Bug#872044: opencv: CVE-2017-12597 CVE-2017-12598 CVE-2017-12599 CVE-2017-12601 CVE-2017-12603 CVE-2017-12604 CVE-2017-12605 CVE-2017-12606
Salvatore Bonaccorso
carnil at debian.org
Sun Aug 13 18:57:12 UTC 2017
Source: opencv
Version: 2.4.9.1+dfsg1-2
Severity: important
Tags: upstream security
Forwarded: https://github.com/opencv/opencv/issues/9309
Hi,
the following vulnerabilities were published for opencv. I'm still not
filling them as individual bugs, since all are tracked in the upstream
report at [8]. I suggest though to split the bug as eneeded up once
more details are sorted out/and or fixes available making clear the
set of affected versions.
CVE-2017-12597[0]:
| OpenCV (Open Source Computer Vision Library) through 3.3 has an
| out-of-bounds write error in the function FillColorRow1 in utils.cpp
| when reading an image file by using cv::imread.
CVE-2017-12598[1]:
| OpenCV (Open Source Computer Vision Library) through 3.3 has an
| out-of-bounds read error in the cv::RBaseStream::readBlock function in
| modules/imgcodecs/src/bitstrm.cpp when reading an image file by using
| cv::imread, as demonstrated by the 8-opencv-invalid-read-fread test
| case.
CVE-2017-12599[2]:
| OpenCV (Open Source Computer Vision Library) through 3.3 has an
| out-of-bounds read error in the function icvCvt_BGRA2BGR_8u_C4C3R when
| reading an image file by using cv::imread.
CVE-2017-12601[3]:
| OpenCV (Open Source Computer Vision Library) through 3.3 has a buffer
| overflow in the cv::BmpDecoder::readData function in
| modules/imgcodecs/src/grfmt_bmp.cpp when reading an image file by using
| cv::imread, as demonstrated by the 4-buf-overflow-readData-memcpy test
| case.
CVE-2017-12603[4]:
| OpenCV (Open Source Computer Vision Library) through 3.3 has an invalid
| write in the cv::RLByteStream::getBytes function in
| modules/imgcodecs/src/bitstrm.cpp when reading an image file by using
| cv::imread, as demonstrated by the 2-opencv-heapoverflow-fseek test
| case.
CVE-2017-12604[5]:
| OpenCV (Open Source Computer Vision Library) through 3.3 has an
| out-of-bounds write error in the FillUniColor function in utils.cpp
| when reading an image file by using cv::imread.
CVE-2017-12605[6]:
| OpenCV (Open Source Computer Vision Library) through 3.3 has an
| out-of-bounds write error in the FillColorRow8 function in utils.cpp
| when reading an image file by using cv::imread.
CVE-2017-12606[7]:
| OpenCV (Open Source Computer Vision Library) through 3.3 has an
| out-of-bounds write error in the function FillColorRow4 in utils.cpp
| when reading an image file by using cv::imread.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-12597
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12597
[1] https://security-tracker.debian.org/tracker/CVE-2017-12598
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12598
[2] https://security-tracker.debian.org/tracker/CVE-2017-12599
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12599
[3] https://security-tracker.debian.org/tracker/CVE-2017-12601
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12601
[4] https://security-tracker.debian.org/tracker/CVE-2017-12603
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12603
[5] https://security-tracker.debian.org/tracker/CVE-2017-12604
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12604
[6] https://security-tracker.debian.org/tracker/CVE-2017-12605
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12605
[7] https://security-tracker.debian.org/tracker/CVE-2017-12606
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12606
[8] https://github.com/opencv/opencv/issues/9309
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
More information about the debian-science-maintainers
mailing list