Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 906106 (CVE-2023-2617, CVE-2023-2618)

Summary: <media-libs/opencv-4.8.0: multiple vulnerabilities
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: IN_PROGRESS ---    
Severity: minor CC: ajak, gstreamer, negril.nx+gentoo, proxy-maint
Priority: Normal Keywords: PullRequest
Version: unspecified   
Hardware: All   
OS: Linux   
See Also: https://github.com/gentoo/gentoo/pull/34544
https://github.com/gentoo/gentoo/pull/34624
Whiteboard: B3 [glsa?]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-05-11 04:18:25 UTC 
CVE-2023-2618 (https://vuldb.com/?id.228548):
https://github.com/opencv/opencv_contrib/pull/3484
https://github.com/opencv/opencv_contrib/pull/3484/commits/2b62ff6181163eea029ed1cab11363b4996e9cd6

A vulnerability, which was classified as problematic, has been found in OpenCV wechat_qrcode Module up to 4.7.0. Affected by this issue is the function DecodedBitStreamParser::decodeHanziSegment of the file qrcode/decoder/decoded_bit_stream_parser.cpp. The manipulation leads to memory leak. The attack may be launched remotely. The name of the patch is 2b62ff6181163eea029ed1cab11363b4996e9cd6. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-228548.

CVE-2023-2617 (https://vuldb.com/?id.228547):
https://github.com/opencv/opencv_contrib/pull/3480
https://gist.github.com/GZTimeWalker/3ca70a8af2f5830711e9cccc73fb5270

A vulnerability classified as problematic was found in OpenCV wechat_qrcode Module up to 4.7.0. Affected by this vulnerability is the function DecodedBitStreamParser::decodeByteSegment of the file qrcode/decoder/decoded_bit_stream_parser.cpp. The manipulation leads to null pointer dereference. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-228547.

Are these vulnerabilities in our distribution of OpenCV?
Comment 1 Hans de Graaff gentoo-dev Security 2023-12-30 08:16:22 UTC 
As far as I can tell these were fixed in 4.8.0 (based on the merged commits and release tags upstream). I could not find release notes for opencv_contrib.

The opencv_contrib package is part of our media-libs/opencv package via the contrib USE flag.
Comment 2 Hans de Graaff gentoo-dev Security 2023-12-30 08:54:03 UTC 
Cc'ing gstreamer maintainers because cleanup for this package depends on the cleanup of media-plugins/gst-plugins-opencv-1.20*.
Comment 3 Larry the Git Cow gentoo-dev 2024-01-03 21:28:57 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ea50a5c540e7e8730230b9a54521173c4ea0d521

commit ea50a5c540e7e8730230b9a54521173c4ea0d521
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2024-01-03 20:58:50 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2024-01-03 21:28:37 +0000

    media-libs/opencv: Cleanup vulnerable <4.8.0 and overshadowed 4.8.0
    
    Bug: https://bugs.gentoo.org/906106
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 media-libs/opencv/Manifest                         |   4 -
 .../files/opencv-4.6.0-fix-build-examples.patch    |  21 -
 .../opencv/files/opencv-4.6.0-fix-ffmpeg-5.patch   |  19 -
 media-libs/opencv/opencv-4.6.0-r4.ebuild           | 582 --------------------
 media-libs/opencv/opencv-4.7.0-r1.ebuild           | 584 --------------------
 media-libs/opencv/opencv-4.7.0.ebuild              | 581 --------------------
 media-libs/opencv/opencv-4.8.0.ebuild              | 585 ---------------------
 7 files changed, 2376 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b4ddd3554b1f7b5a40976557fc136553a9731bd8

commit b4ddd3554b1f7b5a40976557fc136553a9731bd8
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2024-01-03 20:58:27 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2024-01-03 21:28:36 +0000

    media-plugins/gst-plugins-opencv: drop 1.20.5, 1.20.6
    
    Bug: https://bugs.gentoo.org/906106
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 media-plugins/gst-plugins-opencv/Manifest          |  2 -
 ...plugins-bad-1.20.1-use-system-libs-opencv.patch | 95 ----------------------
 .../gst-plugins-opencv-1.20.5.ebuild               | 31 -------
 .../gst-plugins-opencv-1.20.6.ebuild               | 31 -------
 4 files changed, 159 deletions(-)
Comment 4 Andreas Sturmlechner gentoo-dev 2024-01-03 23:12:20 UTC 
Cleanup done, security team, please do your magic.