Debian Bug report logs -
#872044
opencv: CVE-2017-12597 CVE-2017-12598 CVE-2017-12599 CVE-2017-12601 CVE-2017-12603 CVE-2017-12604 CVE-2017-12605 CVE-2017-12606
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>
:
Bug#872044
; Package src:opencv
.
(Sun, 13 Aug 2017 19:00:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>
:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>
.
(Sun, 13 Aug 2017 19:00:05 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: opencv
Version: 2.4.9.1+dfsg1-2
Severity: important
Tags: upstream security
Forwarded: https://github.com/opencv/opencv/issues/9309
Hi,
the following vulnerabilities were published for opencv. I'm still not
filling them as individual bugs, since all are tracked in the upstream
report at [8]. I suggest though to split the bug as eneeded up once
more details are sorted out/and or fixes available making clear the
set of affected versions.
CVE-2017-12597[0]:
| OpenCV (Open Source Computer Vision Library) through 3.3 has an
| out-of-bounds write error in the function FillColorRow1 in utils.cpp
| when reading an image file by using cv::imread.
CVE-2017-12598[1]:
| OpenCV (Open Source Computer Vision Library) through 3.3 has an
| out-of-bounds read error in the cv::RBaseStream::readBlock function in
| modules/imgcodecs/src/bitstrm.cpp when reading an image file by using
| cv::imread, as demonstrated by the 8-opencv-invalid-read-fread test
| case.
CVE-2017-12599[2]:
| OpenCV (Open Source Computer Vision Library) through 3.3 has an
| out-of-bounds read error in the function icvCvt_BGRA2BGR_8u_C4C3R when
| reading an image file by using cv::imread.
CVE-2017-12601[3]:
| OpenCV (Open Source Computer Vision Library) through 3.3 has a buffer
| overflow in the cv::BmpDecoder::readData function in
| modules/imgcodecs/src/grfmt_bmp.cpp when reading an image file by using
| cv::imread, as demonstrated by the 4-buf-overflow-readData-memcpy test
| case.
CVE-2017-12603[4]:
| OpenCV (Open Source Computer Vision Library) through 3.3 has an invalid
| write in the cv::RLByteStream::getBytes function in
| modules/imgcodecs/src/bitstrm.cpp when reading an image file by using
| cv::imread, as demonstrated by the 2-opencv-heapoverflow-fseek test
| case.
CVE-2017-12604[5]:
| OpenCV (Open Source Computer Vision Library) through 3.3 has an
| out-of-bounds write error in the FillUniColor function in utils.cpp
| when reading an image file by using cv::imread.
CVE-2017-12605[6]:
| OpenCV (Open Source Computer Vision Library) through 3.3 has an
| out-of-bounds write error in the FillColorRow8 function in utils.cpp
| when reading an image file by using cv::imread.
CVE-2017-12606[7]:
| OpenCV (Open Source Computer Vision Library) through 3.3 has an
| out-of-bounds write error in the function FillColorRow4 in utils.cpp
| when reading an image file by using cv::imread.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-12597
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12597
[1] https://security-tracker.debian.org/tracker/CVE-2017-12598
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12598
[2] https://security-tracker.debian.org/tracker/CVE-2017-12599
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12599
[3] https://security-tracker.debian.org/tracker/CVE-2017-12601
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12601
[4] https://security-tracker.debian.org/tracker/CVE-2017-12603
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12603
[5] https://security-tracker.debian.org/tracker/CVE-2017-12604
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12604
[6] https://security-tracker.debian.org/tracker/CVE-2017-12605
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12605
[7] https://security-tracker.debian.org/tracker/CVE-2017-12606
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12606
[8] https://github.com/opencv/opencv/issues/9309
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Added tag(s) fixed-upstream.
Request was from bts-link-upstream@lists.alioth.debian.org
to control@bugs.debian.org
.
(Thu, 24 Aug 2017 17:33:16 GMT) (full text, mbox, link).
Marked as fixed in versions opencv/3.2.0+dfsg-5ubuntu1.
Request was from Mattia Rizzolo <mattia@debian.org>
to control@bugs.debian.org
.
(Tue, 12 Feb 2019 11:00:17 GMT) (full text, mbox, link).
Marked Bug as done
Request was from Mattia Rizzolo <mattia@debian.org>
to control@bugs.debian.org
.
(Tue, 12 Feb 2019 11:00:17 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>
:
Bug acknowledged by developer.
(Tue, 12 Feb 2019 11:00:18 GMT) (full text, mbox, link).
Marked as fixed in versions opencv/3.4.4+dfsg-1~exp1.
Request was from Mattia Rizzolo <mattia@debian.org>
to control@bugs.debian.org
.
(Tue, 12 Feb 2019 11:15:07 GMT) (full text, mbox, link).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org
.
(Wed, 13 Mar 2019 07:28:48 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 19:15:47 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.