Talos security advisory for Opencv (TALOS-2019-0852, 0853) #15857

Closed
CiscoTalos opened this issue Nov 6, 2019 · 7 comments · Fixed by #15868

@CiscoTalos

The Cisco Talos team found two security vulnerabilities affecting OpenCV 4.1.0. As this is a sensitive security issue, this message is to request a point of contact to report the detailed report.
Email requests to admin at opencv.org were also sent.

@alalek
Member

alalek commented Nov 7, 2019

@CiscoTalos Thank you for the detailed report!

We are able to reproduce the problem on OpenCV 4.x releases (up to the latest 4.1.2 release).
OpenCV 3.4.8 is not affected by the mentioned problems.

@CiscoTalos
Author

Thanks for the update. Do you have a timeline for public disclosure?

@alalek
Member

alalek commented Nov 13, 2019

The next release is planned for the end of the year (before 25 Dec).
It would be nice to postpone full disclosure until then.

@CiscoTalos
Author

The issue reached 90 days on Oct 22 and we extended through end of this month (November). We can issue a final extension to 2019-12-13 which is 30 days from today for public disclosure.

@CiscoTalos
Author

Hello,

If you have an exact date for the release at this time, we will make note and provide an additional extension. You noted before Dec 25, 2019, so it would help to know the exact date.

@CiscoTalos
Author

We provided the two week extension to the last communicated date for public disclosure postponement. Please advise status and/or URL for public release. Thanks

@alalek
Member

alalek commented Jan 2, 2020

Thank you!
OpenCV 4.2.0 has been released with the fix: https://github.com/opencv/opencv/releases/tag/4.2.0
