opencv: CVE-2019-5063 and CVE-2019-5064


Debian Bug report logs - #948180
opencv: CVE-2019-5063 and CVE-2019-5064


Reported by: Markus Koschany <apo@debian.org>

Date: Sat, 4 Jan 2020 23:33:06 UTC

Severity: grave

Tags: security

Found in version 4.1.2+dfsg-5

Fixed in version 4.2.0+dfsg-1

Done: Salvatore Bonaccorso <carnil@debian.org>

Forwarded to https://github.com/opencv/opencv/issues/15857



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>:
Bug#948180; Package opencv. (Sat, 04 Jan 2020 23:33:08 GMT)


Acknowledgement sent to Markus Koschany <apo@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>. (Sat, 04 Jan 2020 23:33:08 GMT)


Message #5 received at submit@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: submit@bugs.debian.org
Subject: opencv: CVE-2019-5063 and CVE-2019-5064
Date: Sun, 5 Jan 2020 00:32:54 +0100
Package: opencv
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for opencv.

CVE-2019-5064[0]:
| An exploitable heap buffer overflow vulnerability exists in the data
| structure persistence functionality of OpenCV, version 4.1.0. A
| specially crafted JSON file can cause a buffer overflow, resulting in
| multiple heap corruptions and potentially code execution. An attacker
| can provide a specially crafted file to trigger this vulnerability.


CVE-2019-5063[1]:
| An exploitable heap buffer overflow vulnerability exists in the data
| structure persistence functionality of OpenCV 4.1.0. A specially
| crafted XML file can cause a buffer overflow, resulting in multiple
| heap corruptions and potential code execution. An attacker can provide
| a specially crafted file to trigger this vulnerability.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-5064
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5064
[1] https://security-tracker.debian.org/tracker/CVE-2019-5063
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5063

Please adjust the affected versions in the BTS as needed.

Regards,

Markus


Marked as fixed in versions 4.2.0+dfsg-1. Request was from Markus Koschany <apo@debian.org> to control@bugs.debian.org. (Sat, 04 Jan 2020 23:45:05 GMT)


Marked as found in versions 4.1.2+dfsg-5. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 05 Jan 2020 05:48:03 GMT)


Marked Bug as done. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 05 Jan 2020 05:48:04 GMT)


Notification sent to Markus Koschany <apo@debian.org>:
Bug acknowledged by developer. (Sun, 05 Jan 2020 05:48:05 GMT)


Message sent on to Markus Koschany <apo@debian.org>:
Bug#948180. (Sun, 05 Jan 2020 05:48:10 GMT)


Message #16 received at 948180-submitter@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: control@bugs.debian.org
Cc: 948180-submitter@bugs.debian.org
Subject: found 948180 in 4.1.2+dfsg-5, closing 948180
Date: Sun, 05 Jan 2020 06:44:05 +0100
found 948180 4.1.2+dfsg-5
close 948180 4.2.0+dfsg-1
thanks




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>:
Bug#948180; Package opencv. (Sun, 05 Jan 2020 12:30:02 GMT)


Acknowledgement sent to Markus Koschany <apo@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>. (Sun, 05 Jan 2020 12:30:02 GMT)


Message #21 received at 948180@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 948180@bugs.debian.org
Subject: Re: Bug#948180: found 948180 in 4.1.2+dfsg-5, closing 948180
Date: Sun, 5 Jan 2020 13:26:37 +0100
On 05.01.20 at 06:44 Salvatore Bonaccorso wrote:
> found 948180 4.1.2+dfsg-5
> close 948180 4.2.0+dfsg-1
> thanks

You could have kept the bug report open until the issue is really fixed
in unstable. I didn't see the new version in experimental until after I
filed the bug report but sometimes such versions will stay there a long
time for various reasons. There are tools like apt-listbugs that will
warn unstable users about RC bugs but only if someone files bug reports.

Regards,

Markus



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>:
Bug#948180; Package opencv. (Sun, 05 Jan 2020 12:42:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>. (Sun, 05 Jan 2020 12:42:05 GMT)


Message #26 received at 948180@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Markus Koschany <apo@debian.org>
Cc: 948180@bugs.debian.org
Subject: Re: Bug#948180: found 948180 in 4.1.2+dfsg-5, closing 948180
Date: Sun, 5 Jan 2020 13:39:22 +0100
Hi Markus,

On Sun, Jan 05, 2020 at 01:26:37PM +0100, Markus Koschany wrote:
> On 05.01.20 at 06:44 Salvatore Bonaccorso wrote:
> > found 948180 4.1.2+dfsg-5
> > close 948180 4.2.0+dfsg-1
> > thanks
> 
> You could have kept the bug report open until the issue is really fixed
> in unstable. I didn't see the new version in experimental until after I
> filed the bug report but sometimes such versions will stay there a long
> time for various reasons. There are tools like apt-listbugs that will
> warn unstable users about RC bugs but only if someone files bug reports.

The BTS (and various tools) can handle the version tracking (and even
close a bug with multiple versions, this is actually what for instance
happens if a fix goes in as well via stable and oldstable and
contains a respective bug closer as well) -- this is the reason why I
first marked 4.1.2+dfsg-5 as found (which contains the bug), and then
one can close the bug (BTS will still see that it's unfixed in
unstable accordingly).

So either the fix then goes in by cherry-picking fixes for unstable on
top of 4.1.2+dfsg-5 or it goes in via a subsequent upload to unstable
of the 4.2.0 version.

See as well the respective graph the BTS knows: https://bugs.debian.org/cgi-bin/version.cgi?absolute=0;fixed=4.2.0%2Bdfsg-1;found=4.1.2%2Bdfsg-5;info=1;package=opencv;collapse=1

HTH,

Regards,
Salvatore

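The found/fixed bookkeeping Salvatore describes rests on Debian's version ordering: a version is treated as carrying the bug once it sorts at or after a "found" version and as clean once it sorts at or after a "fixed" version. The block below is an added example, not code from this bug report or from debbugs: it re-implements dpkg's version comparison (epoch, upstream, Debian revision, with the usual `~` and digit-run rules) in Python and applies it to the versions recorded in #948180. It assumes a single linear line of versions, whereas the real BTS uses a branch-aware version graph; the versions 4.1.2+dfsg-6 and 4.2.0+dfsg-1~exp1 are hypothetical inputs used only to exercise the comparison.

```python
# Added example (not from the bug report or from Debian's debbugs code):
# a Python re-implementation of dpkg's Debian version comparison, applied
# to the found/fixed versions recorded in #948180. Assumption: versions are
# ordered on one line (the BTS actually uses a branch-aware version graph).

DIGITS = "0123456789"
LETTERS = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"


def _order(c):
    """Sort weight of one character, mirroring dpkg's verrevcmp():
    end of string and digits weigh 0, letters weigh their ASCII value,
    '~' sorts before everything (even the end of the string) and other
    punctuation sorts after letters."""
    if c is None or c in DIGITS:
        return 0
    if c in LETTERS:
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two upstream-version or revision strings the way dpkg does:
    alternate between non-digit runs (compared via _order) and digit runs
    (compared numerically, leading zeros ignored)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: first differing character decides.
        while (i < len(a) and a[i] not in DIGITS) or (j < len(b) and b[j] not in DIGITS):
            ac = _order(a[i] if i < len(a) else None)
            bc = _order(b[j] if j < len(b) else None)
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Numeric run: drop leading zeros, then compare digit by digit.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i] in DIGITS and b[j] in DIGITS:
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        # A longer digit run is the larger number regardless of first_diff.
        if i < len(a) and a[i] in DIGITS:
            return 1
        if j < len(b) and b[j] in DIGITS:
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1, ordering a and b as `dpkg --compare-versions` would."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        c = _verrevcmp(x, y)
        if c:
            return -1 if c < 0 else 1
    return 0


def bug_status(installed, found, fixed):
    """Classify an installed version against a bug's found/fixed lists
    (linear simplification of BTS version tracking; a cherry-picked
    upload stays 'vulnerable' until it is itself listed as fixed)."""
    if any(compare_versions(installed, f) >= 0 for f in fixed):
        return "fixed"
    if any(compare_versions(installed, f) >= 0 for f in found):
        return "vulnerable"
    return "not marked found"


# Versions recorded in #948180.
FOUND = ["4.1.2+dfsg-5"]
FIXED = ["4.2.0+dfsg-1"]

if __name__ == "__main__":
    # 4.1.2+dfsg-6 and 4.2.0+dfsg-1~exp1 are hypothetical versions.
    for v in ("4.1.2+dfsg-5", "4.1.2+dfsg-6", "4.2.0+dfsg-1", "4.2.0+dfsg-1~exp1"):
        print(v, "->", bug_status(v, FOUND, FIXED))
```

Running it shows the point of the thread: 4.1.2+dfsg-5 is vulnerable, 4.2.0+dfsg-1 is fixed, and a hypothetical 4.1.2+dfsg-6 upload is still reported as vulnerable until a changelog entry closing the bug adds it to the fixed list, which is what "BTS will still see that it's unfixed in unstable" means.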


Set Bug forwarded-to-address to 'https://github.com/opencv/opencv/issues/15857'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 05 Jan 2020 12:51:03 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>:
Bug#948180; Package opencv. (Sun, 05 Jan 2020 13:18:02 GMT)


Acknowledgement sent to Markus Koschany <apo@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>. (Sun, 05 Jan 2020 13:18:02 GMT)


Message #33 received at 948180@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 948180@bugs.debian.org
Subject: Re: Bug#948180: found 948180 in 4.1.2+dfsg-5, closing 948180
Date: Sun, 5 Jan 2020 14:15:41 +0100
On 05.01.20 at 13:39 Salvatore Bonaccorso wrote:
> Hi Markus,
> 
> On Sun, Jan 05, 2020 at 01:26:37PM +0100, Markus Koschany wrote:
>> On 05.01.20 at 06:44 Salvatore Bonaccorso wrote:
>>> found 948180 4.1.2+dfsg-5
>>> close 948180 4.2.0+dfsg-1
>>> thanks
>>
>> You could have kept the bug report open until the issue is really fixed
>> in unstable. I didn't see the new version in experimental until after I
>> filed the bug report but sometimes such versions will stay there a long
>> time for various reasons. There are tools like apt-listbugs that will
>> warn unstable users about RC bugs but only if someone files bug reports.
> 
> The BTS (and various tools) can handle the version tracking (and even
> close a bug with multiple versions, this is actually what for instance
> happens if a fix goes in as well via stable and oldstable and
> contains a respective bug closer as well) -- this is the reason why I
> first marked 4.1.2+dfsg-5 as found (which contains the bug), and then
> one can close the bug (BTS will still see that it's unfixed in
> unstable accordingly).
> 
> So either the fix then goes in by cherry-picking fixes for unstable on
> top of 4.1.2+dfsg-5 or it goes in via a subsequent upload to unstable
> of the 4.2.0 version.
> 
> See as well the respective graph the BTS knows: https://bugs.debian.org/cgi-bin/version.cgi?absolute=0;fixed=4.2.0%2Bdfsg-1;found=4.1.2%2Bdfsg-5;info=1;package=opencv;collapse=1

By closing the bug report it disappeared from

https://tracker.debian.org/pkg/opencv

There is no "action required" bullet point and the RC bug count is zero
now. The bug is also marked as resolved now.

https://bugs.debian.org/cgi-bin/pkgreport.cgi?repeatmerged=no&src=opencv

I know the BTS but it was completely sufficient to mark the bug as fixed
in experimental, you didn't have to close it. People usually don't look
up the BTS graph to understand if their version is affected and they
will check the most obvious places first. If bugs are getting closed in
stable and oldstable, then those have been fixed in nearly all cases in
unstable as well already.

Markus



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>:
Bug#948180; Package opencv. (Sun, 05 Jan 2020 14:24:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>. (Sun, 05 Jan 2020 14:24:05 GMT)


Message #38 received at 948180@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Markus Koschany <apo@debian.org>
Cc: 948180@bugs.debian.org
Subject: Re: Bug#948180: found 948180 in 4.1.2+dfsg-5, closing 948180
Date: Sun, 5 Jan 2020 15:21:53 +0100
Hi Markus,

On Sun, Jan 05, 2020 at 02:15:41PM +0100, Markus Koschany wrote:
> 
> On 05.01.20 at 13:39 Salvatore Bonaccorso wrote:
> > Hi Markus,
> > 
> > On Sun, Jan 05, 2020 at 01:26:37PM +0100, Markus Koschany wrote:
> >> On 05.01.20 at 06:44 Salvatore Bonaccorso wrote:
> >>> found 948180 4.1.2+dfsg-5
> >>> close 948180 4.2.0+dfsg-1
> >>> thanks
> >>
> >> You could have kept the bug report open until the issue is really fixed
> >> in unstable. I didn't see the new version in experimental until after I
> >> filed the bug report but sometimes such versions will stay there a long
> >> time for various reasons. There are tools like apt-listbugs that will
> >> warn unstable users about RC bugs but only if someone files bug reports.
> > 
> > The BTS (and various tools) can handle the version tracking (and even
> > close a bug with multiple versions, this is actually what for instance
> > happens if a fix goes in as well via stable and oldstable and
> > contains a respective bug closer as well) -- this is the reason why I
> > first marked 4.1.2+dfsg-5 as found (which contains the bug), and then
> > one can close the bug (BTS will still see that it's unfixed in
> > unstable accordingly).
> > 
> > So either the fix then goes in by cherry-picking fixes for unstable on
> > top of 4.1.2+dfsg-5 or it goes in via a subsequent upload to unstable
> > of the 4.2.0 version.
> > 
> > See as well the respective graph the BTS knows: https://bugs.debian.org/cgi-bin/version.cgi?absolute=0;fixed=4.2.0%2Bdfsg-1;found=4.1.2%2Bdfsg-5;info=1;package=opencv;collapse=1
> 
> By closing the bug report it disappeared from
> 
> https://tracker.debian.org/pkg/opencv
> 
> There is no "action required" bullet point and the RC bug count is zero
> now. The bug is also marked as resolved now.
> 
> https://bugs.debian.org/cgi-bin/pkgreport.cgi?repeatmerged=no&src=opencv
> 
> I know the BTS but it was completely sufficient to mark the bug as fixed
> in experimental, you didn't have to close it. People usually don't look
> up the BTS graph to understand if their version is affected and they
> will check the most obvious places first. If bugs are getting closed in
> stable and oldstable, then those have been fixed in nearly all cases in
> unstable as well already.

Right, both approaches have their legitimations. I hear your arguments
and I value your opinion. And I have as well explained my position.
So, if you think there is more benefit in only mark it as fixed then
feel free to reopen it removing the closed status and close the bug
only once the fix entered unstable.

Downside: There is a slight chance that then the bug will not be closed,
and will continue to be marked as unresolved, see #924884 for an
example of what I mean, which I now just closed retrospectively.

Regards,
Salvatore





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jan 8 10:27:15 2020; Machine Name: buxtehude
