>Cyrille, would you mind submitting your update to MITRE instead? Done
Le lundi 15 avril 2024 à 10:29 -0300, Santiago Ruano Rincón a écrit : > Hi, > > Cyrille, thank you for checking this. However, I don't think the > contact > address you had sent the email is correct. > CVE is maintained by MITRE (not NIST). And there exist several CNAs > that > could issue CVE IDs for specific products/domains. > According to https://www.cve.org/CVERecord?id=CVE-2019-12214, that > CVE > was assigned by MITRE Corporation. > > According to https://cve.mitre.org/ (or https://www.cve.org/), the > correct way to request an update in a CVE entry assigned by MITRE is > filling out the form that you can find at: > https://cveform.mitre.org/, > choosing the appropriate request type. > > Cyrille, would you mind submitting your update to MITRE instead? > > > Ola, the changes you have made to the security-tracker have been > reverted by Salvatore. See dd2656be1f868274d60b1f38aa7a884e3c8123f2. > Please, let us know if would you like to propose a proper update. I > think it is worth to mention the finding in #947478. > > Thank you, > > El 14/04/24 a las 13:39, Ola Lundqvist escribió: > > Hi Cyrille > > > > Thank you very much. > > > > I'll update the security tracker accordingly. > > > > // Ola > > > > On Sun, 14 Apr 2024 at 12:24, Cyrille Bollu <cyri...@bollu.be> > > wrote: > > > > > Hi, > > > > > > I've performed a more thoroughful investigation and have informed > > > NIST > > > that the offending line is actually to be found in openjpeg > > > between > > > version 2.0.0 up to (excluding) 2.1.0. > > > > > > Debian Buster isn't affected as it uses version 2.3.0-2+deb10u2. > > > > > > Hereunder copy of the email I've sent ot NIST. > > > > > > Best regards, > > > > > > Cyrille > > > > > > > Message-ID: > > > > <981f8fc77d9e0fee8399a19e6e4c9c64ceeea9a7.ca...@bollu.be> > > > > Subject: CVE-2019-12214: missing vulnerable configuration > > > > From: Cyrille Bollu <cyri...@bollu.be> > > > > To: cpe_diction...@nist.gov > > > > Date: Sun, 14 Apr 2024 12:01:43 +0200 > > > > Content-Type: text/plain; charset="UTF-8" > > > > Content-Transfer-Encoding: quoted-printable > > > > User-Agent: Evolution 3.46.4-2 > > > > MIME-Version: 1.0 > > > > X-Evolution-Identity: 953def08ae37ee7006cd76b472f065ecb205f7e1 > > > > X-Evolution-Fcc: > > > > folder://d19e895bfc6f11c136a14747fb40c471b2a393e7/Sent > > > > X-Evolution-Transport: 80f305883d50f910e4b81fcb40b6c46360542068 > > > > X-Evolution-Source: > > > > > > > > Dear NIST, > > > > > > > > As part of an investigation performed on-behalf of Debian-LTS > > > > team, > > > > I've found out that CVE-2019-12214 is actualy located in code > > > > from the > > > > openjpeg project (https://github.com/uclouvain/openjpeg) which > > > > freeimage copied in its source tree. > > > > > > > > The offending line, "memcpy(l_cp->ppm_data_current, > > > > p_header_data, > > > > l_N_ppm);", has been introduced in version 2.0.0 (see > > > > > > > https://github.com/uclouvain/openjpeg/archive/refs/tags/version.2.0.tar.gz > > > ) > > > > and removed in version 2.1.1 (see > > > > https://github.com/uclouvain/openjpeg/archive/refs/tags/v2.1.1.tar.gz > > > > ) > > > . > > > > > > > > So, all intermediatory versions (version 2.0.0 included) might > > > > be > > > > vulnerables (I haven't investigated more than just the presence > > > > of > > > > absence of this line though). > > > > > > > > I think it's worth updating CVE-2019-12214 with this > > > > information. > > > > > > > > Best regards, > > > > > > > > Cyrille Bollu > > > > > > Le samedi 13 avril 2024 à 09:56 +0200, Cyrille a écrit : > > > > I don’t know anything about your procedures, but I don’t see > > > > why we > > > > wouldn’t… > > > > > > > > I would also contact NIST (or whoever is in charge of the CVE > > > > database; I can’t remember by heart who it is) to let them know > > > > this, > > > > so they update the CVE’s vulnerable configurations. I’ll try to > > > > do > > > > that next week, but I will probably first have to find out > > > > which > > > > exact versions of openjpeg2 have been affected (which will > > > > probably > > > > be quite difficult for me) > > > > > > > > Nice week-end > > > > > > > > Cyrille > > > > > > > > > Le 13 avr. 2024 à 00:22, Ola Lundqvist <o...@inguza.com> a > > > > > écrit : > > > > > > > > > > Hi Cyrille > > > > > > > > > > > On Fri, 12 Apr 2024 at 16:32, Cyrille Bollu > > > > > > <cyri...@bollu.be> > > > > > > wrote: > > > > > > > > > > > > Hi Ola, > > > > > > > > > > > > Thank you for your help. > > > > > > > > > > > > So, IIUC: > > > > > > > > > > > > 1. CVE-2019-12214 shouldn't be assigned to freeimage in > > > > > > Debian > > > > > > Buster; > > > > > > 2. CVE-2019-12214 might be assigned to source package > > > > > > openjpeg2 > > > > > > or > > > > > > openjpeg (the later doesn't seem to be available in Buster > > > > > > though) > > > > > > > > > > Yes, potentially so. At least if I understand the email from > > > > > Santiago correctly. > > > > > > > > > > freeimage build depends on libopenjp2-7-dev which is built > > > > > from > > > > > openjpeg2 so in buster it is openjpeg2 where it should > > > > > belong. > > > > > > > > > > But I do not know whether we typically re-assign things like > > > > > this > > > > > or > > > > > not so I do not want to give advice for this. Better if > > > > > someone > > > > > else > > > > > who knows the practice answers this. > > > > > > > > > > // Ola > > > > > > > > > > -- > > > > > --- Inguza Technology AB --- MSc in Information Technology -- > > > > > -- > > > > > > o...@inguza.com > > > > > > o...@debian.org | > > > > > > http://inguza.com/ Mobile: +46 (0)70-332 > > > > > > 1551 | > > > > > ------------------------------------------------------------- > > > > > -- > > > > > > > > > > > > > -- > > --- Inguza Technology AB --- MSc in Information Technology ---- > > > o...@inguza.com o...@debian.org | > > > http://inguza.com/ Mobile: +46 (0)70-332 1551 | > > ---------------------------------------------------------------
