Bug 47524 – opencv: Multiple issues (4.2)

Bug 47524 - opencv: Multiple issues (4.2)


Summary:	opencv: Multiple issues (4.2)

Status:	CLOSED FIXED

Product:	UCS
Classification:	Unclassified
Component:	Security updates
Version:	UCS 4.2
Hardware:	All Linux

Importance:	P3 normal (vote)
Target Milestone:	UCS 4.2-4-errata
Assigned To:	Quality Assurance
QA Contact:	Philipp Hahn

URL:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2018-08-09 10:17 CEST by Quality Assurance
Modified:	2018-08-15 16:19 CEST (History)
CC List:	0 users

See Also:
What kind of report is it?:	Security Issue
What type of bug is this?:	---
Who will be affected by this bug?:	---
How will those affected feel about the bug?:	---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:	7.0 (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Quality Assurance

2018-08-09 10:17:37 CEST

New Debian opencv 2.4.9.1+dfsg-1+deb8u2 fixes:
This update addresses the following issue(s):
* 
* OpenCV 3.0.0 has a double free issue that allows attackers to execute arbitrary code. (CVE-2016-1516)
CVE_2016-1517 is open
* OpenCV (Open Source Computer Vision Library) through 3.3 has an out-of-bounds write error in the function FillColorRow1 in utils.cpp when reading an image file by using cv::imread. (CVE-2017-12597)
* OpenCV (Open Source Computer Vision Library) through 3.3 has an out-of-bounds read error in the cv::RBaseStream::readBlock function in modules/imgcodecs/src/bitstrm.cpp when reading an image file by using cv::imread, as demonstrated by the 8-opencv-invalid-read-fread test case. (CVE-2017-12598)
* OpenCV (Open Source Computer Vision Library) through 3.3 has an out-of-bounds read error in the function icvCvt_BGRA2BGR_8u_C4C3R when reading an image file by using cv::imread. (CVE-2017-12599)
CVE_2017-12600 is open
* OpenCV (Open Source Computer Vision Library) through 3.3 has a buffer overflow in the cv::BmpDecoder::readData function in modules/imgcodecs/src/grfmt_bmp.cpp when reading an image file by using cv::imread, as demonstrated by the 4-buf-overflow-readData-memcpy test case. (CVE-2017-12601)
CVE_2017-12602 is open
* OpenCV (Open Source Computer Vision Library) through 3.3 has an invalid write in the cv::RLByteStream::getBytes function in modules/imgcodecs/src/bitstrm.cpp when reading an image file by using cv::imread, as demonstrated by the 2-opencv-heapoverflow-fseek test case. (CVE-2017-12603)
* OpenCV (Open Source Computer Vision Library) through 3.3 has an out-of-bounds write error in the FillUniColor function in utils.cpp when reading an image file by using cv::imread. (CVE-2017-12604)
* OpenCV (Open Source Computer Vision Library) through 3.3 has an out-of-bounds write error in the FillColorRow8 function in utils.cpp when reading an image file by using cv::imread. (CVE-2017-12605)
* OpenCV (Open Source Computer Vision Library) through 3.3 has an out-of-bounds write error in the function FillColorRow4 in utils.cpp when reading an image file by using cv::imread. (CVE-2017-12606)
* In modules/imgcodecs/src/grfmt_pxm.cpp, the length of buffer AutoBuffer _src is small than expected, which will cause copy buffer overflow later. If the image is from remote, may lead to remote code execution or denial of service. This affects Opencv 3.3 and earlier. (CVE-2017-12862)
* In opencv/modules/imgcodecs/src/grfmt_pxm.cpp, function PxMDecoder::readData has an integer overflow when calculate src_pitch. If the image is from remote, may lead to remote code execution or denial of service. This affects Opencv 3.3 and earlier. (CVE-2017-12863)
* In opencv/modules/imgcodecs/src/grfmt_pxm.cpp, function ReadNumber did not checkout the input length, which lead to integer overflow. If the image is from remote, may lead to remote code execution or denial of service. This affects Opencv 3.3 and earlier. (CVE-2017-12864)
* OpenCV 3.3.1 has a Buffer Overflow in the cv::PxMDecoder::readData function in grfmt_pxm.cpp, because an incorrect size value is used. (CVE-2017-17760)
* In opencv/modules/imgcodecs/src/utils.cpp, functions FillUniColor and FillUniGray do not check the input length, which can lead to integer overflow. If the image is from remote, may lead to remote code execution or denial of service. This affects Opencv 3.3 and earlier. (CVE-2017-1000450)
* In OpenCV 3.3.1, a heap-based buffer overflow happens in cv::Jpeg2KDecoder::readComponent8u in modules/imgcodecs/src/grfmt_jpeg2000.cpp when parsing a crafted image file. (CVE-2018-5268)
* In OpenCV 3.3.1, an assertion failure happens in cv::RBaseStream::setPos in modules/imgcodecs/src/bitstrm.cpp because of an incorrect integer cast. (CVE-2018-5269)
CVE_2018-7712 is open
CVE_2018-7713 is open
CVE_2018-7714 is open

2.4.9.1+dfsg-1+deb8u2 (Sat, 21 Jul 2018 15:03:02 +0200) * Non-maintainer upload by the LTS Team. * fixes for: CVE-2018-5268, CVE-2018-5269 Opencv 3.3 and earlier has problems while reading data, which might result in either buffer overflows. Further assertion errors might happen due to incorrect integer cast. CVE-2017-1000450, CVE-2017-17760 might result in either buffer overflows or integer overflows. * fixes for: (CVE-2017-several.patch) CVE-2017-12597, CVE-2017-12598, CVE-2017-12599, CVE-2017-12601, CVE-2017-12603, CVE-2017-12604, CVE-2017-12605, CVE-2017-12606, CVE-2017-12862, CVE-2017-12863, CVE-2017-12864, CVE-2017-14136, CVE-2016-1516 OpenCV through 3.3 has out-of-bounds read/write errors and buffer overflows in different functions. 
* CVE-2016-1516 opencv: Double free vulnerability on crafted image (CVE-2016-1516)
* CVE-2017-12597 opencv: out-of-bounds write error in the function FillColorRow1 (CVE-2017-12597)
* CVE-2017-12598 opencv: out-of-bounds read error in the cv::RBaseStream::readBlock function (CVE-2017-12598)
* CVE-2017-12599 opencv: out-of-bounds read error in the function icvCvt_BGRA2BGR_8u_C4C3R (CVE-2017-12599)
* CVE-2017-12601 opencv: buffer overflow in the cv::BmpDecoder::readData function (CVE-2017-12601)
* CVE-2017-12603 opencv: invalid write in the cv::RLByteStream::getBytes function (CVE-2017-12603)
* CVE-2017-12604 opencv: out-of-bounds write error in the function FillUniColor (CVE-2017-12604)
* CVE-2017-12605 opencv: out-of-bounds write error in the function FillColorRow8 (CVE-2017-12605)
* CVE-2017-12606 opencv: out-of-bounds write error in the function FillColorRow4 (CVE-2017-12606)
* CVE-2017-12862 opencv: Heap-based buffer over-write in modules/imgcodecs/src/grfmt_pxm.cpp (CVE-2017-12862)
* CVE-2017-12863 opencv: Integer overflow in PxMDecoder::readData function in imgcodecs/src/grfmt_pxm.cpp (CVE-2017-12863)
* CVE-2017-12864 opencv: Integer overflow in ReadNumber function in opencv/modules/imgcodecs/src/grfmt_pxm.cpp (CVE-2017-12864)
* CVE-2017-17760 opencv: Buffer Overflow in the cv::PxMDecoder::readData function in grfmt_pxm.cpp (CVE-2017-17760)
* CVE-2017-1000450 opencv: out of bounds write in functions FillUniColor and FillUniGray in opencv/modules/imgcodecs/src/utils.cpp (CVE-2017-1000450)
* CVE-2018-5268 opencv: Heap-based buffer overflow in cv::Jpeg2KDecoder::readComponent8u (CVE-2018-5268)
* CVE-2018-5269 opencv: Assertion failure due to incorrect integer cast (CVE-2018-5269)
* CVE-2017-14136 opencv: out-of-bounds write error in the function FillColorRow1 (CVE-2017-14136)

Comment 1 Quality Assurance

2018-08-09 18:44:32 CEST

--- mirror/ftp/4.2/unmaintained/4.2-0/source/opencv_2.4.9.1+dfsg-1+deb8u1.dsc
+++ apt/ucs_4.2-0-errata4.2-4/source/opencv_2.4.9.1+dfsg-1+deb8u2.dsc
@@ -1,3 +1,23 @@
+2.4.9.1+dfsg-1+deb8u2 [Sat, 21 Jul 2018 15:03:02 +0200] Thorsten Alteholz <debian@alteholz.de>:
+
+  * Non-maintainer upload by the LTS Team. 
+  * fixes for:
+    CVE-2018-5268, CVE-2018-5269
+    Opencv 3.3 and earlier has problems while reading data, which 
+    might result in either buffer overflows. Further assertion errors 
+    might happen due to incorrect integer cast.
+  * fixes for:
+    CVE-2017-1000450, CVE-2017-17760
+    Opencv 3.3 and earlier has problems while reading data, which 
+    might result in either buffer overflows or integer overflows.
+  * fixes for:  (CVE-2017-several.patch)
+    CVE-2017-12597, CVE-2017-12598, CVE-2017-12599, CVE-2017-12601, 
+    CVE-2017-12603, CVE-2017-12604, CVE-2017-12605, CVE-2017-12606,
+    CVE-2017-12862, CVE-2017-12863, CVE-2017-12864, CVE-2017-14136,
+    CVE-2016-1516
+    OpenCV through 3.3 has out-of-bounds read/write errors and buffer 
+    overflows in different functions.
+ 
 2.4.9.1+dfsg-1+deb8u1 [Mon, 25 May 2015 20:19:29 +0200] Sebastian Ramacher <sramacher@debian.org>:
 
   [ Bernhard Übelacker ]

<http://10.200.17.11/4.2-4/#3605217643369560651>

Comment 2 Philipp Hahn

2018-08-10 11:23:24 CEST

OK: yaml
OK: errata-announce
OK: patch
OK: piuparts

[4.2-4] cf1f434e77 Bug #47524: opencv 2.4.9.1+dfsg-1+deb8u2
 doc/errata/staging/opencv.yaml | 69 ++++++++++++++++--------------------------
 1 file changed, 26 insertions(+), 43 deletions(-)

[4.2-4] ba716fe173 Bug #47524: opencv 2.4.9.1+dfsg-1+deb8u2
 doc/errata/staging/opencv.yaml | 69 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 69 insertions(+)

Comment 3 Arvid Requate

2018-08-15 16:19:54 CEST

<http://errata.software-univention.de/ucs/4.2/470.html>