Hi Ola,

Thank you for your help.

So, IIUC:

1. CVE-2019-12214 shouldn't be assigned to freeimage in Debian Buster;
2. CVE-2019-12214 might be assigned to source package openjpeg2 or
   openjpeg (the latter doesn't seem to be available in Buster though)

Cyrille

On Friday 12 April 2024 at 12:00 +0200, Ola Lundqvist wrote:
> Hi Cyrille
>
> See below.
>
> On Fri, 12 Apr 2024 at 10:44, Cyrille Bollu <cyri...@bollu.be> wrote:
> > >
> > > Thank you! Do you mean that freeimage copies in those files
> > > during the build process?
> >
> > If you download the tarball at
> > https://freeimage.sourceforge.io/download.html you'll find that,
> > once unzipped, it contains a 'Source/LibOpenJPEG' folder that
> > contains about the same files as
> > https://github.com/uclouvain/openjpeg/tree/master/src/lib/openjp2,
> > though older.
>
> I see. The thing is that if you take the buster version that is not
> the case.
>
> ola@buster-lts:~/build/freeimage-3.18.0+ds2$ ls Source/LibOpenJPEG
> ls: cannot access 'Source/LibOpenJPEG': No such file or directory
>
> ola@buster-lts:~/build/freeimage-3.18.0+ds2$ find | grep -i open
> ./Examples/OpenGL
> ./Examples/OpenGL/TextureManager
> ./Examples/OpenGL/TextureManager/readme.txt
> ./Examples/OpenGL/TextureManager/TextureManager.h
> ./Examples/OpenGL/TextureManager/TextureManager.cpp
> ola@buster-lts:~/build/freeimage-3.18.0+ds2$ find | grep -i jpeg
> ./Wrapper/FreeImage.NET/cs/Library/Enumerations/FREE_IMAGE_JPEG_OPERATION.cs
> ./.pc/Disable-testing-of-JPEG-transform.patch
> ./.pc/Disable-testing-of-JPEG-transform.patch/TestAPI
> ./.pc/Disable-testing-of-JPEG-transform.patch/TestAPI/testJPEG.cpp
> ./.pc/Disable-vendored-dependencies.patch/Source/FreeImage/PluginJPEG.cpp
> ./debian/patches/Disable-testing-of-JPEG-transform.patch
> ./Source/FreeImage/PluginJPEG.cpp
> ./TestAPI/testJPEG.cpp
>
> > So, I guess they've copied them manually, even before the build.
>
> Looks so, but not in the buster version.
>
> > > If you could update the notes for this CVE it would be nice. I
> > > started but realized that I had more questions and then it is
> > > better if you do it who knows the answer.
> >
> > Ok, I'll create a PR
>
> Thank you.
>
> // Ola