未验证 提交 23c05f2f 编写于 作者: V Vigi Zhang 提交者: GitHub

add pdsa-2022-002 (#47486) (#47526)

上级 5ffd4afe
...@@ -10,3 +10,4 @@ We regularly publish security advisories about using PaddlePaddle. ...@@ -10,3 +10,4 @@ We regularly publish security advisories about using PaddlePaddle.
| Advisory Number | Type | Versions affected | Reported by | Additional Information | | Advisory Number | Type | Versions affected | Reported by | Additional Information |
|----------------------------------------------|-------------------------|:-----------------:|---------------------------------------|------------------------| |----------------------------------------------|-------------------------|:-----------------:|---------------------------------------|------------------------|
| [PDSA-2022-001](./advisory/pdsa-2022-001.md) | OOB read in gather_tree | < 2.4 | Wang Xuan(王旋) of Qihoo 360 AIVul Team | | | [PDSA-2022-001](./advisory/pdsa-2022-001.md) | OOB read in gather_tree | < 2.4 | Wang Xuan(王旋) of Qihoo 360 AIVul Team | |
| [PDSA-2022-002](./advisory/pdsa-2022-002.md) | Code injection in paddle.audio.functional.get_window | = 2.4.0-rc0 | Tong Liu of ShanghaiTech University | |
...@@ -7,6 +7,7 @@ ...@@ -7,6 +7,7 @@
注:我们非常建议飞桨用户阅读和理解[SECURITY_cn.md](../SECURITY_cn.md)所介绍的飞桨安全模型,以便更好地了解此安全公告。 注:我们非常建议飞桨用户阅读和理解[SECURITY_cn.md](../SECURITY_cn.md)所介绍的飞桨安全模型,以便更好地了解此安全公告。
| 安全公告编号 | 类型 | 受影响版本 | 报告者 | 备注 | | 安全公告编号 | 类型 | 受影响版本 | 报告者 | 备注 |
|-------------------------------------------------|-------------------------|:-----:|---------------------------------------| ----------------------| |-------------------------------------------------|-------------------------|:-----:|---------------------------------------|-----|
| [PDSA-2022-001](./advisory/pdsa-2022-001_cn.md) | OOB read in gather_tree | < 2.4 | Wang Xuan(王旋) of Qihoo 360 AIVul Team | | | [PDSA-2022-001](./advisory/pdsa-2022-001_cn.md) | OOB read in gather_tree | < 2.4 | Wang Xuan(王旋) of Qihoo 360 AIVul Team | |
| [PDSA-2022-002](./advisory/pdsa-2022-002_cn.md) | Code injection in paddle.audio.functional.get_window | = 2.4.0-rc0 | Tong Liu of ShanghaiTech University | |
## PDSA-2022-002: Code injection in paddle.audio.functional.get_window
### Impact
`paddle.audio.functional.get_windowis` vulnerable to a code injection as it calls `eval` on user supplied `winstr`. This may lead to arbitrary code execution.
```python
def get_window(
window: Union[str, Tuple[str, float]],
win_length: int,
fftbins: bool = True,
dtype: str = 'float64',
) -> Tensor:
...
try:
winfunc = eval('_' + winstr)
except NameError as e:
raise ValueError("Unknown window type.") from e
```
### Patches
We have patched the issue in commit [26c419ca386aeae3c461faf2b828d00b48e908eb](https://github.com/PaddlePaddle/Paddle/commit/26c419ca386aeae3c461faf2b828d00b48e908eb).
The fix will be included in PaddlePaddle 2.4.
### For more information
Please consult [our security guide](../../SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.
### Attribution
This vulnerability has been reported by Tong Liu of ShanghaiTech University.
## PDSA-2022-002: Code injection in paddle.audio.functional.get_window
### 影响
`paddle.audio.functional.get_window`由于使用`eval`用户提供的参数`winstr`而存在代码注入漏洞,将导致任意代码执行。
```python
def get_window(
window: Union[str, Tuple[str, float]],
win_length: int,
fftbins: bool = True,
dtype: str = 'float64',
) -> Tensor:
...
try:
winfunc = eval('_' + winstr)
except NameError as e:
raise ValueError("Unknown window type.") from e
```
### 补丁
我们在commit [26c419ca386aeae3c461faf2b828d00b48e908eb](https://github.com/PaddlePaddle/Paddle/commit/26c419ca386aeae3c461faf2b828d00b48e908eb)中对此问题进行了补丁。
修复将包含在飞桨2.4版本当中。
### 更多信息
请参考我们的[安全指南](../../SECURITY_cn.md)以获得更多关于安全的信息,以及如何与我们联系问题。
### 贡献者
此漏洞由 Tong Liu of ShanghaiTech University 提交。
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册