From 23c05f2f0c8991950c3f011a5ad626f05ec486e3 Mon Sep 17 00:00:00 2001 From: Vigi Zhang Date: Tue, 1 Nov 2022 15:52:06 +0800 Subject: [PATCH] add pdsa-2022-002 (#47486) (#47526) --- security/README.md | 1 + security/README_cn.md | 7 +++--- security/advisory/pdsa-2022-002.md | 33 +++++++++++++++++++++++++++ security/advisory/pdsa-2022-002_cn.md | 33 +++++++++++++++++++++++++++ 4 files changed, 71 insertions(+), 3 deletions(-) create mode 100644 security/advisory/pdsa-2022-002.md create mode 100644 security/advisory/pdsa-2022-002_cn.md diff --git a/security/README.md b/security/README.md index cb01299927f..eefde5344eb 100644 --- a/security/README.md +++ b/security/README.md @@ -10,3 +10,4 @@ We regularly publish security advisories about using PaddlePaddle. | Advisory Number | Type | Versions affected | Reported by | Additional Information | |----------------------------------------------|-------------------------|:-----------------:|---------------------------------------|------------------------| | [PDSA-2022-001](./advisory/pdsa-2022-001.md) | OOB read in gather_tree | < 2.4 | Wang Xuan(王旋) of Qihoo 360 AIVul Team | | +| [PDSA-2022-002](./advisory/pdsa-2022-002.md) | Code injection in paddle.audio.functional.get_window | = 2.4.0-rc0 | Tong Liu of ShanghaiTech University | | diff --git a/security/README_cn.md b/security/README_cn.md index 57669ba01d7..1beba5c1fa7 100644 --- a/security/README_cn.md +++ b/security/README_cn.md 
@@ -7,6 +7,7 @@ 注:我们非常建议飞桨用户阅读和理解[SECURITY_cn.md](../SECURITY_cn.md)所介绍的飞桨安全模型,以便更好地了解此安全公告。 -| 安全公告编号 | 类型 | 受影响版本 | 报告者 | 备注 | -|-------------------------------------------------|-------------------------|:-----:|---------------------------------------| ----------------------| -| [PDSA-2022-001](./advisory/pdsa-2022-001_cn.md) | OOB read in gather_tree | < 2.4 | Wang Xuan(王旋) of Qihoo 360 AIVul Team | | +| 安全公告编号 | 类型 | 受影响版本 | 报告者 | 备注 | +|-------------------------------------------------|-------------------------|:-----:|---------------------------------------|-----| +| [PDSA-2022-001](./advisory/pdsa-2022-001_cn.md) | OOB read in gather_tree | < 2.4 | Wang Xuan(王旋) of Qihoo 360 AIVul Team | | +| [PDSA-2022-002](./advisory/pdsa-2022-002_cn.md) | Code injection in paddle.audio.functional.get_window | = 2.4.0-rc0 | Tong Liu of ShanghaiTech University | | diff --git a/security/advisory/pdsa-2022-002.md b/security/advisory/pdsa-2022-002.md new file mode 100644 index 00000000000..efb8e931722 --- /dev/null +++ b/security/advisory/pdsa-2022-002.md 
@@ -0,0 +1,33 @@ +## PDSA-2022-002: Code injection in paddle.audio.functional.get_window + +### Impact + +`paddle.audio.functional.get_windowis` vulnerable to a code injection as it calls `eval` on user supplied `winstr`. This may lead to arbitrary code execution. + +```python +def get_window( + window: Union[str, Tuple[str, float]], + win_length: int, + fftbins: bool = True, + dtype: str = 'float64', +) -> Tensor: + ... + try: + winfunc = eval('_' + winstr) + except NameError as e: + raise ValueError("Unknown window type.") from e +``` + +### Patches + +We have patched the issue in commit [26c419ca386aeae3c461faf2b828d00b48e908eb](https://github.com/PaddlePaddle/Paddle/commit/26c419ca386aeae3c461faf2b828d00b48e908eb). + +The fix will be included in PaddlePaddle 2.4. + +### For more information + +Please consult [our security guide](../../SECURITY.md) for more information regarding the security model and how to contact us with issues and questions. + +### Attribution + +This vulnerability has been reported by Tong Liu of ShanghaiTech University. diff --git a/security/advisory/pdsa-2022-002_cn.md b/security/advisory/pdsa-2022-002_cn.md new file mode 100644 index 00000000000..84fc365fbbc --- /dev/null +++ b/security/advisory/pdsa-2022-002_cn.md 
@@ -0,0 +1,33 @@ +## PDSA-2022-002: Code injection in paddle.audio.functional.get_window + +### 影响 + +`paddle.audio.functional.get_window`由于使用`eval`用户提供的参数`winstr`而存在代码注入漏洞,将导致任意代码执行。 + +```python +def get_window( + window: Union[str, Tuple[str, float]], + win_length: int, + fftbins: bool = True, + dtype: str = 'float64', +) -> Tensor: + ... + try: + winfunc = eval('_' + winstr) + except NameError as e: + raise ValueError("Unknown window type.") from e +``` + +### 补丁 + +我们在commit [26c419ca386aeae3c461faf2b828d00b48e908eb](https://github.com/PaddlePaddle/Paddle/commit/26c419ca386aeae3c461faf2b828d00b48e908eb)中对此问题进行了补丁。 + +修复将包含在飞桨2.4版本当中。 + +### 更多信息 + +请参考我们的[安全指南](../../SECURITY_cn.md)以获得更多关于安全的信息,以及如何与我们联系问题。 + +### 贡献者 + +此漏洞由 Tong Liu of ShanghaiTech University 提交。 -- GitLab
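Review bot: in the `security/README_cn.md` hunk, the header row, the separator row and the existing PDSA-2022-001 row are all deleted and re-added even though only their trailing whitespace and the last separator cell (`----------------------|` becoming `-----|`) change; the English `security/README.md` hunk adds the single PDSA-2022-002 row without touching the existing lines. Keeping the Chinese hunk to the one added row would make `git blame` on the table and future merges of this file cleaner.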
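Review bot: in the new `security/advisory/pdsa-2022-002.md`, the Impact sentence has a misplaced closing backtick: "`paddle.audio.functional.get_windowis` vulnerable to a code injection" should read "`paddle.audio.functional.get_window` is vulnerable to a code injection". In the same section the quoted excerpt evaluates `'_' + winstr`, but `winstr` never appears in the signature shown and its derivation from the `window` argument is hidden behind the `...`; including the line that sets `winstr` from `window` (or saying so in prose) would make clear that the attacker-controlled input is the `window` parameter. The excerpt also shows that the only guard is `except NameError`, which catches an unknown window name but not an arbitrary expression that `eval` successfully evaluates, so the advisory could state explicitly that passing a crafted string (rather than a window name) in `window` is what triggers the issue, and the Patches section could say in one sentence how the referenced commit replaces the `eval` lookup, so readers do not have to open the commit to understand the fix.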
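Review bot: in the new `security/advisory/pdsa-2022-002_cn.md`, the severity wording differs from the English advisory: the Chinese text says the flaw "将导致任意代码执行" (will lead to arbitrary code execution), whereas `pdsa-2022-002.md` says it "may lead to arbitrary code execution". The two files should make the same claim; either soften the Chinese to 可能导致 or strengthen the English, but not both readings at once. The code excerpt in this file has the same gap as the English one, in that `winstr` is used but never shown being derived from the `window` parameter, so whatever line is added there should be mirrored here.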