Insecure Temporary File in tensorflow/tensorflow

Valid

Reported on

Jan 5th 2022

Description

tensorflow package is using the deprecated function tempfile.mktemp() which is not secure. Because a different process may create a file with this name in the time between the call to mktemp() and the subsequent attempt to create the file by the first process.

Impact

Availability will get effected because of this vulnerability.

Recommendation

Use mkstemp() instead of tempfile.mktemp()

We are processing your report and will contact the tensorflow team within 24 hours. a year ago
We have contacted a member of the tensorflow team and are waiting to hear back a year ago
tensorflow/tensorflow maintainer
a year ago

Hello. Mihai from TensorFlow Security here.

Thank you for the report. We will issue a fix and patch.

tensorflow/tensorflow maintainer validated this vulnerability a year ago
Srikanth Prathi has been awarded the disclosure bounty
The fix bounty is now up for grabs
Srikanth Prathi submitted a
patch
a year ago
Mihai Maruseac
a year ago

Hi. We already published the fix at https://github.com/tensorflow/tensorflow/commit/2939613ef8340a75c13a470d4097dbd7e4b6b534 (and several related commits over today)

Now we need to patch this for the planned releases.

Srikanth Prathi
a year ago

Researcher

Hello Mihai, Thank you

tensorflow/tensorflow maintainer marked this as fixed in tensorflow==2.8.0 (and patches) with commit a0395a a year ago
Srikanth Prathi has been awarded the fix bounty
This vulnerability will not receive a CVE
local_cli_wrapper.py#L83 has been validated
tensorflow/tensorflow maintainer
a year ago

(The commit hash above is partial, there are several commits but the huntr UI does not allow properly selecting it)

to join this conversation