Bug#948180: opencv: CVE-2019-5063 and CVE-2019-5064

Markus Koschany apo at debian.org
Sat Jan 4 23:32:54 GMT 2020


Package: opencv
X-Debbugs-CC: team at security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for opencv.

CVE-2019-5064[0]:
| An exploitable heap buffer overflow vulnerability exists in the data
| structure persistence functionality of OpenCV, version 4.1.0. A
| specially crafted JSON file can cause a buffer overflow, resulting in
| multiple heap corruptions and potentially code execution. An attacker
| can provide a specially crafted file to trigger this vulnerability.


CVE-2019-5063[1]:
| An exploitable heap buffer overflow vulnerability exists in the data
| structure persistence functionality of OpenCV 4.1.0. A specially
| crafted XML file can cause a buffer overflow, resulting in multiple
| heap corruptions and potential code execution. An attacker can provide
| a specially crafted file to trigger this vulnerability.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-5064
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5064
[1] https://security-tracker.debian.org/tracker/CVE-2019-5063
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5063

Please adjust the affected versions in the BTS as needed.

Regards,

Markus

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 963 bytes
Desc: OpenPGP digital signature
URL: <http://alioth-lists.debian.net/pipermail/debian-science-maintainers/attachments/20200105/44b5f72e/attachment-0001.sig>


More information about the debian-science-maintainers mailing list