CVE-2017-12862 — Improper Restriction of Operations within the Bounds of a Memory Buffer in OpenC

Description

In modules/imgcodecs/src/grfmt_pxm.cpp, the length of buffer AutoBuffer _src is small than expected, which will cause copy buffer overflow later. If the image is from remote, may lead to remote code execution or denial of service. This affects Opencv 3.3 and earlier.

How to fix CVE-2017-12862

To remediate CVE-2017-12862, upgrade the affected package to a fixed version below.

—upgrade to 3.2.0+dfsg-6 or later
—upgrade to 3.3.1.11 or later
—upgrade to 3.3.1.11 or later

Is CVE-2017-12862 being exploited?

Low — EPSS is 2.1%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

from 0, < 3.2.0+dfsg-6
from 0, < 3.3.1.11
from 0, < 3.3.1.11

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.8	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References (8)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2017-12862
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2017-12862
PATCHgithub.com/opencv/opencv-python
WEBgithub.com/opencv/opencv/issues/9370
WEBgithub.com