diff --git a/security/README.md b/security/README.md index 01559632d7dd4..9bcc28bc31895 100644 --- a/security/README.md +++ b/security/README.md 
@@ -7,12 +7,30 @@ We regularly publish security advisories about using PaddlePaddle. *Note*: In conjunction with these security advisories, we strongly encourage PaddlePaddle users to read and understand PaddlePaddle's security model as outlined in [SECURITY.md](../SECURITY.md). -| Advisory Number | Type | Versions affected | Reported by | Additional Information | -|----------------------------------------------|------------------------------------------------------|:-----------------:|------------------------------------------------------------------|------------------------| -| [PDSA-2023-005](./advisory/pdsa-2023-005.md) | Command injection in fs.py | < 2.5.0 | Xiaochen Guo from Huazhong University of Science and Technology | | -| [PDSA-2023-004](./advisory/pdsa-2023-004.md) | FPE in paddle.linalg.matrix_power | < 2.5.0 | Tong Liu of ShanghaiTech University | | -| [PDSA-2023-003](./advisory/pdsa-2023-003.md) | Heap buffer overflow in paddle.trace | < 2.5.0 | Tong Liu of ShanghaiTech University | | -| [PDSA-2023-002](./advisory/pdsa-2023-002.md) | Null pointer dereference in paddle.flip | < 2.5.0 | Tong Liu of ShanghaiTech University | | -| [PDSA-2023-001](./advisory/pdsa-2023-001.md) | Use after free in paddle.diagonal | < 2.5.0 | Tong Liu of ShanghaiTech University | | -| [PDSA-2022-002](./advisory/pdsa-2022-002.md) | Code injection in paddle.audio.functional.get_window | = 2.4.0-rc0 | Tong Liu of ShanghaiTech University | | -| [PDSA-2022-001](./advisory/pdsa-2022-001.md) | OOB read in gather_tree | < 2.4 | Wang Xuan(王旋) of Qihoo 360 AIVul Team | | +| Advisory Number | Type | Versions affected | Reported by | Additional Information | +|----------------------------------------------|------------------------------------------------------|:-----------------:|-----------------------------------------------------------------|------------------------| +| [PDSA-2023-023](./advisory/pdsa-2023-023.md) | Command injection in convert_shape_compare | < 2.6.0 | leeya_bug | 
| +| [PDSA-2023-022](./advisory/pdsa-2023-022.md) | FPE in paddle.argmin and paddle.argmax | < 2.6.0 | Peng Zhou (zpbrent) from Shanghai University | | +| [PDSA-2023-021](./advisory/pdsa-2023-021.md) | Null pointer dereference in paddle.crop | < 2.6.0 | Peng Zhou (zpbrent) from Shanghai University | | +| [PDSA-2023-020](./advisory/pdsa-2023-020.md) | Command injection in _wget_download | < 2.6.0 | huntr.com | | +| [PDSA-2023-019](./advisory/pdsa-2023-019.md) | Command injection in get_online_pass_interval | < 2.6.0 | huntr.com | | +| [PDSA-2023-018](./advisory/pdsa-2023-018.md) | Heap buffer overflow in paddle.repeat_interleave | < 2.6.0 | Tong Liu of CAS-IIE | | +| [PDSA-2023-017](./advisory/pdsa-2023-017.md) | FPE in paddle.amin | < 2.6.0 | Tong Liu of CAS-IIE | | +| [PDSA-2023-016](./advisory/pdsa-2023-016.md) | Stack overflow in paddle.linalg.lu_unpack | < 2.6.0 | Tong Liu of CAS-IIE | | +| [PDSA-2023-015](./advisory/pdsa-2023-015.md) | FPE in paddle.lerp | < 2.6.0 | Tong Liu of CAS-IIE | | +| [PDSA-2023-014](./advisory/pdsa-2023-014.md) | FPE in paddle.topk | < 2.6.0 | Tong Liu of CAS-IIE | | +| [PDSA-2023-013](./advisory/pdsa-2023-013.md) | Stack overflow in paddle.searchsorted | < 2.6.0 | Tong Liu of CAS-IIE | | +| [PDSA-2023-012](./advisory/pdsa-2023-012.md) | Segfault in paddle.put_along_axis | < 2.6.0 | Tong Liu of CAS-IIE | | +| [PDSA-2023-011](./advisory/pdsa-2023-011.md) | Null pointer dereference in paddle.nextafter | < 2.6.0 | Tong Liu of CAS-IIE | | +| [PDSA-2023-010](./advisory/pdsa-2023-010.md) | Segfault in paddle.mode | < 2.6.0 | Tong Liu of CAS-IIE | | +| [PDSA-2023-009](./advisory/pdsa-2023-009.md) | FPE in paddle.linalg.eig | < 2.6.0 | Tong Liu of CAS-IIE | | +| [PDSA-2023-008](./advisory/pdsa-2023-008.md) | Segfault in paddle.dot | < 2.6.0 | Tong Liu of CAS-IIE | | +| [PDSA-2023-007](./advisory/pdsa-2023-007.md) | FPE in paddle.linalg.matrix_rank | < 2.6.0 | Tong Liu of ShanghaiTech University | | +| 
[PDSA-2023-006](./advisory/pdsa-2023-006.md) | FPE in paddle.nanmedian | < 2.6.0 | Tong Liu of ShanghaiTech University | | +| [PDSA-2023-005](./advisory/pdsa-2023-005.md) | Command injection in fs.py | < 2.5.0 | Xiaochen Guo from Huazhong University of Science and Technology | | +| [PDSA-2023-004](./advisory/pdsa-2023-004.md) | FPE in paddle.linalg.matrix_power | < 2.5.0 | Tong Liu of ShanghaiTech University | | +| [PDSA-2023-003](./advisory/pdsa-2023-003.md) | Heap buffer overflow in paddle.trace | < 2.5.0 | Tong Liu of ShanghaiTech University | | +| [PDSA-2023-002](./advisory/pdsa-2023-002.md) | Null pointer dereference in paddle.flip | < 2.5.0 | Tong Liu of ShanghaiTech University | | +| [PDSA-2023-001](./advisory/pdsa-2023-001.md) | Use after free in paddle.diagonal | < 2.5.0 | Tong Liu of ShanghaiTech University | | +| [PDSA-2022-002](./advisory/pdsa-2022-002.md) | Code injection in paddle.audio.functional.get_window | = 2.4.0-rc0 | Tong Liu of ShanghaiTech University | | +| [PDSA-2022-001](./advisory/pdsa-2022-001.md) | OOB read in gather_tree | < 2.4 | Wang Xuan(王旋) of Qihoo 360 AIVul Team | | diff --git a/security/README_cn.md b/security/README_cn.md index 49223df8844f3..0cd8a9743b5be 100644 --- a/security/README_cn.md +++ b/security/README_cn.md 
@@ -4,15 +4,33 @@ -注:我们非常建议飞桨用户阅读和理解[SECURITY_cn.md](../SECURITY_cn.md)所介绍的飞桨安全模型,以便更好地了解此安全公告。 +*注*:我们非常建议飞桨用户阅读和理解[SECURITY_cn.md](../SECURITY_cn.md)所介绍的飞桨安全模型,以便更好地了解此安全公告。 -| 安全公告编号 | 类型 | 受影响版本 | 报告者 | 备注 | -|-------------------------------------------------|------------------------------------------------------|:------------:|-----------------------------------------------------------------|----| -| [PDSA-2023-005](./advisory/pdsa-2023-005_cn.md) | Command injection in fs.py | < 2.5.0 | Xiaochen Guo from Huazhong University of Science and Technology | | -| [PDSA-2023-004](./advisory/pdsa-2023-004_cn.md) | FPE in paddle.linalg.matrix_power | < 2.5.0 | Tong Liu of ShanghaiTech University | | -| [PDSA-2023-003](./advisory/pdsa-2023-003_cn.md) | Heap buffer overflow in paddle.trace | < 2.5.0 | Tong Liu of ShanghaiTech University | | -| [PDSA-2023-002](./advisory/pdsa-2023-002_cn.md) | Null pointer dereference in paddle.flip | < 2.5.0 | Tong Liu of ShanghaiTech University | | -| [PDSA-2023-001](./advisory/pdsa-2023-001_cn.md) | Use after free in paddle.diagonal | < 2.5.0 | Tong Liu of ShanghaiTech University | | -| [PDSA-2022-002](./advisory/pdsa-2022-002_cn.md) | Code injection in paddle.audio.functional.get_window | = 2.4.0-rc0 | Tong Liu of ShanghaiTech University | | -| [PDSA-2022-001](./advisory/pdsa-2022-001_cn.md) | OOB read in gather_tree | < 2.4 | Wang Xuan(王旋) of Qihoo 360 AIVul Team | | +| 安全公告编号 | 类型 | 受影响版本 | 报告者 | 备注 | +|-------------------------------------------------|------------------------------------------------------|:-----------:|-----------------------------------------------------------------|----| +| [PDSA-2023-023](./advisory/pdsa-2023-023_cn.md) | Command injection in convert_shape_compare | < 2.6.0 | leeya_bug | | +| [PDSA-2023-022](./advisory/pdsa-2023-022_cn.md) | FPE in paddle.argmin and paddle.argmax | < 2.6.0 | Peng Zhou (zpbrent) from Shanghai University | | +| [PDSA-2023-021](./advisory/pdsa-2023-021_cn.md) | Null pointer 
dereference in paddle.crop | < 2.6.0 | Peng Zhou (zpbrent) from Shanghai University | | +| [PDSA-2023-020](./advisory/pdsa-2023-020_cn.md) | Command injection in _wget_download | < 2.6.0 | huntr.com | | +| [PDSA-2023-019](./advisory/pdsa-2023-019_cn.md) | Command injection in get_online_pass_interval | < 2.6.0 | huntr.com | | +| [PDSA-2023-018](./advisory/pdsa-2023-018_cn.md) | Heap buffer overflow in paddle.repeat_interleave | < 2.6.0 | Tong Liu of CAS-IIE | | +| [PDSA-2023-017](./advisory/pdsa-2023-017_cn.md) | FPE in paddle.amin | < 2.6.0 | Tong Liu of CAS-IIE | | +| [PDSA-2023-016](./advisory/pdsa-2023-016_cn.md) | Stack overflow in paddle.linalg.lu_unpack | < 2.6.0 | Tong Liu of CAS-IIE | | +| [PDSA-2023-015](./advisory/pdsa-2023-015_cn.md) | FPE in paddle.lerp | < 2.6.0 | Tong Liu of CAS-IIE | | +| [PDSA-2023-014](./advisory/pdsa-2023-014_cn.md) | FPE in paddle.topk | < 2.6.0 | Tong Liu of CAS-IIE | | +| [PDSA-2023-013](./advisory/pdsa-2023-013_cn.md) | Stack overflow in paddle.searchsorted | < 2.6.0 | Tong Liu of CAS-IIE | | +| [PDSA-2023-012](./advisory/pdsa-2023-012_cn.md) | Segfault in paddle.put_along_axis | < 2.6.0 | Tong Liu of CAS-IIE | | +| [PDSA-2023-011](./advisory/pdsa-2023-011_cn.md) | Null pointer dereference in paddle.nextafter | < 2.6.0 | Tong Liu of CAS-IIE | | +| [PDSA-2023-010](./advisory/pdsa-2023-010_cn.md) | Segfault in paddle.mode | < 2.6.0 | Tong Liu of CAS-IIE | | +| [PDSA-2023-009](./advisory/pdsa-2023-009_cn.md) | FPE in paddle.linalg.eig | < 2.6.0 | Tong Liu of CAS-IIE | | +| [PDSA-2023-008](./advisory/pdsa-2023-008_cn.md) | Segfault in paddle.dot | < 2.6.0 | Tong Liu of CAS-IIE | | +| [PDSA-2023-007](./advisory/pdsa-2023-007_cn.md) | FPE in paddle.linalg.matrix_rank | < 2.6.0 | Tong Liu of ShanghaiTech University | | +| [PDSA-2023-006](./advisory/pdsa-2023-006_cn.md) | FPE in paddle.nanmedian | < 2.6.0 | Tong Liu of ShanghaiTech University | | +| [PDSA-2023-005](./advisory/pdsa-2023-005_cn.md) | Command injection in fs.py | < 
2.5.0 | Xiaochen Guo from Huazhong University of Science and Technology | | +| [PDSA-2023-004](./advisory/pdsa-2023-004_cn.md) | FPE in paddle.linalg.matrix_power | < 2.5.0 | Tong Liu of ShanghaiTech University | | +| [PDSA-2023-003](./advisory/pdsa-2023-003_cn.md) | Heap buffer overflow in paddle.trace | < 2.5.0 | Tong Liu of ShanghaiTech University | | +| [PDSA-2023-002](./advisory/pdsa-2023-002_cn.md) | Null pointer dereference in paddle.flip | < 2.5.0 | Tong Liu of ShanghaiTech University | | +| [PDSA-2023-001](./advisory/pdsa-2023-001_cn.md) | Use after free in paddle.diagonal | < 2.5.0 | Tong Liu of ShanghaiTech University | | +| [PDSA-2022-002](./advisory/pdsa-2022-002_cn.md) | Code injection in paddle.audio.functional.get_window | = 2.4.0-rc0 | Tong Liu of ShanghaiTech University | | +| [PDSA-2022-001](./advisory/pdsa-2022-001_cn.md) | OOB read in gather_tree | < 2.4 | Wang Xuan(王旋) of Qihoo 360 AIVul Team | | diff --git a/security/README_ja.md b/security/README_ja.md index 4bd0b984c5834..1841cfe8aa6fb 100644 --- a/security/README_ja.md +++ b/security/README_ja.md 
@@ -7,12 +7,30 @@ PaddlePaddle の使用に関するセキュリティ勧告を定期的に発表 *注*: これらのセキュリティ勧告と併せ、PaddlePaddle ユーザーには [SECURITY.md](../SECURITY_ja.md) に記載されている PaddlePaddle のセキュリティモデルを読み、理解することを強くお勧めします。 -| アドバイザリー番号 | タイプ | 対象バージョン | 報告者 | 追加情報 | -|----------------------------------------------|------------------------------------------------------|:-----------------:|------------------------------------------------------------------|------------------------| -| [PDSA-2023-005](./advisory/pdsa-2023-005.md) | Command injection in fs.py | < 2.5.0 | Xiaochen Guo from Huazhong University of Science and Technology | | -| [PDSA-2023-004](./advisory/pdsa-2023-004.md) | FPE in paddle.linalg.matrix_power | < 2.5.0 | Tong Liu of ShanghaiTech University | | -| [PDSA-2023-003](./advisory/pdsa-2023-003.md) | Heap buffer overflow in paddle.trace | < 2.5.0 | Tong Liu of ShanghaiTech University | | -| [PDSA-2023-002](./advisory/pdsa-2023-002.md) | Null pointer dereference in paddle.flip | < 2.5.0 | Tong Liu of ShanghaiTech University | | -| [PDSA-2023-001](./advisory/pdsa-2023-001.md) | Use after free in paddle.diagonal | < 2.5.0 | Tong Liu of ShanghaiTech University | | -| [PDSA-2022-002](./advisory/pdsa-2022-002.md) | Code injection in paddle.audio.functional.get_window | = 2.4.0-rc0 | Tong Liu of ShanghaiTech University | | -| [PDSA-2022-001](./advisory/pdsa-2022-001.md) | OOB read in gather_tree | < 2.4 | Wang Xuan(王旋) of Qihoo 360 AIVul Team | | +| アドバイザリー番号 | タイプ | 対象バージョン | 報告者 | 追加情報 | +|----------------------------------------------|------------------------------------------------------|:-----------:|-----------------------------------------------------------------|------| +| [PDSA-2023-023](./advisory/pdsa-2023-023.md) | Command injection in convert_shape_compare | < 2.6.0 | leeya_bug | | +| [PDSA-2023-022](./advisory/pdsa-2023-022.md) | FPE in paddle.argmin and paddle.argmax | < 2.6.0 | Peng Zhou (zpbrent) from Shanghai University | | +| [PDSA-2023-021](./advisory/pdsa-2023-021.md) | Null 
pointer dereference in paddle.crop | < 2.6.0 | Peng Zhou (zpbrent) from Shanghai University | | +| [PDSA-2023-020](./advisory/pdsa-2023-020.md) | Command injection in _wget_download | < 2.6.0 | huntr.com | | +| [PDSA-2023-019](./advisory/pdsa-2023-019.md) | Command injection in get_online_pass_interval | < 2.6.0 | huntr.com | | +| [PDSA-2023-018](./advisory/pdsa-2023-018.md) | Heap buffer overflow in paddle.repeat_interleave | < 2.6.0 | Tong Liu of CAS-IIE | | +| [PDSA-2023-017](./advisory/pdsa-2023-017.md) | FPE in paddle.amin | < 2.6.0 | Tong Liu of CAS-IIE | | +| [PDSA-2023-016](./advisory/pdsa-2023-016.md) | Stack overflow in paddle.linalg.lu_unpack | < 2.6.0 | Tong Liu of CAS-IIE | | +| [PDSA-2023-015](./advisory/pdsa-2023-015.md) | FPE in paddle.lerp | < 2.6.0 | Tong Liu of CAS-IIE | | +| [PDSA-2023-014](./advisory/pdsa-2023-014.md) | FPE in paddle.topk | < 2.6.0 | Tong Liu of CAS-IIE | | +| [PDSA-2023-013](./advisory/pdsa-2023-013.md) | Stack overflow in paddle.searchsorted | < 2.6.0 | Tong Liu of CAS-IIE | | +| [PDSA-2023-012](./advisory/pdsa-2023-012.md) | Segfault in paddle.put_along_axis | < 2.6.0 | Tong Liu of CAS-IIE | | +| [PDSA-2023-011](./advisory/pdsa-2023-011.md) | Null pointer dereference in paddle.nextafter | < 2.6.0 | Tong Liu of CAS-IIE | | +| [PDSA-2023-010](./advisory/pdsa-2023-010.md) | Segfault in paddle.mode | < 2.6.0 | Tong Liu of CAS-IIE | | +| [PDSA-2023-009](./advisory/pdsa-2023-009.md) | FPE in paddle.linalg.eig | < 2.6.0 | Tong Liu of CAS-IIE | | +| [PDSA-2023-008](./advisory/pdsa-2023-008.md) | Segfault in paddle.dot | < 2.6.0 | Tong Liu of CAS-IIE | | +| [PDSA-2023-007](./advisory/pdsa-2023-007.md) | FPE in paddle.linalg.matrix_rank | < 2.6.0 | Tong Liu of ShanghaiTech University | | +| [PDSA-2023-006](./advisory/pdsa-2023-006.md) | FPE in paddle.nanmedian | < 2.6.0 | Tong Liu of ShanghaiTech University | | +| [PDSA-2023-005](./advisory/pdsa-2023-005.md) | Command injection in fs.py | < 2.5.0 | Xiaochen Guo from Huazhong 
University of Science and Technology | | +| [PDSA-2023-004](./advisory/pdsa-2023-004.md) | FPE in paddle.linalg.matrix_power | < 2.5.0 | Tong Liu of ShanghaiTech University | | +| [PDSA-2023-003](./advisory/pdsa-2023-003.md) | Heap buffer overflow in paddle.trace | < 2.5.0 | Tong Liu of ShanghaiTech University | | +| [PDSA-2023-002](./advisory/pdsa-2023-002.md) | Null pointer dereference in paddle.flip | < 2.5.0 | Tong Liu of ShanghaiTech University | | +| [PDSA-2023-001](./advisory/pdsa-2023-001.md) | Use after free in paddle.diagonal | < 2.5.0 | Tong Liu of ShanghaiTech University | | +| [PDSA-2022-002](./advisory/pdsa-2022-002.md) | Code injection in paddle.audio.functional.get_window | = 2.4.0-rc0 | Tong Liu of ShanghaiTech University | | +| [PDSA-2022-001](./advisory/pdsa-2022-001.md) | OOB read in gather_tree | < 2.4 | Wang Xuan(王旋) of Qihoo 360 AIVul Team | | diff --git a/security/advisory/pdsa-2023-004_cn.md b/security/advisory/pdsa-2023-004_cn.md index c31c4da4f8728..11f22a45aca11 100644 --- a/security/advisory/pdsa-2023-004_cn.md +++ b/security/advisory/pdsa-2023-004_cn.md @@ -6,7 +6,7 @@ CVE-2023-38672 ### 影响 -当张量包含纬度值为0的情况,`paddle.linalg.matrix_power`会触发除0异常,导致程序运行时崩溃,PoC代码如下: +当张量包含维度值为0的情况,`paddle.linalg.matrix_power`会触发除0异常,导致程序运行时崩溃,PoC代码如下: ```python import paddle diff --git a/security/advisory/pdsa-2023-006.md b/security/advisory/pdsa-2023-006.md new file mode 100644 index 0000000000000..4997760cd5000 --- /dev/null +++ b/security/advisory/pdsa-2023-006.md 
@@ -0,0 +1,31 @@ +## PDSA-2023-006: FPE in paddle.nanmedian + +### CVE Number + +CVE-2023-38674 + +### Impact + +When `x` dim calculates `stride` to 0, `paddle.nanmedian` triggers FPE by `numel / stride`. The PoC is as follows: + +```python +import paddle +import numpy as np + +x = np.random.uniform(0,0,[0,0,0,0,0]).astype(np.float32) +x = paddle.to_tensor(x) +paddle.nanmedian(x) +``` + +### Patches + +We have patched the issue in commit [9bb6c669206c4bcc3ce3f6daf8a55650e190c1a1](https://github.com/PaddlePaddle/Paddle/pull/55644/commits/9bb6c669206c4bcc3ce3f6daf8a55650e190c1a1). +The fix will be included in PaddlePaddle 2.6.0. + +### For more information + +Please consult [our security guide](../../SECURITY.md) for more information regarding the security model and how to contact us with issues and questions. + +### Attribution + +This vulnerability has been reported by Tong Liu of ShanghaiTech University. diff --git a/security/advisory/pdsa-2023-006_cn.md b/security/advisory/pdsa-2023-006_cn.md new file mode 100644 index 0000000000000..e8ac803c033d6 --- /dev/null +++ b/security/advisory/pdsa-2023-006_cn.md @@ -0,0 +1,31 @@ +## PDSA-2023-006: FPE in paddle.nanmedian + +### CVE编号 + +CVE-2023-38674 + +### 影响 + +当由`x`的dim计算的`stride`为0时,`paddle.nanmedian`会由`numel / stride`触发除0异常,PoC代码如下: + +```python +import paddle +import numpy as np + +x = np.random.uniform(0,0,[0,0,0,0,0]).astype(np.float32) +x = paddle.to_tensor(x) +paddle.nanmedian(x) +``` + +### 补丁 + +我们在commit [9bb6c669206c4bcc3ce3f6daf8a55650e190c1a1](https://github.com/PaddlePaddle/Paddle/pull/55644/commits/9bb6c669206c4bcc3ce3f6daf8a55650e190c1a1)中对此问题进行了补丁。 +修复将包含在飞桨2.6.0版本当中。 + +### 更多信息 + +请参考我们的[安全指南](../../SECURITY_cn.md)以获得更多关于安全的信息,以及如何与我们联系问题。 + +### 贡献者 + +此漏洞由 Tong Liu of ShanghaiTech University 提交。 diff --git a/security/advisory/pdsa-2023-007.md b/security/advisory/pdsa-2023-007.md new file mode 100644 index 0000000000000..f61223193cabf --- /dev/null +++ b/security/advisory/pdsa-2023-007.md 
@@ -0,0 +1,31 @@ +## PDSA-2023-007: FPE in paddle.linalg.matrix_rank + +### CVE Number + +CVE-2023-38675 + +### Impact + +When `x` dim calculates `rows` or `cols` to 0, `paddle.linalg.matrix_rank` triggers FPE by `numel / (rows * cols)`. The PoC is as follows: + +```python +import paddle +import numpy as np + +x = np.random.uniform(0,0,[0,0,0,0,0]).astype(np.float32) +x = paddle.to_tensor(x) +paddle.linalg.matrix_rank(x) +``` + +### Patches + +We have patched the issue in commit [9bb6c669206c4bcc3ce3f6daf8a55650e190c1a1](https://github.com/PaddlePaddle/Paddle/pull/55644/commits/9bb6c669206c4bcc3ce3f6daf8a55650e190c1a1). +The fix will be included in PaddlePaddle 2.6.0. + +### For more information + +Please consult [our security guide](../../SECURITY.md) for more information regarding the security model and how to contact us with issues and questions. + +### Attribution + +This vulnerability has been reported by Tong Liu of ShanghaiTech University. diff --git a/security/advisory/pdsa-2023-007_cn.md b/security/advisory/pdsa-2023-007_cn.md new file mode 100644 index 0000000000000..0572aa1767b36 --- /dev/null +++ b/security/advisory/pdsa-2023-007_cn.md @@ -0,0 +1,31 @@ +## PDSA-2023-007: FPE in paddle.linalg.matrix_rank + +### CVE编号 + +CVE-2023-38675 + +### 影响 + +当由`x`的dim计算的`rows`或者`cols`为0时,`paddle.linalg.matrix_rank`会由`numel / (rows * cols)`触发除0异常,PoC代码如下: + +```python +import paddle +import numpy as np + +x = np.random.uniform(0,0,[0,0,0,0,0]).astype(np.float32) +x = paddle.to_tensor(x) +paddle.linalg.matrix_rank(x) +``` + +### 补丁 + +我们在commit [9bb6c669206c4bcc3ce3f6daf8a55650e190c1a1](https://github.com/PaddlePaddle/Paddle/pull/55644/commits/9bb6c669206c4bcc3ce3f6daf8a55650e190c1a1)中对此问题进行了补丁。 +修复将包含在飞桨2.6.0版本当中。 + +### 更多信息 + +请参考我们的[安全指南](../../SECURITY_cn.md)以获得更多关于安全的信息,以及如何与我们联系问题。 + +### 贡献者 + +此漏洞由 Tong Liu of ShanghaiTech University 提交。 
diff --git a/security/advisory/pdsa-2023-008.md b/security/advisory/pdsa-2023-008.md new file mode 100644 index 0000000000000..8994abd90fc23 --- /dev/null +++ b/security/advisory/pdsa-2023-008.md @@ -0,0 +1,31 @@ +## PDSA-2023-008: Segfault in paddle.dot + +### CVE Number + +CVE-2023-38676 + +### Impact + +Segfault occurs when `x` and `y` shape is 0 in `paddle.dot`. The PoC is as follows: + +```python +import paddle +import numpy as np + +x = paddle.to_tensor(np.random.uniform(-6666666, 100000000, [0, 0]).astype(np.float32)) +y = paddle.to_tensor(np.random.uniform(-6666666, 100000000, [0, 0]).astype(np.float32)) +paddle.dot(x, y) +``` + +### Patches + +We have patched the issue in commit [19da5c0c4d8c5e4dfef2a92e24141c3f51884dcc](https://github.com/PaddlePaddle/Paddle/commit/19da5c0c4d8c5e4dfef2a92e24141c3f51884dcc). +The fix will be included in PaddlePaddle 2.6.0. + +### For more information + +Please consult [our security guide](../../SECURITY.md) for more information regarding the security model and how to contact us with issues and questions. + +### Attribution + +This vulnerability has been reported by Tong Liu of CAS-IIE. diff --git a/security/advisory/pdsa-2023-008_cn.md b/security/advisory/pdsa-2023-008_cn.md new file mode 100644 index 0000000000000..92052de2f3809 --- /dev/null +++ b/security/advisory/pdsa-2023-008_cn.md 
@@ -0,0 +1,31 @@ +## PDSA-2023-008: Segfault in paddle.dot + +### CVE编号 + +CVE-2023-38676 + +### 影响 + +在`paddle.dot`中当`x`和`y`的shape为0时,将造成segfault,PoC代码如下: + +```python +import paddle +import numpy as np + +x = paddle.to_tensor(np.random.uniform(-6666666, 100000000, [0, 0]).astype(np.float32)) +y = paddle.to_tensor(np.random.uniform(-6666666, 100000000, [0, 0]).astype(np.float32)) +paddle.dot(x, y) +``` + +### 补丁 + +我们在commit [19da5c0c4d8c5e4dfef2a92e24141c3f51884dcc](https://github.com/PaddlePaddle/Paddle/commit/19da5c0c4d8c5e4dfef2a92e24141c3f51884dcc)中对此问题进行了补丁。 +修复将包含在飞桨2.6.0版本当中。 + +### 更多信息 + +请参考我们的[安全指南](../../SECURITY_cn.md)以获得更多关于安全的信息,以及如何与我们联系问题。 + +### 贡献者 + +此漏洞由 Tong Liu of CAS-IIE 提交。 diff --git a/security/advisory/pdsa-2023-009.md b/security/advisory/pdsa-2023-009.md new file mode 100644 index 0000000000000..2f0450f9eb4e3 --- /dev/null +++ b/security/advisory/pdsa-2023-009.md @@ -0,0 +1,31 @@ +## PDSA-2023-009: FPE in paddle.linalg.eig + +### CVE Number + +CVE-2023-38677 + +### Impact + +When tensor dims contain 0, `paddle.linalg.eig` will trigger a float point exception. The PoC is as follows: + +```python +import paddle +import numpy as np + +x = paddle.to_tensor(np.random.uniform(-6666666, 100000000, [3, 6, 0, 2, 2]).astype(np.float32)) + +paddle.linalg.eig(x) +``` + +### Patches + +We have patched the issue in commit [19da5c0c4d8c5e4dfef2a92e24141c3f51884dcc](https://github.com/PaddlePaddle/Paddle/commit/19da5c0c4d8c5e4dfef2a92e24141c3f51884dcc). +The fix will be included in PaddlePaddle 2.6.0. + +### For more information + +Please consult [our security guide](../../SECURITY.md) for more information regarding the security model and how to contact us with issues and questions. + +### Attribution + +This vulnerability has been reported by Tong Liu of CAS-IIE. diff --git a/security/advisory/pdsa-2023-009_cn.md b/security/advisory/pdsa-2023-009_cn.md new file mode 100644 index 0000000000000..a212a2320c890 --- /dev/null 
+++ b/security/advisory/pdsa-2023-009_cn.md @@ -0,0 +1,31 @@ +## PDSA-2023-009: FPE in paddle.linalg.eig + +### CVE编号 + +CVE-2023-38677 + +### 影响 + +当张量包含维度值为0的情况,`paddle.linalg.eig`会触发除0异常,PoC代码如下: + +```python +import paddle +import numpy as np + +x = paddle.to_tensor(np.random.uniform(-6666666, 100000000, [3, 6, 0, 2, 2]).astype(np.float32)) + +paddle.linalg.eig(x) +``` + +### 补丁 + +我们在commit [19da5c0c4d8c5e4dfef2a92e24141c3f51884dcc](https://github.com/PaddlePaddle/Paddle/commit/19da5c0c4d8c5e4dfef2a92e24141c3f51884dcc)中对此问题进行了补丁。 +修复将包含在飞桨2.6.0版本当中。 + +### 更多信息 + +请参考我们的[安全指南](../../SECURITY_cn.md)以获得更多关于安全的信息,以及如何与我们联系问题。 + +### 贡献者 + +此漏洞由 Tong Liu of CAS-IIE 提交。 diff --git a/security/advisory/pdsa-2023-010.md b/security/advisory/pdsa-2023-010.md new file mode 100644 index 0000000000000..3f1c65f6c91c4 --- /dev/null +++ b/security/advisory/pdsa-2023-010.md @@ -0,0 +1,33 @@ +## PDSA-2023-010: Segfault in paddle.mode + +### CVE Number + +CVE-2023-38678 + +### Impact + +Invalid `axis` and `dim_size` may cause `paddle.mode` segfault . The PoC is as follows: + +```python +import paddle +import numpy as np + +paddle.mode( + x=paddle.to_tensor(np.random.uniform(-6666666, 100000000, []).astype(np.float64)), + axis=paddle.to_tensor(np.random.uniform(-2147483648, 2147483647, []).astype(np.int32)), + keepdim=True +) +``` + +### Patches + +We have patched the issue in commit [19da5c0c4d8c5e4dfef2a92e24141c3f51884dcc](https://github.com/PaddlePaddle/Paddle/commit/19da5c0c4d8c5e4dfef2a92e24141c3f51884dcc). +The fix will be included in PaddlePaddle 2.6.0. + +### For more information + +Please consult [our security guide](../../SECURITY.md) for more information regarding the security model and how to contact us with issues and questions. + +### Attribution + +This vulnerability has been reported by Tong Liu of CAS-IIE. diff --git a/security/advisory/pdsa-2023-010_cn.md b/security/advisory/pdsa-2023-010_cn.md new file mode 100644 index 0000000000000..f72cd8af85636 
--- /dev/null +++ b/security/advisory/pdsa-2023-010_cn.md @@ -0,0 +1,33 @@ +## PDSA-2023-010: Segfault in paddle.mode + +### CVE编号 + +CVE-2023-38678 + +### 影响 + +接收异常的`axis`和`dim_size`可能会造成`paddle.mode`发生segfault,PoC代码如下: + +```python +import paddle +import numpy as np + +paddle.mode( + x=paddle.to_tensor(np.random.uniform(-6666666, 100000000, []).astype(np.float64)), + axis=paddle.to_tensor(np.random.uniform(-2147483648, 2147483647, []).astype(np.int32)), + keepdim=True +) +``` + +### 补丁 + +我们在commit [19da5c0c4d8c5e4dfef2a92e24141c3f51884dcc](https://github.com/PaddlePaddle/Paddle/commit/19da5c0c4d8c5e4dfef2a92e24141c3f51884dcc)中对此问题进行了补丁。 +修复将包含在飞桨2.6.0版本当中。 + +### 更多信息 + +请参考我们的[安全指南](../../SECURITY_cn.md)以获得更多关于安全的信息,以及如何与我们联系问题。 + +### 贡献者 + +此漏洞由 Tong Liu of CAS-IIE 提交。 diff --git a/security/advisory/pdsa-2023-011.md b/security/advisory/pdsa-2023-011.md new file mode 100644 index 0000000000000..da7985dede7d0 --- /dev/null +++ b/security/advisory/pdsa-2023-011.md @@ -0,0 +1,32 @@ +## PDSA-2023-011: Null pointer dereference in paddle.nextafter + +### CVE Number + +CVE-2023-52302 + +### Impact + +Null pointer dereference in `paddle.nextafter` when tensor dims are invalid . The PoC is as follows: + +```python +import paddle +import numpy as np + +paddle.nextafter( + x=paddle.to_tensor(np.random.uniform(-6666666, 100000000, [1, 2]).astype(np.float32)), + y=paddle.to_tensor(np.random.uniform(-6666666, 100000000, [0, 0, 0, 0, 0]).astype(np.float32)) +) +``` + +### Patches + +We have patched the issue in commit [19da5c0c4d8c5e4dfef2a92e24141c3f51884dcc](https://github.com/PaddlePaddle/Paddle/commit/19da5c0c4d8c5e4dfef2a92e24141c3f51884dcc). +The fix will be included in PaddlePaddle 2.6.0. + +### For more information + +Please consult [our security guide](../../SECURITY.md) for more information regarding the security model and how to contact us with issues and questions. + +### Attribution + +This vulnerability has been reported by Tong Liu of CAS-IIE. 
diff --git a/security/advisory/pdsa-2023-011_cn.md b/security/advisory/pdsa-2023-011_cn.md new file mode 100644 index 0000000000000..71440ac2c5d9a --- /dev/null +++ b/security/advisory/pdsa-2023-011_cn.md @@ -0,0 +1,32 @@ +## PDSA-2023-011: Null pointer dereference in paddle.nextafter + +### CVE编号 + +CVE-2023-52302 + +### 影响 + +输入张量的维度异常时,`paddle.nextafter`会引发空指针解引用,PoC代码如下: + +```python +import paddle +import numpy as np + +paddle.nextafter( + x=paddle.to_tensor(np.random.uniform(-6666666, 100000000, [1, 2]).astype(np.float32)), + y=paddle.to_tensor(np.random.uniform(-6666666, 100000000, [0, 0, 0, 0, 0]).astype(np.float32)) +) +``` + +### 补丁 + +我们在commit [19da5c0c4d8c5e4dfef2a92e24141c3f51884dcc](https://github.com/PaddlePaddle/Paddle/commit/19da5c0c4d8c5e4dfef2a92e24141c3f51884dcc)中对此问题进行了补丁。 +修复将包含在飞桨2.6.0版本当中。 + +### 更多信息 + +请参考我们的[安全指南](../../SECURITY_cn.md)以获得更多关于安全的信息,以及如何与我们联系问题。 + +### 贡献者 + +此漏洞由 Tong Liu of CAS-IIE 提交。 diff --git a/security/advisory/pdsa-2023-012.md b/security/advisory/pdsa-2023-012.md new file mode 100644 index 0000000000000..f659d35615447 --- /dev/null +++ b/security/advisory/pdsa-2023-012.md 
@@ -0,0 +1,35 @@ +## PDSA-2023-012: Segfault in paddle.put_along_axis + +### CVE Number + +CVE-2023-52303 + +### Impact + +Segfault in `paddle.put_along_axis` when tensor dims are invalid . The PoC is as follows: + +```python +import paddle +import numpy as np + +paddle.put_along_axis( + arr=paddle.to_tensor(np.random.uniform(-2147483648, 2147483647, [1]).astype(np.int32)), + indices=paddle.to_tensor(np.random.uniform(-9223372036854775808, 9223372036854775807, [1]).astype(np.int64)), + values=paddle.to_tensor(np.random.uniform(-2147483648, 2147483647, []).astype(np.int32)), + axis=0, + reduce="assign" +) +``` + +### Patches + +We have patched the issue in commit [19da5c0c4d8c5e4dfef2a92e24141c3f51884dcc](https://github.com/PaddlePaddle/Paddle/commit/19da5c0c4d8c5e4dfef2a92e24141c3f51884dcc). +The fix will be included in PaddlePaddle 2.6.0. + +### For more information + +Please consult [our security guide](../../SECURITY.md) for more information regarding the security model and how to contact us with issues and questions. + +### Attribution + +This vulnerability has been reported by Tong Liu of CAS-IIE. diff --git a/security/advisory/pdsa-2023-012_cn.md b/security/advisory/pdsa-2023-012_cn.md new file mode 100644 index 0000000000000..234961cded235 --- /dev/null +++ b/security/advisory/pdsa-2023-012_cn.md 
@@ -0,0 +1,35 @@ +## PDSA-2023-012: Segfault in paddle.put_along_axis + +### CVE编号 + +CVE-2023-52303 + +### 影响 + +输入张量的维度异常时,`paddle.put_along_axis`会引发segfault,PoC代码如下: + +```python +import paddle +import numpy as np + +paddle.put_along_axis( + arr=paddle.to_tensor(np.random.uniform(-2147483648, 2147483647, [1]).astype(np.int32)), + indices=paddle.to_tensor(np.random.uniform(-9223372036854775808, 9223372036854775807, [1]).astype(np.int64)), + values=paddle.to_tensor(np.random.uniform(-2147483648, 2147483647, []).astype(np.int32)), + axis=0, + reduce="assign" +) +``` + +### 补丁 + +我们在commit [19da5c0c4d8c5e4dfef2a92e24141c3f51884dcc](https://github.com/PaddlePaddle/Paddle/commit/19da5c0c4d8c5e4dfef2a92e24141c3f51884dcc)中对此问题进行了补丁。 +修复将包含在飞桨2.6.0版本当中。 + +### 更多信息 + +请参考我们的[安全指南](../../SECURITY_cn.md)以获得更多关于安全的信息,以及如何与我们联系问题。 + +### 贡献者 + +此漏洞由 Tong Liu of CAS-IIE 提交。 diff --git a/security/advisory/pdsa-2023-013.md b/security/advisory/pdsa-2023-013.md new file mode 100644 index 0000000000000..53deab6f3c346 --- /dev/null +++ b/security/advisory/pdsa-2023-013.md 
@@ -0,0 +1,32 @@ +## PDSA-2023-013: Stack overflow in paddle.searchsorted + +### CVE Number + +CVE-2023-52304 + +### Impact + +Invalid shapes cuase stack buffer overflow in `paddle.searchsorted`. The PoC is as follows: + +```python +import paddle +import numpy as np + +sorted_sequence = paddle.to_tensor(np.array(0)) +values = paddle.to_tensor(np.random.uniform(-10, 10, []).astype(np.float64)) + +paddle.searchsorted(sorted_sequence, values, out_int32=True, right=True) +``` + +### Patches + +We have patched the issue in commit [19da5c0c4d8c5e4dfef2a92e24141c3f51884dcc](https://github.com/PaddlePaddle/Paddle/commit/19da5c0c4d8c5e4dfef2a92e24141c3f51884dcc). +The fix will be included in PaddlePaddle 2.6.0. + +### For more information + +Please consult [our security guide](../../SECURITY.md) for more information regarding the security model and how to contact us with issues and questions. + +### Attribution + +This vulnerability has been reported by Tong Liu of CAS-IIE. diff --git a/security/advisory/pdsa-2023-013_cn.md b/security/advisory/pdsa-2023-013_cn.md new file mode 100644 index 0000000000000..c5210242f651f --- /dev/null +++ b/security/advisory/pdsa-2023-013_cn.md @@ -0,0 +1,32 @@ +## PDSA-2023-013: Stack overflow in paddle.searchsorted + +### CVE编号 + +CVE-2023-52304 + +### 影响 + +不正确的shapes会引发`paddle.searchsorted`栈溢出,PoC代码如下: + +```python +import paddle +import numpy as np + +sorted_sequence = paddle.to_tensor(np.array(0)) +values = paddle.to_tensor(np.random.uniform(-10, 10, []).astype(np.float64)) + +paddle.searchsorted(sorted_sequence, values, out_int32=True, right=True) +``` + +### 补丁 + +我们在commit [19da5c0c4d8c5e4dfef2a92e24141c3f51884dcc](https://github.com/PaddlePaddle/Paddle/commit/19da5c0c4d8c5e4dfef2a92e24141c3f51884dcc)中对此问题进行了补丁。 +修复将包含在飞桨2.6.0版本当中。 + +### 更多信息 + +请参考我们的[安全指南](../../SECURITY_cn.md)以获得更多关于安全的信息,以及如何与我们联系问题。 + +### 贡献者 + +此漏洞由 Tong Liu of CAS-IIE 提交。 
diff --git a/security/advisory/pdsa-2023-014.md b/security/advisory/pdsa-2023-014.md new file mode 100644 index 0000000000000..1792f3b21e8fa --- /dev/null +++ b/security/advisory/pdsa-2023-014.md @@ -0,0 +1,32 @@ +## PDSA-2023-014: FPE in paddle.topk + +### CVE Number + +CVE-2023-52305 + +### Impact + +FPE in `paddle.topk` when `x` and `k` dims not correct. The PoC is as follows: + +```python +import paddle +import numpy as np + +x = paddle.to_tensor(np.random.uniform(-6666666, 100000000, [6, 2, 1, 4, 2, 0]).astype(np.float64)) +k = paddle.to_tensor(np.array(1).astype(np.int32)) + +paddle.topk(x, k, axis=2,largest=False, sorted=True) +``` + +### Patches + +We have patched the issue in commit [19da5c0c4d8c5e4dfef2a92e24141c3f51884dcc](https://github.com/PaddlePaddle/Paddle/commit/19da5c0c4d8c5e4dfef2a92e24141c3f51884dcc). +The fix will be included in PaddlePaddle 2.6.0. + +### For more information + +Please consult [our security guide](../../SECURITY.md) for more information regarding the security model and how to contact us with issues and questions. + +### Attribution + +This vulnerability has been reported by Tong Liu of CAS-IIE. diff --git a/security/advisory/pdsa-2023-014_cn.md b/security/advisory/pdsa-2023-014_cn.md new file mode 100644 index 0000000000000..d1be63be148d2 --- /dev/null +++ b/security/advisory/pdsa-2023-014_cn.md 
@@ -0,0 +1,32 @@ +## PDSA-2023-014: FPE in paddle.topk + +### CVE编号 + +CVE-2023-52305 + +### 影响 + +当`x`和`k`的dims不符合要求时,可能导致`paddle.topk`除0异常,PoC代码如下: + +```python +import paddle +import numpy as np + +x = paddle.to_tensor(np.random.uniform(-6666666, 100000000, [6, 2, 1, 4, 2, 0]).astype(np.float64)) +k = paddle.to_tensor(np.array(1).astype(np.int32)) + +paddle.topk(x, k, axis=2,largest=False, sorted=True) +``` + +### 补丁 + +我们在commit [19da5c0c4d8c5e4dfef2a92e24141c3f51884dcc](https://github.com/PaddlePaddle/Paddle/commit/19da5c0c4d8c5e4dfef2a92e24141c3f51884dcc)中对此问题进行了补丁。 +修复将包含在飞桨2.6.0版本当中。 + +### 更多信息 + +请参考我们的[安全指南](../../SECURITY_cn.md)以获得更多关于安全的信息,以及如何与我们联系问题。 + +### 贡献者 + +此漏洞由 Tong Liu of CAS-IIE 提交。 diff --git a/security/advisory/pdsa-2023-015.md b/security/advisory/pdsa-2023-015.md new file mode 100644 index 0000000000000..6830516e0505b --- /dev/null +++ b/security/advisory/pdsa-2023-015.md @@ -0,0 +1,33 @@ +## PDSA-2023-015: FPE in paddle.lerp + +### CVE Number + +CVE-2023-52306 + +### Impact + +FPE in `paddle.lerp` when tensor shape is invalid. The PoC is as follows: + +```python +import paddle +import numpy as np + +x = paddle.to_tensor(np.random.uniform(-6666666, 100000000, []).astype(np.float64)) +y = paddle.to_tensor(np.random.uniform(-6666666, 100000000, [4, 0, 0, 2, 6]).astype(np.float64)) +weight = paddle.to_tensor(np.random.uniform(-6666666, 100000000, []).astype(np.float64)) + +paddle.lerp(x, y, weight) +``` + +### Patches + +We have patched the issue in commit [19da5c0c4d8c5e4dfef2a92e24141c3f51884dcc](https://github.com/PaddlePaddle/Paddle/commit/19da5c0c4d8c5e4dfef2a92e24141c3f51884dcc). +The fix will be included in PaddlePaddle 2.6.0. + +### For more information + +Please consult [our security guide](../../SECURITY.md) for more information regarding the security model and how to contact us with issues and questions. + +### Attribution + +This vulnerability has been reported by Tong Liu of CAS-IIE. 
diff --git a/security/advisory/pdsa-2023-015_cn.md b/security/advisory/pdsa-2023-015_cn.md new file mode 100644 index 0000000000000..7daa17bfff490 --- /dev/null +++ b/security/advisory/pdsa-2023-015_cn.md @@ -0,0 +1,33 @@ +## PDSA-2023-015: FPE in paddle.lerp + +### CVE编号 + +CVE-2023-52306 + +### 影响 + +不合法的张量shape可能导致`paddle.lerp`除0异常,PoC代码如下: + +```python +import paddle +import numpy as np + +x = paddle.to_tensor(np.random.uniform(-6666666, 100000000, []).astype(np.float64)) +y = paddle.to_tensor(np.random.uniform(-6666666, 100000000, [4, 0, 0, 2, 6]).astype(np.float64)) +weight = paddle.to_tensor(np.random.uniform(-6666666, 100000000, []).astype(np.float64)) + +paddle.lerp(x, y, weight) +``` + +### 补丁 + +我们在commit [19da5c0c4d8c5e4dfef2a92e24141c3f51884dcc](https://github.com/PaddlePaddle/Paddle/commit/19da5c0c4d8c5e4dfef2a92e24141c3f51884dcc)中对此问题进行了补丁。 +修复将包含在飞桨2.6.0版本当中。 + +### 更多信息 + +请参考我们的[安全指南](../../SECURITY_cn.md)以获得更多关于安全的信息,以及如何与我们联系问题。 + +### 贡献者 + +此漏洞由 Tong Liu of CAS-IIE 提交。 diff --git a/security/advisory/pdsa-2023-016.md b/security/advisory/pdsa-2023-016.md new file mode 100644 index 0000000000000..2c6e93e3f8771 --- /dev/null +++ b/security/advisory/pdsa-2023-016.md 
@@ -0,0 +1,32 @@ +## PDSA-2023-016: Stack overflow in paddle.linalg.lu_unpack + +### CVE Number + +CVE-2023-52307 + +### Impact + +Invalid shapes cuase stack buffer overflow in `paddle.linalg.lu_unpack`. The PoC is as follows: + +```python +import paddle +import numpy as np + +x = paddle.to_tensor(np.random.uniform(-6666666, 100000000, [1, 6, 4, 8, 2]).astype(np.float32)) +y = paddle.to_tensor(np.random.uniform(-2147483648, 2147483647, []).astype(np.int32)) + +paddle.linalg.lu_unpack(x, y, True, True) +``` + +### Patches + +We have patched the issue in commit [10093636a10f29f73f13729b33570d8cafd58fb6](https://github.com/PaddlePaddle/Paddle/pull/56311/commits/10093636a10f29f73f13729b33570d8cafd58fb6). +The fix will be included in PaddlePaddle 2.6.0. + +### For more information + +Please consult [our security guide](../../SECURITY.md) for more information regarding the security model and how to contact us with issues and questions. + +### Attribution + +This vulnerability has been reported by Tong Liu of CAS-IIE. diff --git a/security/advisory/pdsa-2023-016_cn.md b/security/advisory/pdsa-2023-016_cn.md new file mode 100644 index 0000000000000..cdad03e02dce4 --- /dev/null +++ b/security/advisory/pdsa-2023-016_cn.md 
@@ -0,0 +1,32 @@ +## PDSA-2023-016: Stack overflow in paddle.linalg.lu_unpack + +### CVE编号 + +CVE-2023-52307 + +### 影响 + +不正确的shapes会引发`paddle.linalg.lu_unpack`栈溢出,PoC代码如下: + +```python +import paddle +import numpy as np + +x = paddle.to_tensor(np.random.uniform(-6666666, 100000000, [1, 6, 4, 8, 2]).astype(np.float32)) +y = paddle.to_tensor(np.random.uniform(-2147483648, 2147483647, []).astype(np.int32)) + +paddle.linalg.lu_unpack(x, y, True, True) +``` + +### 补丁 + +我们在commit [10093636a10f29f73f13729b33570d8cafd58fb6](https://github.com/PaddlePaddle/Paddle/pull/56311/commits/10093636a10f29f73f13729b33570d8cafd58fb6)中对此问题进行了补丁。 +修复将包含在飞桨2.6.0版本当中。 + +### 更多信息 + +请参考我们的[安全指南](../../SECURITY_cn.md)以获得更多关于安全的信息,以及如何与我们联系问题。 + +### 贡献者 + +此漏洞由 Tong Liu of CAS-IIE 提交。 diff --git a/security/advisory/pdsa-2023-017.md b/security/advisory/pdsa-2023-017.md new file mode 100644 index 0000000000000..2d65947f7be85 --- /dev/null +++ b/security/advisory/pdsa-2023-017.md @@ -0,0 +1,33 @@ +## PDSA-2023-017: FPE in paddle.amin + +### CVE Number + +CVE-2023-52308 + +### Impact + +FPE in `paddle.amin` when `x` has invalid dims. The PoC is as follows: + +```python +import paddle +import numpy as np + +paddle.amin( + x=paddle.to_tensor(np.random.uniform(-6666666, 100000000, [0, 0, 6, 3]).astype(np.float32)), + axis=-1, + keepdim=True +) +``` + +### Patches + +We have patched the issue in commit [19da5c0c4d8c5e4dfef2a92e24141c3f51884dcc](https://github.com/PaddlePaddle/Paddle/commit/19da5c0c4d8c5e4dfef2a92e24141c3f51884dcc). +The fix will be included in PaddlePaddle 2.6.0. + +### For more information + +Please consult [our security guide](../../SECURITY.md) for more information regarding the security model and how to contact us with issues and questions. + +### Attribution + +This vulnerability has been reported by Tong Liu of CAS-IIE. diff --git a/security/advisory/pdsa-2023-017_cn.md b/security/advisory/pdsa-2023-017_cn.md new file mode 100644 index 0000000000000..ac04896e1ffeb 
--- /dev/null +++ b/security/advisory/pdsa-2023-017_cn.md @@ -0,0 +1,33 @@ +## PDSA-2023-017: FPE in paddle.amin + +### CVE编号 + +CVE-2023-52308 + +### 影响 + +当`x` dims不符合要求时,可能导致`paddle.amin`除0异常,PoC代码如下: + +```python +import paddle +import numpy as np + +paddle.amin( + x=paddle.to_tensor(np.random.uniform(-6666666, 100000000, [0, 0, 6, 3]).astype(np.float32)), + axis=-1, + keepdim=True +) +``` + +### 补丁 + +我们在commit [19da5c0c4d8c5e4dfef2a92e24141c3f51884dcc](https://github.com/PaddlePaddle/Paddle/commit/19da5c0c4d8c5e4dfef2a92e24141c3f51884dcc)中对此问题进行了补丁。 +修复将包含在飞桨2.6.0版本当中。 + +### 更多信息 + +请参考我们的[安全指南](../../SECURITY_cn.md)以获得更多关于安全的信息,以及如何与我们联系问题。 + +### 贡献者 + +此漏洞由 Tong Liu of CAS-IIE 提交。 diff --git a/security/advisory/pdsa-2023-018.md b/security/advisory/pdsa-2023-018.md new file mode 100644 index 0000000000000..6dbec29738b2f --- /dev/null +++ b/security/advisory/pdsa-2023-018.md @@ -0,0 +1,32 @@ +## PDSA-2023-018: Heap buffer overflow in paddle.repeat_interleave + +### CVE Number + +CVE-2023-52309 + +### Impact + +Heap buffer overflow in `paddle.repeat_interleave` by using invalid params. The PoC is as follows: + +```python +import paddle +import numpy as np + +x = paddle.to_tensor(np.random.uniform(-6666666, 100000000, [4, 4, 8, 3, 2, 4]).astype(np.float64)) +repeats = paddle.to_tensor(np.random.uniform(-2147483648, 2147483647, [2, 1]).astype(np.int32)) + +paddle.repeat_interleave(x, repeats, axis=-2) +``` + +### Patches + +We have patched the issue in commit [19da5c0c4d8c5e4dfef2a92e24141c3f51884dcc](https://github.com/PaddlePaddle/Paddle/commit/19da5c0c4d8c5e4dfef2a92e24141c3f51884dcc). +The fix will be included in PaddlePaddle 2.6.0. + +### For more information + +Please consult [our security guide](../../SECURITY.md) for more information regarding the security model and how to contact us with issues and questions. + +### Attribution + +This vulnerability has been reported by Tong Liu of CAS-IIE. 
diff --git a/security/advisory/pdsa-2023-018_cn.md b/security/advisory/pdsa-2023-018_cn.md new file mode 100644 index 0000000000000..9680099b47d83 --- /dev/null +++ b/security/advisory/pdsa-2023-018_cn.md @@ -0,0 +1,32 @@ +## PDSA-2023-018: Heap buffer overflow in paddle.repeat_interleave + +### CVE编号 + +CVE-2023-52309 + +### 影响 + +非法的参数可能导致`paddle.repeat_interleave`堆溢出,PoC代码如下: + +```python +import paddle +import numpy as np + +x = paddle.to_tensor(np.random.uniform(-6666666, 100000000, [4, 4, 8, 3, 2, 4]).astype(np.float64)) +repeats = paddle.to_tensor(np.random.uniform(-2147483648, 2147483647, [2, 1]).astype(np.int32)) + +paddle.repeat_interleave(x, repeats, axis=-2) +``` + +### 补丁 + +我们在commit [19da5c0c4d8c5e4dfef2a92e24141c3f51884dcc](https://github.com/PaddlePaddle/Paddle/commit/19da5c0c4d8c5e4dfef2a92e24141c3f51884dcc)中对此问题进行了补丁。 +修复将包含在飞桨2.6.0版本当中。 + +### 更多信息 + +请参考我们的[安全指南](../../SECURITY_cn.md)以获得更多关于安全的信息,以及如何与我们联系问题。 + +### 贡献者 + +此漏洞由 Tong Liu of CAS-IIE 提交。 diff --git a/security/advisory/pdsa-2023-019.md b/security/advisory/pdsa-2023-019.md new file mode 100644 index 0000000000000..c496895190bc8 --- /dev/null +++ b/security/advisory/pdsa-2023-019.md 
@@ -0,0 +1,35 @@ +## PDSA-2023-019: Command injection in get_online_pass_interval + +### CVE Number + +CVE-2023-52310 + +### Impact + +Command injection in `get_online_pass_interval` which could lead to execute arbitrary commands. The PoC is as follows: + +```python +from paddle.incubate.distributed.fleet.fleet_util import FleetUtil + +fleet_util = FleetUtil() +online_pass_interval = fleet_util.get_online_pass_interval( + days="{20190720..20190729}", + hours="9;touch /home/test/aaaa", + split_interval=5, + split_per_pass=2, + is_data_hourly_placed=False +) +``` + +### Patches + +We have patched the issue in commit [1aae481dfd7d2055c801563e254f1484b974b68e](https://github.com/PaddlePaddle/Paddle/pull/60023/commits/1aae481dfd7d2055c801563e254f1484b974b68e). +The fix will be included in PaddlePaddle 2.6.0. + +### For more information + +Please consult [our security guide](../../SECURITY.md) for more information regarding the security model and how to contact us with issues and questions. + +### Attribution + +This vulnerability has been reported by huntr.com. diff --git a/security/advisory/pdsa-2023-019_cn.md b/security/advisory/pdsa-2023-019_cn.md new file mode 100644 index 0000000000000..8bab64810ad41 --- /dev/null +++ b/security/advisory/pdsa-2023-019_cn.md 
@@ -0,0 +1,35 @@ +## PDSA-2023-019: Command injection in get_online_pass_interval + +### CVE编号 + +CVE-2023-52310 + +### 影响 + +`get_online_pass_interval`存在命令注入漏洞,可造成任意命令执行,PoC代码如下: + +```python +from paddle.incubate.distributed.fleet.fleet_util import FleetUtil + +fleet_util = FleetUtil() +online_pass_interval = fleet_util.get_online_pass_interval( + days="{20190720..20190729}", + hours="9;touch /home/test/aaaa", + split_interval=5, + split_per_pass=2, + is_data_hourly_placed=False +) +``` + +### 补丁 + +我们在commit [1aae481dfd7d2055c801563e254f1484b974b68e](https://github.com/PaddlePaddle/Paddle/pull/60023/commits/1aae481dfd7d2055c801563e254f1484b974b68e)中对此问题进行了补丁。 +修复将包含在飞桨2.6.0版本当中。 + +### 更多信息 + +请参考我们的[安全指南](../../SECURITY_cn.md)以获得更多关于安全的信息,以及如何与我们联系问题。 + +### 贡献者 + +此漏洞由 huntr.com 提交。 diff --git a/security/advisory/pdsa-2023-020.md b/security/advisory/pdsa-2023-020.md new file mode 100644 index 0000000000000..ed3a5966d6ca6 --- /dev/null +++ b/security/advisory/pdsa-2023-020.md @@ -0,0 +1,28 @@ +## PDSA-2023-020: Command injection in _wget_download + +### CVE Number + +CVE-2023-52311 + +### Impact + +Command injection in `_wget_download` which could lead to execute arbitrary commands. The PoC is as follows: + +```python +from paddle import utils + +utils.download._wget_download("aa; touch codexecution", "bb") +``` + +### Patches + +We have patched the issue in commit [d5550d3f2f5bab48c783b4986ba1cd8e061ce542](https://github.com/PaddlePaddle/Paddle/pull/59957/commits/d5550d3f2f5bab48c783b4986ba1cd8e061ce542). +The fix will be included in PaddlePaddle 2.6.0. + +### For more information + +Please consult [our security guide](../../SECURITY.md) for more information regarding the security model and how to contact us with issues and questions. + +### Attribution + +This vulnerability has been reported by huntr.com. diff --git a/security/advisory/pdsa-2023-020_cn.md b/security/advisory/pdsa-2023-020_cn.md new file mode 100644 index 0000000000000..a6bd1321592e6 
--- /dev/null +++ b/security/advisory/pdsa-2023-020_cn.md @@ -0,0 +1,28 @@ +## PDSA-2023-020: Command injection in _wget_download + +### CVE编号 + +CVE-2023-52311 + +### 影响 + +`_wget_download`存在命令注入漏洞,可造成任意命令执行,PoC代码如下: + +```python +from paddle import utils + +utils.download._wget_download("aa; touch codexecution", "bb") +``` + +### 补丁 + +我们在commit [d5550d3f2f5bab48c783b4986ba1cd8e061ce542](https://github.com/PaddlePaddle/Paddle/pull/59957/commits/d5550d3f2f5bab48c783b4986ba1cd8e061ce542)中对此问题进行了补丁。 +修复将包含在飞桨2.6.0版本当中。 + +### 更多信息 + +请参考我们的[安全指南](../../SECURITY_cn.md)以获得更多关于安全的信息,以及如何与我们联系问题。 + +### 贡献者 + +此漏洞由 huntr.com 提交。 diff --git a/security/advisory/pdsa-2023-021.md b/security/advisory/pdsa-2023-021.md new file mode 100644 index 0000000000000..6a8ec45b33e23 --- /dev/null +++ b/security/advisory/pdsa-2023-021.md @@ -0,0 +1,33 @@ +## PDSA-2023-021: Null pointer dereference in paddle.crop + +### CVE Number + +CVE-2023-52312 + +### Impact + +Null pointer dereference in `paddle.crop` when tensor dims are invalid . The PoC is as follows: + +```python +import paddle +import numpy as np + +x = paddle.to_tensor(np.random.uniform(0, 10, [2, 2]).astype(np.int32)) +shape = paddle.to_tensor([-1, 0], dtype='int32') +offsets = paddle.to_tensor([], dtype='int32') + +out = paddle.crop(x, shape, offsets) +``` + +### Patches + +We have patched the issue in commit [c074de6911944d5d30d28cc7ce2c7099f1c87bce](https://github.com/PaddlePaddle/Paddle/pull/59967/commits/c074de6911944d5d30d28cc7ce2c7099f1c87bce). +The fix will be included in PaddlePaddle 2.6.0. + +### For more information + +Please consult [our security guide](../../SECURITY.md) for more information regarding the security model and how to contact us with issues and questions. + +### Attribution + +This vulnerability has been reported by Peng Zhou (zpbrent) from Shanghai University. 
diff --git a/security/advisory/pdsa-2023-021_cn.md b/security/advisory/pdsa-2023-021_cn.md new file mode 100644 index 0000000000000..eff0b0c2225aa --- /dev/null +++ b/security/advisory/pdsa-2023-021_cn.md @@ -0,0 +1,33 @@ +## PDSA-2023-021: Null pointer dereference in paddle.crop + +### CVE编号 + +CVE-2023-52312 + +### 影响 + +输入张量的维度异常时,`paddle.crop`会引发空指针解引用,PoC代码如下: + +```python +import paddle +import numpy as np + +x = paddle.to_tensor(np.random.uniform(0, 10, [2, 2]).astype(np.int32)) +shape = paddle.to_tensor([-1, 0], dtype='int32') +offsets = paddle.to_tensor([], dtype='int32') + +out = paddle.crop(x, shape, offsets) +``` + +### 补丁 + +我们在commit [c074de6911944d5d30d28cc7ce2c7099f1c87bce](https://github.com/PaddlePaddle/Paddle/pull/59967/commits/c074de6911944d5d30d28cc7ce2c7099f1c87bce)中对此问题进行了补丁。 +修复将包含在飞桨2.6.0版本当中。 + +### 更多信息 + +请参考我们的[安全指南](../../SECURITY_cn.md)以获得更多关于安全的信息,以及如何与我们联系问题。 + +### 贡献者 + +此漏洞由 Peng Zhou (zpbrent) from Shanghai University 提交。 diff --git a/security/advisory/pdsa-2023-022.md b/security/advisory/pdsa-2023-022.md new file mode 100644 index 0000000000000..b5b3b3519c9c0 --- /dev/null +++ b/security/advisory/pdsa-2023-022.md 
@@ -0,0 +1,30 @@ +## PDSA-2023-022: FPE in paddle.argmin and paddle.argmax + +### CVE Number + +CVE-2023-52313 + +### Impact + +FPE in `paddle.argmin` and `paddle.argmax` when input `x.numel()` is 0. The PoC is as follows: + +```python +import paddle + +data = paddle.to_tensor([], dtype="int32") + +paddle.argmax(data, axis=0) +``` + +### Patches + +We have patched the issue in commit [41eda9080b12e6f1b3a49cdc8439a1b9f1ed6794](https://github.com/PaddlePaddle/Paddle/pull/59976/commits/41eda9080b12e6f1b3a49cdc8439a1b9f1ed6794). +The fix will be included in PaddlePaddle 2.6.0. + +### For more information + +Please consult [our security guide](../../SECURITY.md) for more information regarding the security model and how to contact us with issues and questions. + +### Attribution + +This vulnerability has been reported by Peng Zhou (zpbrent) from Shanghai University. diff --git a/security/advisory/pdsa-2023-022_cn.md b/security/advisory/pdsa-2023-022_cn.md new file mode 100644 index 0000000000000..d7c57f9439495 --- /dev/null +++ b/security/advisory/pdsa-2023-022_cn.md @@ -0,0 +1,30 @@ +## PDSA-2023-022: FPE in paddle.argmin and paddle.argmax + +### CVE编号 + +CVE-2023-52313 + +### 影响 + +输入`x.numel()`为0时`paddle.argmin`和`paddle.argmax`会引发除0异常,PoC代码如下: + +```python +import paddle + +data = paddle.to_tensor([], dtype="int32") + +paddle.argmax(data, axis=0) +``` + +### 补丁 + +我们在commit [41eda9080b12e6f1b3a49cdc8439a1b9f1ed6794](https://github.com/PaddlePaddle/Paddle/pull/59976/commits/41eda9080b12e6f1b3a49cdc8439a1b9f1ed6794)中对此问题进行了补丁。 +修复将包含在飞桨2.6.0版本当中。 + +### 更多信息 + +请参考我们的[安全指南](../../SECURITY_cn.md)以获得更多关于安全的信息,以及如何与我们联系问题。 + +### 贡献者 + +此漏洞由 Peng Zhou (zpbrent) from Shanghai University 提交。 diff --git a/security/advisory/pdsa-2023-023.md b/security/advisory/pdsa-2023-023.md new file mode 100644 index 0000000000000..c2671f7f87adc --- /dev/null +++ b/security/advisory/pdsa-2023-023.md 
@@ -0,0 +1,28 @@ +## PDSA-2023-023: Command injection in convert_shape_compare + +### CVE Number + +CVE-2023-52314 + +### Impact + +Command injection in `convert_shape_compare` which could lead to execute arbitrary commands. The PoC is as follows: + +```python +import paddle + +paddle.jit.dy2static.convert_operators.convert_shape_compare('prefix','+ str(__import__("os").system("cat /etc/passwd")) +','1') +``` + +### Patches + +We have patched the issue in commit [c3b6414eb313480f1417abe92d410dfe89723097](https://github.com/PaddlePaddle/Paddle/pull/60097/commits/c3b6414eb313480f1417abe92d410dfe89723097). +The fix will be included in PaddlePaddle 2.6.0. + +### For more information + +Please consult [our security guide](../../SECURITY.md) for more information regarding the security model and how to contact us with issues and questions. + +### Attribution + +This vulnerability has been reported by leeya_bug. diff --git a/security/advisory/pdsa-2023-023_cn.md b/security/advisory/pdsa-2023-023_cn.md new file mode 100644 index 0000000000000..3de87a4d70767 --- /dev/null +++ b/security/advisory/pdsa-2023-023_cn.md @@ -0,0 +1,28 @@ +## PDSA-2023-023: Command injection in convert_shape_compare + +### CVE编号 + +CVE-2023-52314 + +### 影响 + +`convert_shape_compare`存在命令注入漏洞,可造成任意命令执行,PoC代码如下: + +```python +import paddle + +paddle.jit.dy2static.convert_operators.convert_shape_compare('prefix','+ str(__import__("os").system("cat /etc/passwd")) +','1') +``` + +### 补丁 + +我们在commit [c3b6414eb313480f1417abe92d410dfe89723097](https://github.com/PaddlePaddle/Paddle/pull/60097/commits/c3b6414eb313480f1417abe92d410dfe89723097)中对此问题进行了补丁。 +修复将包含在飞桨2.6.0版本当中。 + +### 更多信息 + +请参考我们的[安全指南](../../SECURITY_cn.md)以获得更多关于安全的信息,以及如何与我们联系问题。 + +### 贡献者 + +此漏洞由 leeya_bug 提交。
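Review bot: In pdsa-2023-013.md and pdsa-2023-016.md the Impact sentence reads "Invalid shapes cuase stack buffer overflow"; "cuase" should be "cause". The titles of both files say "Stack overflow" while the body says "stack buffer overflow". These name different bug classes (stack exhaustion versus an out-of-bounds write to a stack buffer), so the title should use the same term as the body.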
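Review bot: The Impact lines in pdsa-2023-014.md ("when `x` and `k` dims not correct"), pdsa-2023-015.md ("when tensor shape is invalid") and pdsa-2023-017.md ("when `x` has invalid dims") do not say which shapes are invalid. Each PoC passes a tensor with a zero-length dimension (`[6, 2, 1, 4, 2, 0]`, `[4, 0, 0, 2, 6]`, `[0, 0, 6, 3]`); if that is the trigger, state it the way pdsa-2023-022.md does ("when input `x.numel()` is 0") so users can write an input check against it. "FPE" is also never expanded in the English files, while the _cn files describe it as a divide-by-zero exception; spell it out on first use.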
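Review bot: Several PoCs draw their inputs from `np.random.uniform` over the full integer range, for example `repeats` in pdsa-2023-018.md and `indices` in pdsa-2023-012_cn.md, so every run feeds different values and the advisory does not show whether the shape or the value causes the fault. Replace the random draws with fixed literals so the reproduction is deterministic and any regression test derived from it is stable.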
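Review bot: The Patches links are inconsistent across the new files: pdsa-2023-012 through -015, -017 and -018 link `/commit/19da5c0c...`, while pdsa-2023-016 and -019 through -023 link a commit inside a pull request (`/pull/56311/commits/...`, `/pull/60023/commits/...` and so on). A pull-request commit hash is not guaranteed to exist on the release branch after a squash or rebase merge, so link the merged commit to let users check whether their build contains the fix. Each advisory also says only "The fix will be included in PaddlePaddle 2.6.0"; add an explicit affected-versions line to each file.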
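Review bot: In pdsa-2023-019.md, pdsa-2023-020.md and pdsa-2023-023.md, "which could lead to execute arbitrary commands" is ungrammatical; "which could lead to arbitrary command execution" reads correctly. In pdsa-2023-023.md the PoC payload is a Python expression (`__import__("os").system(...)`), unlike the `;`-separated shell payloads in 019 and 020, which indicates the argument is evaluated as Python code; "Code injection" would classify it more precisely than "Command injection". None of the three advisories tells users who cannot upgrade what to do; a line stating that these functions must not receive untrusted input would cover that.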
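Review bot: pdsa-2023-021.md has a stray space before the period in "when tensor dims are invalid . The PoC". The PoC there passes both an empty `offsets` tensor and a `shape` of `[-1, 0]`, and the Impact line does not say which of the two is the invalid input; name the offending argument so callers know what to validate.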