1## TFSA-2018-005: Old Snappy Library Usage Resulting in Memcpy Parameter Overlap 2 3### CVE Number 4 5CVE-2018-7577 6 7### Issue Description 8 9TensorFlow checkpoint meta file uses Google's 10[snappy](https://github.com/google/snappy) compression/decompression library. 11There is a memcpy-param-overlap issue in the version of snappy currently used by 12TensorFlow. 13 14### Impact 15 16A maliciously crafted checkpoint meta file could cause TensorFlow to crash or 17read from other parts of its process memory. 18 19### Vulnerable Versions 20 21TensorFlow 1.1.0, 1.2.0, 1.2.1, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.5.0, 1.5.1, 1.6.0, 1.7.0 22 23### Mitigation 24 25We have patched the vulnerability in GitHub commit 26[dfa9921e](https://github.com/tensorflow/tensorflow/commit/dfa9921e6343727b05f42f8d4a918b19528ff994) 27by upgrading the version of the snappy library used by TensorFlow to v1.1.7. 28 29If users are loading untrusted checkpoints in TensorFlow, we encourage users to 30apply the patch to upgrade snappy. 31 32Additionally, we have released TensorFlow version 1.7.1 to mitigate this 33vulnerability. 34 35### Credits 36 37This issue was discovered by the Blade Team of Tencent. 38