CVE-2019-14492
Publication date 1 August 2019
Last updated 24 July 2024
Ubuntu priority
Cvss 3 Severity Score
An issue was discovered in OpenCV before 3.4.7 and 4.x before 4.1.1. There is an out of bounds read/write in the function HaarEvaluator::OptFeature::calc in modules/objdetect/src/cascadedetect.hpp, which leads to denial of service.
From the Ubuntu Security Team
It was discovered that OpenCV incorrectly handled certain files. An attaacker could possibly use this issue to cause a denial of service.
Status
Package | Ubuntu Release | Status |
---|---|---|
opencv | ||
22.04 LTS jammy |
Not affected
|
|
20.04 LTS focal |
Not affected
|
|
18.04 LTS bionic |
Fixed 3.2.0+dfsg-4ubuntu0.1+esm2
|
|
16.04 LTS xenial | Ignored see notes | |
14.04 LTS trusty | Ignored see notes |
Get expanded security coverage with Ubuntu Pro
Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.
Get Ubuntu ProNotes
ccdm94
the commit that fixes this issue is the same as the one for CVE-2019-14491. See: https://github.com/opencv/opencv/pull/15150. In xenial and earlier, it is necessary to backport the fix for this CVE. However, changes in the code that have occurred since the release of versions available in xenial and earlier cause this backport to be quite intrusive. To backport and properly apply the patch, it would be necessary to alter library functions that are exported, meaning that it would be necessary to alter their interfaces, which could end up causing regressions in software that uses the opencv library to operate. It also seems like a backported version of the patch does not completely fix the vulnerability, with the POC file causing a similar crash, even after the fix is applied.
Severity score breakdown
Parameter | Value |
---|---|
Base score | 7.5 · High |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | None |
Integrity impact | None |
Availability impact | High |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-4818-1
- OpenCV vulnerabilities
- 28 September 2022