High severity OpenCV buffer overflow vulnerabilities

Cisco’s Talos security group has released details on two High severity buffer overflow vulnerabilities that affect OpenCV libraries.

Talos said the vulnerabilities impact the OpenCV libraries, currently maintained by the non-profit organization OpenCV.org. OpenCV is used in numerous applications, such as facial recognition, robotics and motion tracking software. Intel originally developed OpenCV in 1999.

The two OpenCV vulnerabilities (CVE-2019-5063 and CVE-2019-5064) each affect OpenCV 4.1.0 and sport a High severity rating and CVSS base score of 8.8.

In the first advisory, CVE-2019-5063, a buffer overflow in OpenCV's persistence parser, affects the library's JSON handling:

“A specially crafted JSON file can cause a buffer overflow, resulting in multiple heap corruptions and potentially code execution. An attacker can provide a specially crafted file to trigger this vulnerability.”

In the second advisory, CVE-2019-5064, another buffer overflow in the persistence parser, affects the library's XML handling.

Similarly, a specially crafted XML file can trigger a buffer overflow, which can in turn cause multiple heap corruptions and potentially code execution.
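The advisories describe the bug class (a file parser copying attacker-controlled bytes into a buffer without checking its size) but not OpenCV's internals, so the following is an added illustration and not OpenCV's code. It assumes a toy persistence-style reader for a quoted string value with no escape handling; `read_quoted_unchecked` ignores the caller's capacity (the defect), while `read_quoted_checked` rejects any value that would not fit, which is the kind of check that turns a heap corruption into a clean parse error. The sample inputs are constructed, and the demo backs the 8-byte field with a 64-byte array so the unchecked write stays within real memory while still overrunning the logical field.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not OpenCV's code: a minimal reader for a quoted
 * string value of the kind a persistence (JSON/XML) parser extracts.
 * Assumed input format: "..." with no escape sequences. */

/* Unchecked version: copies until the closing quote, trusting the file
 * to be short enough for the caller's buffer. Returns the number of
 * payload bytes written, or -1 if the input is malformed. */
int read_quoted_unchecked(const char *in, char *out, size_t cap) {
    (void)cap;                       /* capacity is ignored: this is the defect */
    if (*in != '"') return -1;       /* missing opening quote */
    in++;
    size_t n = 0;
    while (*in && *in != '"') {
        out[n++] = *in++;            /* no bound on n: an oversized value overruns out */
    }
    if (*in != '"') return -1;       /* unterminated string */
    out[n] = '\0';
    return (int)n;
}

/* Hardened version: never writes more than cap-1 payload bytes (leaving
 * room for the terminator) and reports an overlong value as an error. */
int read_quoted_checked(const char *in, char *out, size_t cap) {
    if (cap == 0 || *in != '"') return -1;
    in++;
    size_t n = 0;
    while (*in && *in != '"') {
        if (n + 1 >= cap) return -1; /* would overflow: reject the file */
        out[n++] = *in++;
    }
    if (*in != '"') return -1;       /* unterminated string */
    out[n] = '\0';
    return (int)n;
}

/* Constructed sample inputs: one that fits an 8-byte field, one that does not. */
const char *const SAMPLE_OK   = "\"cam0\"";
const char *const SAMPLE_LONG = "\"AAAAAAAAAAAAAAAAAAAA\"";  /* 20 payload bytes */

int main(void) {
    /* Deliberately larger than the 8-byte logical field so the demo itself
     * stays in-bounds; in a real parser this would be a heap allocation. */
    char backing[64];
    int n = read_quoted_unchecked(SAMPLE_LONG, backing, 8);
    printf("unchecked: wrote %d bytes into an 8-byte field\n", n);
    n = read_quoted_checked(SAMPLE_LONG, backing, 8);
    printf("checked:   returned %d (value rejected)\n", n);
    n = read_quoted_checked(SAMPLE_OK, backing, 8);
    printf("checked:   benign value accepted, %d bytes\n", n);
    return 0;
}
```

The checked reader fails closed on the same input that the unchecked reader happily copies past the field boundary; in a parser that handles files from untrusted sources, the length check belongs at every copy into a fixed-size or pre-sized allocation, not only at the top-level document size.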

Talos initially notified the vendor of the issues in July 2019. The issues were subsequently patched on December 19, 2019.