Bug 27831

Summary: opencv possible new security issue CVE-2019-19624
Product: Mageia
Reporter: Zombie Ryushu <zombie_ryushu>
Component: Security
Assignee: All Packagers <pkg-bugs>
Status: RESOLVED INVALID
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: mageia
Version: 7
Target Milestone: ---
Hardware: All
OS: Linux
URL: https://nvd.nist.gov/vuln/detail/CVE-2019-19624
Whiteboard:
Source RPM: opencv-3.4.5-2.1.mga7.src.rpm
CVE:
Status comment:

Description Zombie Ryushu 2020-12-15 15:19:37 CET
An out-of-bounds read was discovered in OpenCV before 4.1.1. Specifically, variable coarsest_scale is assumed to be greater than or equal to finest_scale within the calc()/ocl_calc() functions in dis_flow.cpp. However, this is not true when dealing with small images, leading to an out-of-bounds read of the heap-allocated arrays Ux and Uy.
Comment 1 David Walser 2020-12-15 17:11:11 CET
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19624

Finding conflicting information on this. Debian and Ubuntu have a version with 3.2.0 and they think it's vulnerable, but Red Hat says 3.4.10 is not:
https://bugzilla.redhat.com/show_bug.cgi?id=1780543#c11

Summary: opencv security issue CVE-2019-19624 => opencv possible new security issue CVE-2019-19624

Comment 2 Lewis Smith 2020-12-15 20:26:39 CET
Opencv has no obvious maintainer, so having to assign this globally.

Assignee: bugsquad => pkg-bugs
Source RPM: opencv-3.4.5-2.1.mga7.src => opencv-3.4.5-2.1.mga7.src.rpm

Comment 3 Nicolas Lécureuil 2021-03-10 21:54:51 CET
From https://github.com/opencv/opencv/issues/14554 our version is not affected.

I looked at the Debian "fixed" version and there are no commits/patches for this CVE.

CC: (none) => mageia
Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 4 David Walser 2021-03-10 22:01:28 CET
INVALID then. Debian has no fixes because they haven't attempted to fix it...

Resolution: FIXED => INVALID