Bug 1764731 (CVE-2019-15939)

Summary: CVE-2019-15939 opencv: division by zero in cv::HOGDescriptor::getDescriptorSize in modules/objdetect/src/hog.cpp
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: andrew, databases-maint, hhorak, jkucera, jmlich83, jridky, karlthered, kwizart, mrehak, pkajaba, rakesh.pandit, viktor.vix.jancik
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: opencv 3.4.8
Doc Type: If docs needed, set a value
Doc Text:
A divide by zero vulnerability was found in OpenCV in the way HOGDescriptor objects are created by loading their properties from a local file. Local files with no "cellSize" property may be vulnerable to this flaw. A remote attacker could exploit this flaw by creating a specially crafted file that, when loaded by a victim, would cause a floating-point exception leading to a denial of service.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-07-28 06:27:42 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1764732, 1786692, 1786693
Bug Blocks: 1764734

Description Guilherme de Almeida Suckevicz 2019-10-23 16:23:09 UTC
An issue was discovered in OpenCV 4.1.0. There is a divide-by-zero error in cv::HOGDescriptor::getDescriptorSize in modules/objdetect/src/hog.cpp.

References:
https://github.com/OpenCV/opencv/issues/15287
https://github.com/opencv/opencv/pull/15382

Comment 1 Guilherme de Almeida Suckevicz 2019-10-23 16:23:22 UTC
Created opencv tracking bugs for this issue:

Affects: fedora-all [bug 1764732]

Comment 6 Mauro Matteo Cascella 2019-12-27 08:59:15 UTC
This flaw affects the implementation of Histogram of Oriented Gradients (HOG) Descriptor, an algorithm used internally by OpenCV to detect objects in digital images.

More specifically, method HOGDescriptor::getDescriptorSize() computes the remainder of the division of variables blockSize.width by cellSize.width, without ensuring that the value of cellSize.width is not zero. As a result, the code ends up dividing a value by zero, leading to a floating point exception that ultimately results in a crash of the application.

It is worth noting that those variables are set in method HOGDescriptor::read() when a HOGDescriptor object is created by loading its properties from a local file.

Comment 8 Mauro Matteo Cascella 2019-12-27 09:53:52 UTC
Mitigation:

Avoid using the Histogram of Oriented Gradients (HOG) Descriptor algorithm to detect objects in digital images. Alternatively, ensure HOGDescriptor objects are not created from external untrusted files.
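
The missing precondition from comment 6 and the second mitigation from comment 8 (validating descriptor parameters loaded from an untrusted file before they are used), as an added standalone C++ model that is not OpenCV's own code: `Size`, `HogParams`, `parseHogParams` and the key=value text format are hypothetical stand-ins for the library's types and file format, and the descriptor-length formula beyond the blockSize/cellSize remainder is an assumption about HOG geometry rather than something this report states.

```cpp
#include <cstddef>
#include <sstream>
#include <string>

// Hypothetical stand-ins for the library's geometry and parameter types.
struct Size { int width = 0; int height = 0; };
struct HogParams { Size winSize, blockSize, blockStride, cellSize; int nbins = 0; };

// Parse constructed "key=WxH" / "nbins=N" lines. A key that is absent leaves
// its field at zero, which is how a file with no "cellSize" entry reaches the
// size computation with a zero divisor.
HogParams parseHogParams(const std::string& text) {
    HogParams p;
    std::istringstream in(text);
    std::string line;
    while (std::getline(in, line)) {
        const auto eq = line.find('=');
        if (eq == std::string::npos) continue;
        const std::string key = line.substr(0, eq), val = line.substr(eq + 1);
        Size* s = key == "winSize" ? &p.winSize : key == "blockSize" ? &p.blockSize
                : key == "blockStride" ? &p.blockStride : key == "cellSize" ? &p.cellSize : nullptr;
        if (s) { char sep = 0; std::istringstream(val) >> s->width >> sep >> s->height; }
        else if (key == "nbins") p.nbins = std::stoi(val);
    }
    return p;
}

// The check the report says getDescriptorSize() lacked: every divisor must be
// positive, and the geometry must tile evenly, before any '/' or '%' runs.
bool validHogParams(const HogParams& p) {
    const Size &c = p.cellSize, &s = p.blockStride, &b = p.blockSize, &w = p.winSize;
    if (c.width <= 0 || c.height <= 0 || s.width <= 0 || s.height <= 0 || p.nbins <= 0) return false;
    if (w.width < b.width || w.height < b.height) return false;
    if (b.width % c.width != 0 || b.height % c.height != 0) return false;
    return (w.width - b.width) % s.width == 0 && (w.height - b.height) % s.height == 0;
}

// Descriptor length = bins * cells per block * block positions in the window
// (assumed HOG layout). Rejected parameters yield 0 instead of a division.
std::size_t descriptorSize(const HogParams& p) {
    if (!validHogParams(p)) return 0;
    const std::size_t cellsPerBlock = (p.blockSize.width / p.cellSize.width) *
                                      (p.blockSize.height / p.cellSize.height);
    const std::size_t blocksX = (p.winSize.width - p.blockSize.width) / p.blockStride.width + 1;
    const std::size_t blocksY = (p.winSize.height - p.blockSize.height) / p.blockStride.height + 1;
    return static_cast<std::size_t>(p.nbins) * cellsPerBlock * blocksX * blocksY;
}
```

A loader that calls `validHogParams` (or rejects a return of 0) before handing parameters to the detector turns the crash described in comment 6 into an ordinary parse error.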

Comment 9 Nicolas Chauvet (kwizart) 2020-07-28 06:27:42 UTC
Fixed in 3.4.8 and later. Current version in Fedora 31 is 3.4.10.