From bfc45e34b306ef5581c63ed69352940c4fff4e4e Mon Sep 17 00:00:00 2001 From: Vigi Zhang Date: Tue, 1 Nov 2022 11:45:44 +0800 Subject: [PATCH] add pdsa-2022-002 (#47486) --- security/README.md | 1 + security/README_cn.md | 1 + security/advisory/pdsa-2022-002.md | 33 +++++++++++++++++++++++++++ security/advisory/pdsa-2022-002_cn.md | 33 +++++++++++++++++++++++++++ 4 files changed, 68 insertions(+) create mode 100644 security/advisory/pdsa-2022-002.md create mode 100644 security/advisory/pdsa-2022-002_cn.md diff --git a/security/README.md b/security/README.md index cb01299927..eefde5344e 100644 --- a/security/README.md +++ b/security/README.md @@ -10,3 +10,4 @@ We regularly publish security advisories about using PaddlePaddle. | Advisory Number | Type | Versions affected | Reported by | Additional Information | |----------------------------------------------|-------------------------|:-----------------:|---------------------------------------|------------------------| | [PDSA-2022-001](./advisory/pdsa-2022-001.md) | OOB read in gather_tree | < 2.4 | Wang Xuan(王旋) of Qihoo 360 AIVul Team | | +| [PDSA-2022-002](./advisory/pdsa-2022-002.md) | Code injection in paddle.audio.functional.get_window | = 2.4.0-rc0 | Tong Liu of ShanghaiTech University | | diff --git a/security/README_cn.md b/security/README_cn.md index a91f5ce459..1beba5c1fa 100644 --- a/security/README_cn.md +++ b/security/README_cn.md @@ -10,3 +10,4 @@ | 安全公告编号 | 类型 | 受影响版本 | 报告者 | 备注 | |-------------------------------------------------|-------------------------|:-----:|---------------------------------------|-----| | [PDSA-2022-001](./advisory/pdsa-2022-001_cn.md) | OOB read in gather_tree | < 2.4 | Wang Xuan(王旋) of Qihoo 360 AIVul Team | | +| [PDSA-2022-002](./advisory/pdsa-2022-002_cn.md) | Code injection in paddle.audio.functional.get_window | = 2.4.0-rc0 | Tong Liu of ShanghaiTech University | | diff --git a/security/advisory/pdsa-2022-002.md b/security/advisory/pdsa-2022-002.md new file mode 100644 index 0000000000..efb8e93172 --- /dev/null +++ b/security/advisory/pdsa-2022-002.md @@ -0,0 +1,33 @@ +## PDSA-2022-002: Code injection in paddle.audio.functional.get_window + +### Impact + +`paddle.audio.functional.get_windowis` vulnerable to a code injection as it calls `eval` on user supplied `winstr`. This may lead to arbitrary code execution. + +```python +def get_window( + window: Union[str, Tuple[str, float]], + win_length: int, + fftbins: bool = True, + dtype: str = 'float64', +) -> Tensor: + ... + try: + winfunc = eval('_' + winstr) + except NameError as e: + raise ValueError("Unknown window type.") from e +``` + +### Patches + +We have patched the issue in commit [26c419ca386aeae3c461faf2b828d00b48e908eb](https://github.com/PaddlePaddle/Paddle/commit/26c419ca386aeae3c461faf2b828d00b48e908eb). + +The fix will be included in PaddlePaddle 2.4. + +### For more information + +Please consult [our security guide](../../SECURITY.md) for more information regarding the security model and how to contact us with issues and questions. + +### Attribution + +This vulnerability has been reported by Tong Liu of ShanghaiTech University. diff --git a/security/advisory/pdsa-2022-002_cn.md b/security/advisory/pdsa-2022-002_cn.md new file mode 100644 index 0000000000..84fc365fbb --- /dev/null +++ b/security/advisory/pdsa-2022-002_cn.md @@ -0,0 +1,33 @@ +## PDSA-2022-002: Code injection in paddle.audio.functional.get_window + +### 影响 + +`paddle.audio.functional.get_window`由于使用`eval`用户提供的参数`winstr`而存在代码注入漏洞,将导致任意代码执行。 + +```python +def get_window( + window: Union[str, Tuple[str, float]], + win_length: int, + fftbins: bool = True, + dtype: str = 'float64', +) -> Tensor: + ... + try: + winfunc = eval('_' + winstr) + except NameError as e: + raise ValueError("Unknown window type.") from e +``` + +### 补丁 + +我们在commit [26c419ca386aeae3c461faf2b828d00b48e908eb](https://github.com/PaddlePaddle/Paddle/commit/26c419ca386aeae3c461faf2b828d00b48e908eb)中对此问题进行了补丁。 + +修复将包含在飞桨2.4版本当中。 + +### 更多信息 + +请参考我们的[安全指南](../../SECURITY_cn.md)以获得更多关于安全的信息,以及如何与我们联系问题。 + +### 贡献者 + +此漏洞由 Tong Liu of ShanghaiTech University 提交。 -- GitLab