CVE-2023-2618 (https://vuldb.com/?id.228548): https://github.com/opencv/opencv_contrib/pull/3484 https://github.com/opencv/opencv_contrib/pull/3484/commits/2b62ff6181163eea029ed1cab11363b4996e9cd6 A vulnerability, which was classified as problematic, has been found in OpenCV wechat_qrcode Module up to 4.7.0. Affected by this issue is the function DecodedBitStreamParser::decodeHanziSegment of the file qrcode/decoder/decoded_bit_stream_parser.cpp. The manipulation leads to memory leak. The attack may be launched remotely. The name of the patch is 2b62ff6181163eea029ed1cab11363b4996e9cd6. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-228548. CVE-2023-2617 (https://vuldb.com/?id.228547): https://github.com/opencv/opencv_contrib/pull/3480 https://gist.github.com/GZTimeWalker/3ca70a8af2f5830711e9cccc73fb5270 A vulnerability classified as problematic was found in OpenCV wechat_qrcode Module up to 4.7.0. Affected by this vulnerability is the function DecodedBitStreamParser::decodeByteSegment of the file qrcode/decoder/decoded_bit_stream_parser.cpp. The manipulation leads to null pointer dereference. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-228547. Are these vulnerabilities in our distribution of OpenCV?
As far as I can tell these were fixed in 4.8.0 (based on the merged commits and release tags upstream). I could not find release notes for opencv_contrib. The opencv_contrib package is part of our media-libs/opencv package via the contrib USE flag.
Cc'ing gstreamer maintainers because cleanup for this package depends on the cleanup of media-plugins/gst-plugins-opencv-1.20*.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ea50a5c540e7e8730230b9a54521173c4ea0d521 commit ea50a5c540e7e8730230b9a54521173c4ea0d521 Author: Andreas Sturmlechner <asturm@gentoo.org> AuthorDate: 2024-01-03 20:58:50 +0000 Commit: Andreas Sturmlechner <asturm@gentoo.org> CommitDate: 2024-01-03 21:28:37 +0000 media-libs/opencv: Cleanup vulnerable <4.8.0 and overshadowed 4.8.0 Bug: https://bugs.gentoo.org/906106 Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org> media-libs/opencv/Manifest | 4 - .../files/opencv-4.6.0-fix-build-examples.patch | 21 - .../opencv/files/opencv-4.6.0-fix-ffmpeg-5.patch | 19 - media-libs/opencv/opencv-4.6.0-r4.ebuild | 582 -------------------- media-libs/opencv/opencv-4.7.0-r1.ebuild | 584 -------------------- media-libs/opencv/opencv-4.7.0.ebuild | 581 -------------------- media-libs/opencv/opencv-4.8.0.ebuild | 585 --------------------- 7 files changed, 2376 deletions(-) https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b4ddd3554b1f7b5a40976557fc136553a9731bd8 commit b4ddd3554b1f7b5a40976557fc136553a9731bd8 Author: Andreas Sturmlechner <asturm@gentoo.org> AuthorDate: 2024-01-03 20:58:27 +0000 Commit: Andreas Sturmlechner <asturm@gentoo.org> CommitDate: 2024-01-03 21:28:36 +0000 media-plugins/gst-plugins-opencv: drop 1.20.5, 1.20.6 Bug: https://bugs.gentoo.org/906106 Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org> media-plugins/gst-plugins-opencv/Manifest | 2 - ...plugins-bad-1.20.1-use-system-libs-opencv.patch | 95 ---------------------- .../gst-plugins-opencv-1.20.5.ebuild | 31 ------- .../gst-plugins-opencv-1.20.6.ebuild | 31 ------- 4 files changed, 159 deletions(-)
Cleanup done, security team, please do your magic.