From f9b9b8b68f8ae48e52aea1ea0215c94d76958229 Mon Sep 17 00:00:00 2001 From: Vigi Zhang Date: Wed, 26 Jul 2023 10:24:40 +0800 Subject: [PATCH] update security advisory, test=document_fix (#55690) --- security/README.md | 13 +++++++--- security/README_cn.md | 13 +++++++--- security/advisory/pdsa-2023-001.md | 35 +++++++++++++++++++++++++++ security/advisory/pdsa-2023-001_cn.md | 35 +++++++++++++++++++++++++++ security/advisory/pdsa-2023-002.md | 33 +++++++++++++++++++++++++ security/advisory/pdsa-2023-002_cn.md | 33 +++++++++++++++++++++++++ security/advisory/pdsa-2023-003.md | 35 +++++++++++++++++++++++++++ security/advisory/pdsa-2023-003_cn.md | 35 +++++++++++++++++++++++++++ security/advisory/pdsa-2023-004.md | 32 ++++++++++++++++++++++++ security/advisory/pdsa-2023-004_cn.md | 32 ++++++++++++++++++++++++ security/advisory/pdsa-2023-005.md | 29 ++++++++++++++++++++++ security/advisory/pdsa-2023-005_cn.md | 29 ++++++++++++++++++++++ 12 files changed, 346 insertions(+), 8 deletions(-) create mode 100644 security/advisory/pdsa-2023-001.md create mode 100644 security/advisory/pdsa-2023-001_cn.md create mode 100644 security/advisory/pdsa-2023-002.md create mode 100644 security/advisory/pdsa-2023-002_cn.md create mode 100644 security/advisory/pdsa-2023-003.md create mode 100644 security/advisory/pdsa-2023-003_cn.md create mode 100644 security/advisory/pdsa-2023-004.md create mode 100644 security/advisory/pdsa-2023-004_cn.md create mode 100644 security/advisory/pdsa-2023-005.md create mode 100644 security/advisory/pdsa-2023-005_cn.md diff --git a/security/README.md b/security/README.md index eefde5344eb..01559632d7d 100644 --- a/security/README.md +++ b/security/README.md 
@@ -7,7 +7,12 @@ We regularly publish security advisories about using PaddlePaddle. *Note*: In conjunction with these security advisories, we strongly encourage PaddlePaddle users to read and understand PaddlePaddle's security model as outlined in [SECURITY.md](../SECURITY.md). -| Advisory Number | Type | Versions affected | Reported by | Additional Information | -|----------------------------------------------|-------------------------|:-----------------:|---------------------------------------|------------------------| -| [PDSA-2022-001](./advisory/pdsa-2022-001.md) | OOB read in gather_tree | < 2.4 | Wang Xuan(王旋) of Qihoo 360 AIVul Team | | -| [PDSA-2022-002](./advisory/pdsa-2022-002.md) | Code injection in paddle.audio.functional.get_window | = 2.4.0-rc0 | Tong Liu of ShanghaiTech University | | +| Advisory Number | Type | Versions affected | Reported by | Additional Information | +|----------------------------------------------|------------------------------------------------------|:-----------------:|------------------------------------------------------------------|------------------------| +| [PDSA-2023-005](./advisory/pdsa-2023-005.md) | Command injection in fs.py | < 2.5.0 | Xiaochen Guo from Huazhong University of Science and Technology | | +| [PDSA-2023-004](./advisory/pdsa-2023-004.md) | FPE in paddle.linalg.matrix_power | < 2.5.0 | Tong Liu of ShanghaiTech University | | +| [PDSA-2023-003](./advisory/pdsa-2023-003.md) | Heap buffer overflow in paddle.trace | < 2.5.0 | Tong Liu of ShanghaiTech University | | +| [PDSA-2023-002](./advisory/pdsa-2023-002.md) | Null pointer dereference in paddle.flip | < 2.5.0 | Tong Liu of ShanghaiTech University | | +| [PDSA-2023-001](./advisory/pdsa-2023-001.md) | Use after free in paddle.diagonal | < 2.5.0 | Tong Liu of ShanghaiTech University | | +| [PDSA-2022-002](./advisory/pdsa-2022-002.md) | Code injection in paddle.audio.functional.get_window | = 2.4.0-rc0 | Tong Liu of ShanghaiTech University | | +| 
[PDSA-2022-001](./advisory/pdsa-2022-001.md) | OOB read in gather_tree | < 2.4 | Wang Xuan(王旋) of Qihoo 360 AIVul Team | | diff --git a/security/README_cn.md b/security/README_cn.md index 1beba5c1fa7..49223df8844 100644 --- a/security/README_cn.md +++ b/security/README_cn.md 
@@ -7,7 +7,12 @@ 注:我们非常建议飞桨用户阅读和理解[SECURITY_cn.md](../SECURITY_cn.md)所介绍的飞桨安全模型,以便更好地了解此安全公告。 -| 安全公告编号 | 类型 | 受影响版本 | 报告者 | 备注 | -|-------------------------------------------------|-------------------------|:-----:|---------------------------------------|-----| -| [PDSA-2022-001](./advisory/pdsa-2022-001_cn.md) | OOB read in gather_tree | < 2.4 | Wang Xuan(王旋) of Qihoo 360 AIVul Team | | -| [PDSA-2022-002](./advisory/pdsa-2022-002_cn.md) | Code injection in paddle.audio.functional.get_window | = 2.4.0-rc0 | Tong Liu of ShanghaiTech University | | +| 安全公告编号 | 类型 | 受影响版本 | 报告者 | 备注 | +|-------------------------------------------------|------------------------------------------------------|:------------:|-----------------------------------------------------------------|----| +| [PDSA-2023-005](./advisory/pdsa-2023-005_cn.md) | Command injection in fs.py | < 2.5.0 | Xiaochen Guo from Huazhong University of Science and Technology | | +| [PDSA-2023-004](./advisory/pdsa-2023-004_cn.md) | FPE in paddle.linalg.matrix_power | < 2.5.0 | Tong Liu of ShanghaiTech University | | +| [PDSA-2023-003](./advisory/pdsa-2023-003_cn.md) | Heap buffer overflow in paddle.trace | < 2.5.0 | Tong Liu of ShanghaiTech University | | +| [PDSA-2023-002](./advisory/pdsa-2023-002_cn.md) | Null pointer dereference in paddle.flip | < 2.5.0 | Tong Liu of ShanghaiTech University | | +| [PDSA-2023-001](./advisory/pdsa-2023-001_cn.md) | Use after free in paddle.diagonal | < 2.5.0 | Tong Liu of ShanghaiTech University | | +| [PDSA-2022-002](./advisory/pdsa-2022-002_cn.md) | Code injection in paddle.audio.functional.get_window | = 2.4.0-rc0 | Tong Liu of ShanghaiTech University | | +| [PDSA-2022-001](./advisory/pdsa-2022-001_cn.md) | OOB read in gather_tree | < 2.4 | Wang Xuan(王旋) of Qihoo 360 AIVul Team | | diff --git a/security/advisory/pdsa-2023-001.md b/security/advisory/pdsa-2023-001.md new file mode 100644 index 00000000000..36873a5cf3b --- /dev/null +++ b/security/advisory/pdsa-2023-001.md 
@@ -0,0 +1,35 @@ +## PDSA-2023-001: Use after free in paddle.diagonal + +### CVE Number + +CVE-2023-38669 + +### Impact + +Use after free in `paddle.diagonal`. The PoC is as follows: + +```python +import paddle +import numpy as np +from paddle import diagonal + +x = paddle.to_tensor(np.random.uniform(-10, 10, [1, 1, 1, 1]).astype(np.int64)) +offset = paddle.to_tensor(np.random.uniform(-10, 0, []).astype(np.int32)) +axis1 = paddle.to_tensor(np.random.uniform(-1000000, 0, []).astype(np.int32)) +axis2 = paddle.to_tensor(np.random.uniform(-10000000, 0, []).astype(np.int32)) + +diagonal(x, offset, axis1, axis2) +``` + +### Patches + +We have patched the issue in commit [43981874f5e1683b855eab871092fa9be58d6a44](https://github.com/PaddlePaddle/Paddle/commit/43981874f5e1683b855eab871092fa9be58d6a44). +The fix will be included in PaddlePaddle 2.5.0. + +### For more information + +Please consult [our security guide](../../SECURITY.md) for more information regarding the security model and how to contact us with issues and questions. + +### Attribution + +This vulnerability has been reported by Tong Liu of ShanghaiTech University. diff --git a/security/advisory/pdsa-2023-001_cn.md b/security/advisory/pdsa-2023-001_cn.md new file mode 100644 index 00000000000..92633e310b0 --- /dev/null +++ b/security/advisory/pdsa-2023-001_cn.md 
@@ -0,0 +1,35 @@ +## PDSA-2023-001: Use after free in paddle.diagonal + +### CVE编号 + +CVE-2023-38669 + +### 影响 + +`paddle.diagonal`中存在use after free,PoC代码如下: + +```python +import paddle +import numpy as np +from paddle import diagonal + +x = paddle.to_tensor(np.random.uniform(-10, 10, [1, 1, 1, 1]).astype(np.int64)) +offset = paddle.to_tensor(np.random.uniform(-10, 0, []).astype(np.int32)) +axis1 = paddle.to_tensor(np.random.uniform(-1000000, 0, []).astype(np.int32)) +axis2 = paddle.to_tensor(np.random.uniform(-10000000, 0, []).astype(np.int32)) + +diagonal(x, offset, axis1, axis2) +``` + +### 补丁 + +我们在commit [43981874f5e1683b855eab871092fa9be58d6a44](https://github.com/PaddlePaddle/Paddle/commit/43981874f5e1683b855eab871092fa9be58d6a44)中对此问题进行了补丁。 +修复将包含在飞桨2.5.0版本当中。 + +### 更多信息 + +请参考我们的[安全指南](../../SECURITY_cn.md)以获得更多关于安全的信息,以及如何与我们联系问题。 + +### 贡献者 + +此漏洞由 Tong Liu of ShanghaiTech University 提交。 diff --git a/security/advisory/pdsa-2023-002.md b/security/advisory/pdsa-2023-002.md new file mode 100644 index 00000000000..8390128e96c --- /dev/null +++ b/security/advisory/pdsa-2023-002.md 
@@ -0,0 +1,33 @@ +## PDSA-2023-002: Null pointer dereference in paddle.flip + +### CVE Number + +CVE-2023-38670 + +### Impact + +`paddle.flip` segfaults with a nullptr dereference. The PoC is as follows: + +```python +import paddle +import numpy as np +from paddle import flip + +x = paddle.to_tensor(np.random.uniform(-10, 10, [1, 2, 3]).astype(np.int64)), +axis = paddle.to_tensor(np.random.uniform(-2147483648, 2147483647, [3, 3]).astype(np.int32)) + +flip(x, axis) +``` + +### Patches + +We have patched the issue in commit [ed96baeed19b4e11b6cbc2dcc6776245ba5fab13](https://github.com/PaddlePaddle/Paddle/commit/ed96baeed19b4e11b6cbc2dcc6776245ba5fab13). +The fix will be included in PaddlePaddle 2.5.0. + +### For more information + +Please consult [our security guide](../../SECURITY.md) for more information regarding the security model and how to contact us with issues and questions. + +### Attribution + +This vulnerability has been reported by Tong Liu of ShanghaiTech University. diff --git a/security/advisory/pdsa-2023-002_cn.md b/security/advisory/pdsa-2023-002_cn.md new file mode 100644 index 00000000000..8df476d5e3b --- /dev/null +++ b/security/advisory/pdsa-2023-002_cn.md @@ -0,0 +1,33 @@ +## PDSA-2023-002: Null pointer dereference in paddle.flip + +### CVE编号 + +CVE-2023-38670 + +### 影响 + +`paddle.flip`中存在空指针解引用,将导致程序运行时崩溃,PoC代码如下: + +```python +import paddle +import numpy as np +from paddle import flip + +x = paddle.to_tensor(np.random.uniform(-10, 10, [1, 2, 3]).astype(np.int64)), +axis = paddle.to_tensor(np.random.uniform(-2147483648, 2147483647, [3, 3]).astype(np.int32)) + +flip(x, axis) +``` + +### 补丁 + +我们在commit [ed96baeed19b4e11b6cbc2dcc6776245ba5fab13](https://github.com/PaddlePaddle/Paddle/commit/ed96baeed19b4e11b6cbc2dcc6776245ba5fab13)中对此问题进行了补丁。 +修复将包含在飞桨2.5.0版本当中。 + +### 更多信息 + +请参考我们的[安全指南](../../SECURITY_cn.md)以获得更多关于安全的信息,以及如何与我们联系问题。 + +### 贡献者 + +此漏洞由 Tong Liu of ShanghaiTech University 提交。 
diff --git a/security/advisory/pdsa-2023-003.md b/security/advisory/pdsa-2023-003.md new file mode 100644 index 00000000000..3007e86790a --- /dev/null +++ b/security/advisory/pdsa-2023-003.md @@ -0,0 +1,35 @@ +## PDSA-2023-003: Heap buffer overflow in paddle.trace + +### CVE Number + +CVE-2023-38671 + +### Impact + +`paddle.trace` has a heap buffer overflow. The PoC is as follows: + +```python +import paddle +import numpy as np +from paddle import trace + +x = paddle.to_tensor(np.random.uniform(-10, 10, [2, 2, 2]).astype(np.float64)) +offset = paddle.to_tensor(np.random.uniform(-10, 10, []).astype(np.int32)) +axis1 = paddle.to_tensor(np.random.uniform(-6666666, -2, []).astype(np.int32)) +axis2 = paddle.to_tensor(np.random.uniform(-6666666, -2, []).astype(np.int32)) + +trace(x, offset, axis1, axis2) +``` + +### Patches + +We have patched the issue in commit [12549dfe3e87a4c30f852d2eca81d7f67c8daa87](https://github.com/PaddlePaddle/Paddle/commit/12549dfe3e87a4c30f852d2eca81d7f67c8daa87). +The fix will be included in PaddlePaddle 2.5.0. + +### For more information + +Please consult [our security guide](../../SECURITY.md) for more information regarding the security model and how to contact us with issues and questions. + +### Attribution + +This vulnerability has been reported by Tong Liu of ShanghaiTech University. diff --git a/security/advisory/pdsa-2023-003_cn.md b/security/advisory/pdsa-2023-003_cn.md new file mode 100644 index 00000000000..be66eb29b69 --- /dev/null +++ b/security/advisory/pdsa-2023-003_cn.md 
@@ -0,0 +1,35 @@ +## PDSA-2023-003: Heap buffer overflow in paddle.trace + +### CVE编号 + +CVE-2023-38671 + +### 影响 + +`paddle.trace`中存在堆溢出漏洞,PoC代码如下: + +```python +import paddle +import numpy as np +from paddle import trace + +x = paddle.to_tensor(np.random.uniform(-10, 10, [2, 2, 2]).astype(np.float64)) +offset = paddle.to_tensor(np.random.uniform(-10, 10, []).astype(np.int32)) +axis1 = paddle.to_tensor(np.random.uniform(-6666666, -2, []).astype(np.int32)) +axis2 = paddle.to_tensor(np.random.uniform(-6666666, -2, []).astype(np.int32)) + +trace(x, offset, axis1, axis2) +``` + +### 补丁 + +我们在commit [12549dfe3e87a4c30f852d2eca81d7f67c8daa87](https://github.com/PaddlePaddle/Paddle/commit/12549dfe3e87a4c30f852d2eca81d7f67c8daa87)中对此问题进行了补丁。 +修复将包含在飞桨2.5.0版本当中。 + +### 更多信息 + +请参考我们的[安全指南](../../SECURITY_cn.md)以获得更多关于安全的信息,以及如何与我们联系问题。 + +### 贡献者 + +此漏洞由 Tong Liu of ShanghaiTech University 提交。 diff --git a/security/advisory/pdsa-2023-004.md b/security/advisory/pdsa-2023-004.md new file mode 100644 index 00000000000..04fb0ae9e15 --- /dev/null +++ b/security/advisory/pdsa-2023-004.md 
@@ -0,0 +1,32 @@ +## PDSA-2023-004: FPE in paddle.linalg.matrix_power + +### CVE Number + +CVE-2023-38672 + +### Impact + +When dim contains 0, `paddle.linalg.matrix_power` will trigger a float point exception. The PoC is as follows: + +```python +import paddle +import numpy as np +from paddle.linalg import matrix_power + +x = paddle.to_tensor(np.random.uniform(-10, 10, [1, 1, 0, 0]).astype(np.float32)) + +matrix_power(x, -1) +``` + +### Patches + +We have patched the issue in commit [09926af166b060c9a9845c309110d3baa82921fd](https://github.com/PaddlePaddle/Paddle/commit/09926af166b060c9a9845c309110d3baa82921fd). +The fix will be included in PaddlePaddle 2.5.0. + +### For more information + +Please consult [our security guide](../../SECURITY.md) for more information regarding the security model and how to contact us with issues and questions. + +### Attribution + +This vulnerability has been reported by Tong Liu of ShanghaiTech University. diff --git a/security/advisory/pdsa-2023-004_cn.md b/security/advisory/pdsa-2023-004_cn.md new file mode 100644 index 00000000000..c31c4da4f87 --- /dev/null +++ b/security/advisory/pdsa-2023-004_cn.md @@ -0,0 +1,32 @@ +## PDSA-2023-004: FPE in paddle.linalg.matrix_power + +### CVE编号 + +CVE-2023-38672 + +### 影响 + +当张量包含纬度值为0的情况,`paddle.linalg.matrix_power`会触发除0异常,导致程序运行时崩溃,PoC代码如下: + +```python +import paddle +import numpy as np +from paddle.linalg import matrix_power + +x = paddle.to_tensor(np.random.uniform(-10, 10, [1, 1, 0, 0]).astype(np.float32)) + +matrix_power(x, -1) +``` + +### 补丁 + +我们在commit [09926af166b060c9a9845c309110d3baa82921fd](https://github.com/PaddlePaddle/Paddle/commit/09926af166b060c9a9845c309110d3baa82921fd)中对此问题进行了补丁。 +修复将包含在飞桨2.5.0版本当中。 + +### 更多信息 + +请参考我们的[安全指南](../../SECURITY_cn.md)以获得更多关于安全的信息,以及如何与我们联系问题。 + +### 贡献者 + +此漏洞由 Tong Liu of ShanghaiTech University 提交。 diff --git a/security/advisory/pdsa-2023-005.md b/security/advisory/pdsa-2023-005.md new file mode 100644 index 00000000000..b196b48e05a 
--- /dev/null +++ b/security/advisory/pdsa-2023-005.md @@ -0,0 +1,29 @@ +## PDSA-2023-005: Command injection in fs.py + +### CVE Number + +CVE-2023-38673 + +### Impact + +`os.system` in fs.py can lead to command injection. The PoC is as follows: + +```python +from paddle.distributed.fleet.utils import LocalFS + +client = LocalFS() +client.mkdirs("hi;pwd;") +``` + +### Patches + +We have patched the issue in commit [2bfe358043096fdba9e2a4cf0f5740102b37fd8f](https://github.com/PaddlePaddle/Paddle/commit/2bfe358043096fdba9e2a4cf0f5740102b37fd8f). +The fix will be included in PaddlePaddle 2.5.0. + +### For more information + +Please consult [our security guide](../../SECURITY.md) for more information regarding the security model and how to contact us with issues and questions. + +### Attribution + +This vulnerability has been reported by Xiaochen Guo from Huazhong University of Science and Technology. diff --git a/security/advisory/pdsa-2023-005_cn.md b/security/advisory/pdsa-2023-005_cn.md new file mode 100644 index 00000000000..74b67fad732 --- /dev/null +++ b/security/advisory/pdsa-2023-005_cn.md @@ -0,0 +1,29 @@ +## PDSA-2023-005: Command injection in fs.py + +### CVE编号 + +CVE-2023-38673 + +### 影响 + +fs.py中的功能函数存在命令注入,可以执行任意命令,PoC代码如下: + +```python +from paddle.distributed.fleet.utils import LocalFS + +client = LocalFS() +client.mkdirs("hi;pwd;") +``` + +### 补丁 + +我们在commit [2bfe358043096fdba9e2a4cf0f5740102b37fd8f](https://github.com/PaddlePaddle/Paddle/commit/2bfe358043096fdba9e2a4cf0f5740102b37fd8f)中对此问题进行了补丁。 +修复将包含在飞桨2.5.0版本当中。 + +### 更多信息 + +请参考我们的[安全指南](../../SECURITY_cn.md)以获得更多关于安全的信息,以及如何与我们联系问题。 + +### 贡献者 + +此漏洞由 Xiaochen Guo from Huazhong University of Science and Technology 提交。 -- GitLab
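Review bot: the Additional Information column in the security/README.md table hunk is left empty for all five new PDSA-2023 rows even though every advisory file added by this patch carries a CVE id (CVE-2023-38669 through CVE-2023-38673); putting each CVE id in that column would let readers cross-reference the advisories without opening each file. The same applies to the parallel table hunk in security/README_cn.md.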
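Review bot: the Impact section of security/advisory/pdsa-2023-001.md states only "Use after free in `paddle.diagonal`" and leaves the reader to infer the trigger from the PoC, which passes `axis1` and `axis2` as 0-d tensors drawn from the ranges -1000000 to 0 and -10000000 to 0, i.e. axis indices far outside the rank of the 4-d input. State the condition in prose, as pdsa-2023-004.md does with "When dim contains 0", so users can judge whether their code ever passes externally controlled axis values to `paddle.diagonal` without running the PoC; the same sentence belongs in pdsa-2023-001_cn.md.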
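Review bot: in the PoC of security/advisory/pdsa-2023-002.md (and the identical block in pdsa-2023-002_cn.md) the line `x = paddle.to_tensor(np.random.uniform(-10, 10, [1, 2, 3]).astype(np.int64)),` ends with a trailing comma, which makes `x` a one-element tuple rather than a tensor before `flip(x, axis)` is called. Either the tuple is part of the trigger and the Impact text should say so, or the comma is a typo and should be dropped so the PoC exercises the `axis` argument (a 3x3 int32 tensor spanning the full int32 range) that the title attributes the null pointer dereference to. The Impact sentence should also describe the trigger condition, not only the symptom ("segfaults with a nullptr dereference").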
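Review bot: the Impact sentence of security/advisory/pdsa-2023-003.md ("`paddle.trace` has a heap buffer overflow") names the bug class but not the condition; the PoC passes `axis1` and `axis2` as 0-d tensors drawn from -6666666 to -2 against a 3-d input, so the trigger is an axis index outside the valid range, and the advisory should say whether plain Python ints in the same range also reach the overflow or only tensor arguments do, since that determines which call sites are exposed. pdsa-2023-003_cn.md should carry the same statement.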
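Review bot: security/advisory/pdsa-2023-004.md has "float point exception" in the Impact sentence; the standard wording, and what the title's "FPE" expands to, is "floating point exception". "When dim contains 0" would read more precisely as "when any dimension of the input tensor is 0", matching the PoC's shape [1, 1, 0, 0]. In pdsa-2023-004_cn.md, "纬度值为0" uses 纬 (latitude) where 维度 (dimension) is meant and should read "维度值为0".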
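Review bot: the Impact section of security/advisory/pdsa-2023-005.md says only that "`os.system` in fs.py can lead to command injection" without naming the entry point; the PoC shows it is `LocalFS.mkdirs` from `paddle.distributed.fleet.utils`, and the advisory should name that class and method and state whether other `LocalFS` methods in the same file shell out through `os.system`, so users who pass externally supplied path strings to this client know which calls to audit before upgrading to 2.5.0. The English and Chinese texts also differ in stated severity: pdsa-2023-005_cn.md says the injection allows arbitrary command execution ("可以执行任意命令") while the English version does not; the two should say the same thing.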