Re: How to handle freeimage package
On Thu, Apr 11, 2024 at 09:34:00PM +0200, Ola Lundqvist wrote:
>...
> On Thu, 11 Apr 2024 at 15:34, Santiago Ruano Rincón
> <santiagorr@riseup.net> wrote:
> ...
> > Taking one of the recent changes to data/CVE/list:
> >
> > @@ -6999,6 +7000,7 @@ CVE-2024-28579 (Buffer Overflow vulnerability in open source FreeImage v.3.19.0
> > - freeimage <unfixed> (bug #1068461)
> > [bookworm] - freeimage <no-dsa> (Revisit when fixed upstream)
> > [bullseye] - freeimage <no-dsa> (Revisit when fixed upstream)
> > + [buster] - freeimage <postponed> (Revisit when fixed upstream, low severity DoS in tool)
> > NOTE: https://github.com/Ruanxingzhi/vul-report/tree/master/freeimage-r1909
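Review bot: the added `[buster]` line records the decision as "low severity DoS in tool" but the hunk carries no evidence for that classification beyond the NOTE link, and the adjacent bookworm and bullseye entries only say "Revisit when fixed upstream"; record in the tracker note what was actually verified against the PoC (which binary it crashes and how the crash was assessed), so the `<postponed>` rating can be re-evaluated if the upstream report is later updated. The suite-level tags are also inconsistent within the hunk: bookworm and bullseye are `<no-dsa>` while buster is `<postponed>`, which should be deliberate and documented rather than incidental.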
> >
> > Are you completely sure the related buffer overflow doesn't make
> > it possible to cause arbitrary code execution?
>
> Can one be completely sure about anything? So, no I'm not completely
> sure. I have worked long enough to learn that even if I think I'm
> right I may not be.
The only thing you can be sure about is that the PoC reproduces the CVE
without your fix, and no longer reproduces it with your fix.
> I'm pretty sure that the ones that mention code execution are more severe.
>...
I'm pretty sure this is not a realistic assumption.
Everyone who has done CVE fixing in recent years knows that fuzzer CVEs
are relatively nice to handle since they usually come with a PoC and
tend to have a short fix, but the CVE descriptions are often garbage
since many of the CVE reporters do not have any clue how an exploit
would work.
> // Ola
cu
Adrian