Bug 1790059 (CVE-2019-5064)
Summary: | CVE-2019-5064 opencv: Heap buffer overflow in persistence_json.cpp while parsing crafted JSON file | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Pedro Sampaio <psampaio> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED NOTABUG | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | andrew, databases-maint, hhorak, jkucera, jmlich83, jridky, karlthered, kwizart, pkajaba, rakesh.pandit, sergio, viktor.vix.jancik |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | opencv 4.2.0 | Doc Type: | If docs needed, set a value |
Doc Text: |
A heap buffer overflow vulnerability was found in the data structure persistence functionality of OpenCV. Specifically, a specially crafted JSON file could cause a buffer overflow, resulting in multiple heap corruptions and potential code execution. A remote attacker could exploit this flaw by providing a specially crafted JSON file to trigger this vulnerability.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2020-04-20 16:31:51 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1790060 | ||
Bug Blocks: | 1790061 |
Description
Pedro Sampaio
2020-01-11 15:05:56 UTC
Created opencv tracking bugs for this issue: Affects: fedora-all [bug 1790060] External References: https://talosintelligence.com/vulnerability_reports/TALOS-2019-0853 Mitigation: Avoid loading OpenCV data structures from external untrusted JSON files. Statement: This flaw did not affect the versions of OpenCV as shipped with Red Hat Enterprise Linux 6, 7, and 8, as they did not include the vulnerable code, which was introduced in a later version of the library. This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-5064 |