#VU38462 Buffer overflow in Debian Linux - CVE-2017-12862

Cybersecurity Help s.r.o.

Published: 2017-08-15 | Updated: 2020-08-08

Vulnerability identifier: #VU38462

Vulnerability risk: High

CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2017-12862

CWE-ID: CWE-119

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Debian Linux
Operating systems & Components / Operating system

Vendor: Debian

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

In modules/imgcodecs/src/grfmt_pxm.cpp, the length of buffer AutoBuffer _src is small than expected, which will cause copy buffer overflow later. If the image is from remote, may lead to remote code execution or denial of service. This affects Opencv 3.3 and earlier.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Debian Linux: 8.0

External links
https://github.com/opencv/opencv/issues/9370
https://lists.debian.org/debian-lts-announce/2018/07/msg00030.html
https://security.gentoo.org/glsa/201712-02

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Buffer overflow in Debian Linux