First Last Prev Next    This bug is not in your last search results.
Bug 1144352 - (CVE-2019-14491) VUL-1: CVE-2019-14491: opencv: An issue was discovered in OpenCV before 3.4.7 and 4.x before 4.1.1. There is an out of bounds read in the function cv:predictOrdered<cv:HaarEvaluator>, leading to DOS
(CVE-2019-14491)
VUL-1: CVE-2019-14491: opencv: An issue was discovered in OpenCV before 3.4.7...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P4 - Low : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/238720/
CVSSv2:NVD:CVE-2019-14491:6.4:(AV:N/A...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2019-08-05 15:49 UTC by Wolfgang Frisch
Modified: 2022-01-12 14:45 UTC (History)
2 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
opencv-321c74ccd6077bdea1d47450ca4fe955cb5b6330-fixes-CVE-2019-14491-and-CVE-2019-14492.patch (5.32 KB, patch)
2019-08-05 16:07 UTC, Wolfgang Frisch 		Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Wolfgang Frisch 2019-08-05 15:49:53 UTC 
CVE-2019-14491

An issue was discovered in OpenCV before 3.4.7 and 4.x before 4.1.1. There is an
out of bounds read in the function cv::predictOrdered<cv::HaarEvaluator> in
modules/objdetect/src/cascadedetect.hpp, which leads to denial of service.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14491
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-14491.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14491
https://github.com/opencv/opencv/compare/371bba8...ddbd10c
https://github.com/opencv/opencv/issues/15125
https://github.com/opencv/opencv/compare/33b765d...4a7ca5a
Comment 1 Wolfgang Frisch 2019-08-05 16:07:17 UTC 
Following source code investigation, I conclude that opencv-3.3.1, shipped in SUSE:SLE-15:Update, is vulnerable.

Upstream patch for OpenCV-3.x:
https://github.com/opencv/opencv/pull/15150
Comment 2 Wolfgang Frisch 2019-08-05 16:07:43 UTC 
Created attachment 812841 [details]
opencv-321c74ccd6077bdea1d47450ca4fe955cb5b6330-fixes-CVE-2019-14491-and-CVE-2019-14492.patch
Comment 6 Swamp Workflow Management 2019-12-05 20:14:18 UTC 
SUSE-SU-2019:3192-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1144348,1144352,1149742,1154091
CVE References: CVE-2019-14491,CVE-2019-14492,CVE-2019-15939
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP1 (src):    opencv-3.3.1-6.6.1
SUSE Linux Enterprise Workstation Extension 15 (src):    opencv-3.3.1-6.6.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15 (src):    opencv-3.3.1-6.6.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    opencv-3.3.1-6.6.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    opencv-3.3.1-6.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Swamp Workflow Management 2019-12-11 14:16:04 UTC 
openSUSE-SU-2019:2671-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1144348,1144352,1149742,1154091
CVE References: CVE-2019-14491,CVE-2019-14492,CVE-2019-15939
Sources used:
openSUSE Leap 15.1 (src):    opencv-3.3.1-lp151.6.3.1
Comment 8 Swamp Workflow Management 2020-07-08 13:15:06 UTC 
SUSE-SU-2019:3192-2: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1144348,1144352,1149742,1154091
CVE References: CVE-2019-14491,CVE-2019-14492,CVE-2019-15939
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP2 (src):    opencv-3.3.1-6.6.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2 (src):    opencv-3.3.1-6.6.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP1 (src):    opencv-3.3.1-6.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Wolfgang Frisch 2020-10-19 16:12:19 UTC 
Released.
First Last Prev Next    This bug is not in your last search results.