Re: freeimage and CVE-2019-12214

Fri, 12 Apr 2024 07:24:45 -0700 

Hi,

El 12/04/24 a las 12:00, Ola Lundqvist escribió:
> Hi Cyrille
> 
> See below.
> 
> On Fri, 12 Apr 2024 at 10:44, Cyrille Bollu <[email protected]> wrote:
> >
> >
> > >Thank you! Do you mean that freeimage copy in those files during the
> > >build process?
> >
> > If you download the tarball at
> > https://freeimage.sourceforge.io/download.html you'll find that the,
> > once unzipped, it contains a 'Source/LibOpenJPEG' folder that contains
> > about the same files as
> > https://github.com/uclouvain/openjpeg/tree/master/src/lib/openjp2,
> > though older.
> 
> I see. The thing is that if you take the buster version that is not the case.
> 
> ola@buster-lts:~/build/freeimage-3.18.0+ds2$ ls Source/LibOpenJPEG
> ls: cannot access 'Source/LibOpenJPEG': No such file or directory
> 
> ola@buster-lts:~/build/freeimage-3.18.0+ds2$ find | grep -i open
> ./Examples/OpenGL
> ./Examples/OpenGL/TextureManager
> ./Examples/OpenGL/TextureManager/readme.txt
> ./Examples/OpenGL/TextureManager/TextureManager.h
> ./Examples/OpenGL/TextureManager/TextureManager.cpp
> ola@buster-lts:~/build/freeimage-3.18.0+ds2$ find | grep -i jpeg
> ./Wrapper/FreeImage.NET/cs/Library/Enumerations/FREE_IMAGE_JPEG_OPERATION.cs
> ./.pc/Disable-testing-of-JPEG-transform.patch
> ./.pc/Disable-testing-of-JPEG-transform.patch/TestAPI
> ./.pc/Disable-testing-of-JPEG-transform.patch/TestAPI/testJPEG.cpp
> ./.pc/Disable-vendored-dependencies.patch/Source/FreeImage/PluginJPEG.cpp
> ./debian/patches/Disable-testing-of-JPEG-transform.patch
> ./Source/FreeImage/PluginJPEG.cpp
> ./TestAPI/testJPEG.cpp

And I would recommend to check against actual code, even the function
name instead of file names.

sh -c "grep -r j2k_read_ppm_v3 freeimage-3.18.0+ds2/ ; echo \$?"
1

To complement:

freeimage (3.10.0-3) unstable; urgency=low

  * Don't use embedded copies of various libraries, add build-deps on their
    packaged versions (closes: #595560):
    - libjpeg 6b
    - libmng 1.0.9
    - libopenjpeg 1.2.0
    - libpng 1.2.23
      + CVE-2010-2249, CVE-2010-1205, CVE-2010-0205, CVE-2009-2042,
        CVE-2008-6218, CVE-2008-5907, CVE-2009-0040, CVE-2008-3964,
        CVE-2008-1382
    - openexr 1.6.1
      + CVE-2009-1720, CVE-2009-1721
    - zlib 1.2.3
...

Cheers,

 -- Santiago

Attachment: signature.asc
Description: PGP signature

Reply via email to