Summary: | <media-libs/opencv-4.1.2: Multiple vulnerabilities (CVE-2019-{14491,14492,14493,15939,16249}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Sam James <sam> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | amynka |
Priority: | Normal | Keywords: | CC-ARCHES, PullRequest |
Version: | unspecified | Flags: | nattka:
sanity-check+
|
Hardware: | All | ||
OS: | Linux | ||
See Also: |
https://bugs.gentoo.org/show_bug.cgi?id=647802 https://github.com/gentoo/gentoo/pull/16397 https://github.com/gentoo/gentoo/pull/15920 |
||
Whiteboard: | B3 [noglsa cve] | ||
Package list: |
=media-libs/opencv-4.1.2-r3
|
Runtime testing required: | --- |
Description
Sam James
2020-03-02 02:33:59 UTC
CVE-2019-16249 (https://nvd.nist.gov/vuln/detail/CVE-2019-16249): OpenCV 4.1.1 has an out-of-bounds read in hal_baseline::v_load in core/hal/intrin_sse.hpp when called from computeSSDMeanNorm in modules/video/src/dis_flow.cpp. CVE-2019-15939 (https://nvd.nist.gov/vuln/detail/CVE-2019-15939): An issue was discovered in OpenCV 4.1.0. There is a divide-by-zero error in cv::HOGDescriptor::getDescriptorSize in modules/objdetect/src/hog.cpp. CVE-2019-14493 (https://nvd.nist.gov/vuln/detail/CVE-2019-14493): An issue was discovered in OpenCV before 4.1.1. There is a NULL pointer dereference in the function cv::XMLParser::parse at modules/core/src/persistence.cpp. CVE-2019-14492 (https://nvd.nist.gov/vuln/detail/CVE-2019-14492): An issue was discovered in OpenCV before 3.4.7 and 4.x before 4.1.1. There is an out of bounds read/write in the function HaarEvaluator::OptFeature::calc in modules/objdetect/src/cascadedetect.hpp, which leads to denial of service. CVE-2019-14491 (https://nvd.nist.gov/vuln/detail/CVE-2019-14491): An issue was discovered in OpenCV before 3.4.7 and 4.x before 4.1.1. There is an out of bounds read in the function cv::predictOrdered<cv::HaarEvaluator> in modules/objdetect/src/cascadedetect.hpp, which leads to denial of service. @maintianer(s), please advise if ready for stabilisation, or call yourself. @maintainer(s), is this ready to be stabled? Soap told me to. x86 stable amd64 stable arm64 stable ---- @maintainer(s), please cleanup The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e00c8edae30e54a80c29fabf1ecac66462a5edde commit e00c8edae30e54a80c29fabf1ecac66462a5edde Author: Andreas Sturmlechner <asturm@gentoo.org> AuthorDate: 2020-06-25 07:56:35 +0000 Commit: Andreas Sturmlechner <asturm@gentoo.org> CommitDate: 2020-06-25 17:07:43 +0000 media-libs/opencv: Drop vulnerable 3.4.1-r7 Bug: https://bugs.gentoo.org/711284 Bug: https://bugs.gentoo.org/729504 Package-Manager: Portage-2.3.103, Repoman-2.3.23 Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org> media-libs/opencv/Manifest | 3 - ...opencv-3.3.0-remove-tiny-dnn-autodownload.patch | 27 -- .../files/opencv-3.4.1-compilation-C-mode.patch | 56 --- .../files/opencv-3.4.1-fix-build-with-va.patch | 26 -- .../opencv/files/opencv-3.4.1-fix-on-x86.patch | 27 -- media-libs/opencv/files/opencv-3.4.1-popcnt.patch | 30 -- .../opencv-3.4.1-python-lib-suffix-hack.patch | 13 - .../opencv/files/opencv-3.4.1-python37.patch | 12 - .../files/opencv-3.4.1-remove-git-autodetect.patch | 42 -- media-libs/opencv/opencv-3.4.1-r7.ebuild | 501 --------------------- 10 files changed, 737 deletions(-) GLSA vote: no Closing. |