Insecure Temporary File in tensorflow/tensorflow
Jan 5th 2022
tensorflow package is using the deprecated function
tempfile.mktemp() which is not secure. Because a different process may create a file with this name in the time between the call to
mktemp() and the subsequent attempt to create the file by the first process.
Availability will get effected because of this vulnerability.
mkstemp() instead of
Hello. Mihai from TensorFlow Security here.
Thank you for the report. We will issue a fix and patch.
Hi. We already published the fix at https://github.com/tensorflow/tensorflow/commit/2939613ef8340a75c13a470d4097dbd7e4b6b534 (and several related commits over today)
Now we need to patch this for the planned releases.
Hello Mihai, Thank you
(The commit hash above is partial, there are several commits but the huntr UI does not allow properly selecting it)