
What are the two high-risk vulnerabilities found by Cisco Talos in the OpenCV library?

2025-01-15 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

What are the two high-risk vulnerabilities that Cisco Talos found in the OpenCV library? Many less experienced readers are unsure about this, so this article summarizes the causes of the vulnerabilities and their fix.

The maintainers of the OpenCV library have fixed two high-risk buffer overflow vulnerabilities that attackers could exploit to execute arbitrary code.

OpenCV is a cross-platform, open-source computer vision library released under the BSD license. It runs on Linux, Windows, Android, and Mac OS. Many large companies, including Google, Microsoft, Intel, IBM, Yahoo, Sony, Honda, and Toyota, use the OpenCV library to develop facial recognition, robotics, motion tracking, and similar technologies.

Cisco Talos researchers found two buffer overflow vulnerabilities in OpenCV version 4.1.0. The CVE numbers of these two vulnerabilities are CVE-2019-5063 and CVE-2019-5064, respectively.

CVE-2019-5063 is a heap buffer overflow vulnerability in OpenCV's data structure persistence functionality. This feature lets developers write OpenCV data structures to files on disk and read them back. An attacker can use a specially crafted XML file to exploit the vulnerability, causing multiple heap corruptions and code execution.

CVE-2019-5064 also exists in OpenCV's data structure persistence functionality and can be triggered by an attacker with a specially crafted JSON file. The expert explained that when a JSON file containing null bytes is parsed, the file is copied to a buffer, but the OpenCV library fails to check whether the JSON value overflows the target buffer.

OpenCV.org, which maintains the library, released OpenCV 4.2.0 at the end of December 2019, fixing both vulnerabilities.
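The bug class described for CVE-2019-5064, shown as an added C example that is not OpenCV's code and not from the original article: a length-checked copy of a JSON string value into a fixed-size buffer. The function name, status codes and buffer size are hypothetical, and escape sequences are kept verbatim rather than decoded.

```c
#include <stddef.h>
#include <stdio.h>

#define VALUE_BUF_SIZE 16 /* hypothetical fixed-size destination buffer */

/* Hypothetical status codes for this example. */
enum { COPY_OK = 0, COPY_UNTERMINATED = -1, COPY_TOO_LONG = -2, COPY_EMBEDDED_NUL = -3 };

/*
 * Copy a JSON string value into dst. src points just past the opening quote;
 * src_len is the number of input bytes left (taken from the file size, never
 * strlen(), so an embedded NUL cannot hide the rest of the input).
 * An unchecked parser would store bytes until the closing quote and write
 * past dst for a long value. On error the contents of dst must not be used.
 */
int copy_json_string(const char *src, size_t src_len,
                     char *dst, size_t dst_size, size_t *out_len)
{
    size_t n = 0;
    if (dst_size == 0) return COPY_TOO_LONG;
    for (size_t i = 0; i < src_len; i++) {
        char c = src[i];
        if (c == '"') {               /* closing quote: terminate and succeed */
            dst[n] = '\0';
            if (out_len) *out_len = n;
            return COPY_OK;
        }
        if (c == '\\') {              /* simplified: keep the escaped byte as-is */
            if (++i >= src_len)
                break;                /* dangling backslash at end of input */
            c = src[i];
        }
        if (c == '\0') return COPY_EMBEDDED_NUL; /* raw NUL is invalid in a JSON string */
        if (n + 1 >= dst_size)
            return COPY_TOO_LONG;     /* bounds check the article describes as missing */
        dst[n++] = c;
    }
    return COPY_UNTERMINATED;
}

int main(void)
{
    /* Constructed input: a 19-byte value, longer than the 16-byte buffer. */
    const char big[] = "0123456789abcdefXYZ\"";
    char buf[VALUE_BUF_SIZE];
    int rc = copy_json_string(big, sizeof big - 1, buf, sizeof buf, NULL);
    printf("oversized value -> %d\n", rc);
    return rc == COPY_TOO_LONG ? 0 : 1;
}
```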
