19528ff994)
by upgrading the version of the snappy library used by TensorFlow to v1.1.7.

If users are loading untrusted checkpoints in TensorFlow, we encourage users to
apply the patch to upgrade snappy.

Additionally, we have released TensorFlow version 1.7.1 to mitigate this
vulnerability.

### Credits

This issue was discovered by the Blade Team of Tencent.