Bug 1160887 (CVE-2019-9423) - VUL-0: CVE-2019-9423: opencv: out of bounds write due to missing bounds check
Status: RESOLVED FIXED
Alias: CVE-2019-9423
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/243794/
Whiteboard: CVSSv2:NVD:CVE-2019-9423:4.6:(AV:L/A...
Reported: 2020-01-14 10:31 UTC by Wolfgang Frisch
Modified: 2024-05-22 14:28 UTC

Found By: Security Response Team


Comment 1 Wolfgang Frisch 2020-01-14 10:32:42 UTC
CVE-2019-9423

In opencv calls that use libpng, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges required. User interaction is not required for exploitation.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1789427
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-9423
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9423.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9423
https://source.android.com/security/bulletin/android-10
http://www.openwall.com/lists/oss-security/2019/10/25/17
http://www.openwall.com/lists/oss-security/2019/10/27/1
http://www.openwall.com/lists/oss-security/2019/11/07/1
Comment 2 Wolfgang Frisch 2020-01-14 10:34:33 UTC
No details as of 2020-01-14.
Comment 4 Wolfgang Frisch 2020-07-23 07:31:04 UTC
Still no further information available. Deferring.
Comment 5 Wolfgang Frisch 2021-05-06 16:17:55 UTC
Still nothing. Deferred.
Comment 6 Andrea Mattiazzo 2024-05-22 14:28:18 UTC
All done, closing.