OpenCV using old and vulnerable libraries libtiff/libpng/libjpeg (Bug #585)
Description
OpenCV is using some outdated 3rd party libraries including libtiff, libpng and libjpeg which all have known vulnerabilities such as potential code execution. I would recommend updating these libraries to a recent version.
I would also recommend reviewing the other 3rd party libraries to see if they have any known vulnerabilities.
Looking at the readme.txt in the 3rd party directory, these libraries appear to be built only in Windows environments. It does appear that Fedora Linux at least uses the system libraries instead. But I am not knowledgeable about the OpenCV build process.
Associated revisions
Merge pull request #585 from bitwangyaoyao:2.4_SURF
History
Updated by Nicu Stiurca about 14 years ago
Regarding the last paragraph, I can confirm that on Ubuntu 10.10 it uses the system libraries. However, the 3rd party libraries are indeed built from the included source for Android builds, so there is a potential security issue there. (If the vulnerabilities rely on x86-specific properties, then it might to apply to Android since devices running Android use ARM processors.)
Updated by Vadim Pisarevsky almost 14 years ago
In 2.2 the 3rd-party libs have been updated to reasonably modern versions.
- Status changed from Open to Done
- (deleted custom field) set to fixed
Updated by Andrey Kamaev almost 13 years ago
- Category set to highgui-images
- Assignee set to Vadim Pisarevsky
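The thread turns on whether a given OpenCV build links the host's libjpeg/libpng/libtiff or compiles the copies shipped with its source. The following is an added example, not code from the ticket or from OpenCV: it parses build-summary text of the kind `cv2.getBuildInformation()` returns and reports where each image codec comes from. The sample text is constructed, and the line layout (including `build` marking a bundled copy) is an assumption that varies between OpenCV versions.

```python
import re

# Constructed sample in the style of OpenCV's build summary ("Media I/O" section).
# Assumed layout; on a real install use: import cv2; text = cv2.getBuildInformation()
SAMPLE_BUILD_INFO = """\
  Media I/O:
    ZLib:                        /usr/lib/x86_64-linux-gnu/libz.so (ver 1.2.11)
    JPEG:                        build (ver 90)
    PNG:                         /usr/lib/x86_64-linux-gnu/libpng.so (ver 1.6.37)
    TIFF:                        build (ver 42 - 4.0.10)
    JPEG 2000:                   NO
"""

LINE_RE = re.compile(r"^\s*(?P<name>[A-Za-z0-9 ]+?):\s+(?P<value>\S.*?)\s*$")
VER_RE = re.compile(r"\(ver (?P<ver>[^)]*)\)")
WATCHED = ("JPEG", "PNG", "TIFF")  # the three libraries named in the report


def classify_codecs(build_info, watched=WATCHED):
    """Return {lib: (origin, version)}; origin is bundled/system/disabled/unknown."""
    found = {}
    for line in build_info.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("name") not in watched:
            continue
        value = m.group("value")
        ver = VER_RE.search(value)
        version = ver.group("ver") if ver else None
        source = value.split(" (ver", 1)[0].strip()
        if source.upper() == "NO":
            origin = "disabled"
        elif source.startswith("build"):
            origin = "bundled"   # compiled from the copy shipped with OpenCV
        elif "/" in source or "\\" in source:
            origin = "system"    # linked against a library file on the host
        else:
            origin = "unknown"
        found[m.group("name")] = (origin, version)
    return found


def bundled_libs(build_info):
    """Names of watched codecs that are not patched by the OS package manager."""
    return sorted(n for n, (o, _) in classify_codecs(build_info).items() if o == "bundled")


if __name__ == "__main__":
    for name, (origin, version) in classify_codecs(SAMPLE_BUILD_INFO).items():
        print(f"{name:5} {origin:8} {version}")
```

Codecs reported as bundled only get fixes when OpenCV itself is rebuilt or upgraded, so their versions are the ones to compare against the upstream libraries' advisories.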