OpenCV update for Debian 10 ELTS

An important security update has been issued for the OpenCV package in Debian GNU/Linux 10 (Buster) Extended Long Term Support (ELTS). This update addresses multiple vulnerabilities that could compromise the integrity and security of applications that use the OpenCV library. They include buffer overflows, out-of-bounds read and write operations, NULL pointer dereferences, and divide-by-zero errors in several functions of the library.

The specific update details are encapsulated in ELA-1513-1, and the affected package version is 3.2.0+dfsg-6+deb10u1 (Buster). The vulnerabilities are associated with the following Common Vulnerabilities and Exposures (CVEs):

- CVE-2017-18009: A buffer overflow in the `cv::HdrDecoder::checkSignature` function, which could lead to crashes or arbitrary code execution.
- CVE-2019-14491: An out-of-bounds read occurring in the `cv::predictOrdered` function, potentially allowing unauthorized data access.
- CVE-2019-14492: Out-of-bounds read/write vulnerabilities in the `HaarEvaluator::OptFeature::calc` function, which could lead to data corruption.
- CVE-2019-14493: A NULL pointer dereference in the `cv::XMLParser::parse` function, which could result in application crashes.
- CVE-2019-15939: A divide-by-zero error in the `cv::HOGDescriptor::getDescriptorSize` function, which might cause unexpected behavior.
- CVE-2019-19624: An out-of-bounds read in the `calc()` function of `dis_flow.cpp`, particularly when handling small images, posing a risk to system stability.

This update underscores the importance of maintaining up-to-date software, especially in libraries that serve critical functions in computer vision applications. Users and administrators of Debian 10 are strongly advised to apply this security update promptly to mitigate the risks associated with these vulnerabilities.

In addition to applying this update, it is essential to regularly review and audit software dependencies for vulnerabilities, follow secure development practices, and ensure that security patches are applied consistently to safeguard against potential threats.
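As an added example (not part of the advisory and not Debian's own tooling), the check below flags installed libopencv packages whose version is older than the fixed version from ELA-1513-1, using a re-implementation of dpkg's version-ordering rules; the package names and the `dpkg-query` sample output are constructed.

```python
import re

# Fixed version named in ELA-1513-1 for Debian 10 (Buster).
FIXED_VERSION = "3.2.0+dfsg-6+deb10u1"

# Constructed sample of: dpkg-query -W -f='${Package} ${Version}\n' 'libopencv*'
SAMPLE_DPKG_OUTPUT = """\
libopencv-core3.2 3.2.0+dfsg-6
libopencv-imgcodecs3.2 3.2.0+dfsg-6+deb10u1
libopencv-objdetect3.2 3.2.0+dfsg-6
"""

def _order(c):
    # dpkg ordering for a non-digit character: '~' sorts before anything,
    # including the end of the string; letters next; other symbols last.
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    # Compare alternating non-digit and digit runs, as dpkg does.
    while a or b:
        sa, sb = re.match(r"[^0-9]*", a).group(), re.match(r"[^0-9]*", b).group()
        a, b = a[len(sa):], b[len(sb):]
        while sa or sb:
            d = _order(sa[:1]) - _order(sb[:1])
            if d:
                return d
            sa, sb = sa[1:], sb[1:]
        na, nb = re.match(r"[0-9]*", a).group(), re.match(r"[0-9]*", b).group()
        a, b = a[len(na):], b[len(nb):]
        d = int(na or 0) - int(nb or 0)
        if d:
            return d
    return 0

def _split(v):
    # epoch:upstream-revision; epoch defaults to 0, revision to "".
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def compare_versions(a, b):
    """Return <0, 0 or >0, like `dpkg --compare-versions a lt/eq/gt b`."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    return (ea - eb) or _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def outdated_packages(dpkg_output, fixed=FIXED_VERSION):
    """Return [(package, version)] for installed entries older than `fixed`."""
    rows = (line.split() for line in dpkg_output.splitlines() if line.strip())
    return [(pkg, ver) for pkg, ver in rows if compare_versions(ver, fixed) < 0]
```

Feeding real `dpkg-query` output to `outdated_packages` lists the binary packages still at the pre-advisory version on a Buster host.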

An update has been released for the OpenCV package in Debian GNU/Linux 10 (Buster) Extended LTS to fix multiple vulnerabilities. The vulnerabilities include buffer overflows, out-of-bounds reads and writes, NULL pointer dereferences, and divide-by-zero errors in various functions of the OpenCV library.

ELA-1513-1 opencv security update