| Summary: | opencv new security issues CVE-2019-1449[12] and CVE-2019-15939 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | brtians1, geiger.david68210, herman.viaene, nicolas.salguero, sysadmin-bugs, tarazed25, tmb |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | opencv-3.4.5-2.mga7.src.rpm | CVE: | CVE-2019-14491, CVE-2019-14492, CVE-2019-15939 |
| Status comment: | |||
|
Description
David Walser
2019-12-11 00:18:43 CET
David Walser
2019-12-11 00:19:03 CET
Whiteboard: (none) => MGA7TOO

I think this now has no formal maintainer, so assigning globally; CC DavidG for recent maintenance of the pkg.

Assignee: bugsquad => pkg-bugs

Updated packages uploaded by Nicolas. Advisory to come later.

libopencv_core3.4-3.4.5-2.1.mga7
libopencv_imgcodecs3.4-3.4.5-2.1.mga7
libopencv_imgproc3.4-3.4.5-2.1.mga7
libopencv_highgui3.4-3.4.5-2.1.mga7
libopencv_ml3.4-3.4.5-2.1.mga7
libopencv_flann3.4-3.4.5-2.1.mga7
libopencv_calib3d3.4-3.4.5-2.1.mga7
libopencv_features2d3.4-3.4.5-2.1.mga7
libopencv_video3.4-3.4.5-2.1.mga7
libopencv_objdetect3.4-3.4.5-2.1.mga7
libopencv_dnn3.4-3.4.5-2.1.mga7
libopencv_photo3.4-3.4.5-2.1.mga7
libopencv_shape3.4-3.4.5-2.1.mga7
libopencv_stitching3.4-3.4.5-2.1.mga7
libopencv_videoio3.4-3.4.5-2.1.mga7
libopencv_videostab3.4-3.4.5-2.1.mga7
libopencv_superres3.4-3.4.5-2.1.mga7
libopencv_aruco3.4-3.4.5-2.1.mga7
libopencv_bgsegm3.4-3.4.5-2.1.mga7
libopencv_bioinspired3.4-3.4.5-2.1.mga7
libopencv_ccalib3.4-3.4.5-2.1.mga7
libopencv_datasets3.4-3.4.5-2.1.mga7
libopencv_dnn_objdetect3.4-3.4.5-2.1.mga7
libopencv_dpm3.4-3.4.5-2.1.mga7
libopencv_freetype3.4-3.4.5-2.1.mga7
libopencv_fuzzy3.4-3.4.5-2.1.mga7
libopencv_hfs3.4-3.4.5-2.1.mga7
libopencv_img_hash3.4-3.4.5-2.1.mga7
libopencv_line_descriptor3.4-3.4.5-2.1.mga7
libopencv_optflow3.4-3.4.5-2.1.mga7
libopencv_phase_unwrapping3.4-3.4.5-2.1.mga7
libopencv_plot3.4-3.4.5-2.1.mga7
libopencv_reg3.4-3.4.5-2.1.mga7
libopencv_rgbd3.4-3.4.5-2.1.mga7
libopencv_saliency3.4-3.4.5-2.1.mga7
libopencv_stereo3.4-3.4.5-2.1.mga7
libopencv_structured_light3.4-3.4.5-2.1.mga7
libopencv_surface_matching3.4-3.4.5-2.1.mga7
libopencv_text3.4-3.4.5-2.1.mga7
libopencv_tracking3.4-3.4.5-2.1.mga7
libopencv_ximgproc3.4-3.4.5-2.1.mga7
libopencv_xobjdetect3.4-3.4.5-2.1.mga7
libopencv_xphoto3.4-3.4.5-2.1.mga7
opencv-devel-3.4.5-2.1.mga7
python2-opencv-3.4.5-2.1.mga7
python3-opencv-3.4.5-2.1.mga7
opencv-samples-3.4.5-2.1.mga7

from opencv-3.4.5-2.1.mga7.src.rpm

Assignee: pkg-bugs => qa-bugs

openSUSE has issued an advisory for this on December 11:
https://lists.opensuse.org/opensuse-updates/2019-12/msg00073.html

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

An issue was discovered in OpenCV before 3.4.7 and 4.x before 4.1.1. There is an out of bounds read in the function cv::predictOrdered<cv::HaarEvaluator> in modules/objdetect/src/cascadedetect.hpp, which leads to denial of service. (CVE-2019-14491)

An issue was discovered in OpenCV before 3.4.7 and 4.x before 4.1.1. There is an out of bounds read/write in the function HaarEvaluator::OptFeature::calc in modules/objdetect/src/cascadedetect.hpp, which leads to denial of service. (CVE-2019-14492)

An issue was discovered in OpenCV 4.1.0. There is a divide-by-zero error in cv::HOGDescriptor::getDescriptorSize in modules/objdetect/src/hog.cpp. (CVE-2019-15939)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14491
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14492
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15939
http://lists.suse.com/pipermail/sle-security-updates/2019-December/006214.html
https://lists.opensuse.org/opensuse-updates/2019-12/msg00073.html

Status: NEW => ASSIGNED

I synched to my repo and cannot find this out there. Tried a different repo and the same. Can you confirm this was replicated out to the US repos?

CC: (none) => brtians1

Yes, mirrors.kernel.org has it.
Herman Viaene
2019-12-24 11:04:46 CET
CC: (none) => herman.viaene

MGA7-64 Plasma on Lenovo B50
No installation issues.
Tried to replicate the test in bug 10815 Comment 12, but ....
$ g++ -lopencv_core -lopencv_imgproc -lopencv_highgui -o edge /usr/share/OpenCV/samples/cpp/edge.cpp
/usr/bin/ld: /tmp/ccyugjKM.o: undefined reference to symbol '_ZN2cv6imreadERKNS_6StringEi'
/usr/bin/ld: /usr/lib64/libopencv_imgcodecs.so.3.4: error adding symbols: DSO missing from command line
collect2: error: ld retuned exit-status 1

Try this (you'll need opencv-devel installed):
g++ $(pkg-config --libs opencv) -o edge /usr/share/OpenCV/samples/cpp/edge.cpp

Fedora reference for one of the CVEs from December 2:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/HPFLN6QAX6SUA4XR4NMKKXX26H3TYCVQ/

Severity: normal => major

Having a look at the CVEs for this.
First results, before updates.
Mageia7, x86_64
Installed all the packages and dependencies.
$ g++ $(pkg-config --libs opencv) -o edge /usr/share/OpenCV/samples/cpp/edge.cpp
$ file edge
edge: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=3dae70f7264983d2b57440cc608362a5c8478d4d, for GNU/Linux 3.2.0, with debug_info, not stripped
$ ./edge
This sample demonstrates Canny edge detection
Call:
/.edge [image_name -- Default is fruits.jpg]
[ WARN:0] cv::samples::findFile('fruits.jpg') => '/usr/share/OpenCV/samples/data/fruits.jpg'
This generated a couple of interactive gui frames showing textured slices of citrus fruit with different line colours. The sliders change the threshold, which alters the visibility of the objects.
CVE-2019-14991
https://github.com/opencv/opencv/issues/15125
gunzip, untar PoC file.
Compile the classifier script.
$ g++ $(pkg-config --libs opencv) -o classifier classifier.cc
$ ./classifier appname.bmp @@
Load haarcascade_eye.xml failed!
The upstream asan test ends with an ABORT.

CC: (none) => tarazed25

*Before updates*

CVE-2019-14991
Following on from comment 11:
Not properly awake - the PoC test lacked the PoC file! Repeating:
$ ./classifier appname.bmp 'int@cascadedetect.hpp:515-17___out-of-bounds-read'
Segmentation fault (core dumped)

CVE-2019-14492
https://github.com/opencv/opencv/issues/15124
The PoC uses the same C++ and bitmap files as before - checked that with diff - so the compilation is probably redundant.
$ g++ $(pkg-config --libs opencv) -o classifier classifier.cc
$ ./classifier appname.bmp 'cv::HaarEvaluator::OptFeature::calc@cascadedetect.hpp:395-29___out-of-bounds-read'
<No obvious problem>

CVE-2019-15939
https://github.com/OpenCV/opencv/issues/15287
$ g++ $(pkg-config --libs opencv) -o hog hog.cc
$ ./hog timg.jpeg getDescriptorSize__FPE
Floating point exception (core dumped)

Updated everything and ran the PoC tests again. Recompiled the test scripts.

*After updates*

CVE-2019-14991
$ ./classifier appname.bmp 'int@cascadedetect.hpp:515-17___out-of-bounds-read'
terminate called after throwing an instance of 'cv::Exception'
what(): OpenCV(3.4.5) /home/iurt/rpmbuild/BUILD/opencv-3.4.5/modules/objdetect/src/cascadedetect.cpp:568: error: (-2:Unspecified error) in function 'bool cv::HaarEvaluator::Feature::read(const cv::FileNode&, const Size&)'
> Invalid HAAR feature (expected: 'rw.r.x < W'), where
> 'rw.r.x' is 2147483647
> must be less than
> 'W' is 20
Aborted (core dumped)
<different>

CVE-2019-14492
$ ./classifier appname.bmp 'cv::HaarEvaluator::OptFeature::calc@cascadedetect.hpp:395-29___out-of-bounds-read'
terminate called after throwing an instance of 'cv::Exception'
what(): OpenCV(3.4.5) /home/iurt/rpmbuild/BUILD/opencv-3.4.5/modules/objdetect/src/cascadedetect.cpp:568: error: (-2:Unspecified error) in function 'bool cv::HaarEvaluator::Feature::read(const cv::FileNode&, const Size&)'
> Invalid HAAR feature (expected: 'rw.r.x < W'), where
> 'rw.r.x' is 2147483647
> must be less than
> 'W' is 20
Aborted (core dumped)
<Also different>

CVE-2019-15939
$ ./hog timg.jpeg getDescriptorSize__FPE
terminate called after throwing an instance of 'cv::Exception'
what(): OpenCV(3.4.5) /home/iurt/rpmbuild/BUILD/opencv-3.4.5/modules/objdetect/src/hog.cpp:157: error: (-215:Assertion failed) !cellSize.empty() in function 'read'
Aborted (core dumped)
<different>

The tests afterwards seem to produce more detail and the applications crash but perhaps there is no need for a test script to exit gracefully.
Recompiled edge.cc and ran it. It works just as before.
With apologies for standing on Herman's foot, passing this for 64-bits.

Whiteboard: (none) => MGA7-64-OK
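The post-update outputs above show the patched library rejecting the malformed cascade and HOG parameters when the file is read, instead of crashing later in the detector. A minimal model of that load-time validation, added here as an example and not taken from OpenCV or from this bug report: `Rect`, `Size`, `HogParams`, `haarRectFits` and `hogDescriptorSize` are hypothetical stand-ins, and every check beyond `rw.r.x < W` and the non-empty cell size is an assumption.

```cpp
#include <cstddef>
#include <iostream>

// Hypothetical stand-ins for illustration; these are not OpenCV types.
struct Rect { int x, y, width, height; };
struct Size { int width, height; };
struct HogParams { Size win, block, stride, cell; int nbins; };

// True only if the feature rectangle lies wholly inside the W x H window.
// 'r.x < W' is the condition named in the post-update message; the other
// edges are checked the same way (assumption). Subtracting instead of adding
// keeps the comparison free of signed overflow for values near INT_MAX.
bool haarRectFits(const Rect& r, const Size& win) {
    if (r.x < 0 || r.y < 0 || r.width <= 0 || r.height <= 0) return false;
    if (r.x >= win.width || r.y >= win.height) return false;
    return r.width <= win.width - r.x && r.height <= win.height - r.y;
}

// Validate every divisor before the descriptor-size arithmetic runs.
// Returns false (and leaves 'out' untouched) for parameters that would
// otherwise divide by zero or describe a block larger than the window.
bool hogDescriptorSize(const HogParams& p, std::size_t& out) {
    if (p.nbins <= 0) return false;
    if (p.cell.width <= 0 || p.cell.height <= 0) return false;     // empty cell size
    if (p.stride.width <= 0 || p.stride.height <= 0) return false; // second divisor
    if (p.block.width <= 0 || p.block.height <= 0) return false;
    if (p.block.width > p.win.width || p.block.height > p.win.height) return false;
    out = static_cast<std::size_t>(p.nbins)
        * (p.block.width / p.cell.width) * (p.block.height / p.cell.height)
        * ((p.win.width - p.block.width) / p.stride.width + 1)
        * ((p.win.height - p.block.height) / p.stride.height + 1);
    return true;
}

int main() {
    // Constructed inputs: the x value is the one quoted in the error output above.
    Rect bad = {2147483647, 0, 1, 1}, good = {4, 6, 12, 8};
    Size win = {20, 20};
    HogParams ok = {{64, 128}, {16, 16}, {8, 8}, {8, 8}, 9};
    HogParams zeroCell = {{64, 128}, {16, 16}, {8, 8}, {0, 0}, 9};
    std::size_t n = 0;
    std::cout << haarRectFits(bad, win) << haarRectFits(good, win) << '\n';
    std::cout << hogDescriptorSize(ok, n) << ' ' << n << '\n';
    std::cout << hogDescriptorSize(zeroCell, n) << '\n';
    return 0;
}
```

Returning a failure code rather than throwing lets a caller that loads untrusted model files skip the bad file without aborting the process, which is the remaining behaviour seen in the after-update runs.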
Thomas Backlund
2020-01-11 23:16:24 CET
Keywords: (none) => advisory, validated_update

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0030.html

Resolution: (none) => FIXED |