
Re: How to handle freeimage package



On Thu, Apr 11, 2024 at 09:34:00PM +0200, Ola Lundqvist wrote:
>...
> On Thu, 11 Apr 2024 at 15:34, Santiago Ruano Rincón
> <santiagorr@riseup.net> wrote:
> ...
> > Taking one of the recent changes to data/CVE/list:
> >
> > @@ -6999,6 +7000,7 @@ CVE-2024-28579 (Buffer Overflow vulnerability in open source FreeImage v.3.19.0
> >         - freeimage <unfixed> (bug #1068461)
> >         [bookworm] - freeimage <no-dsa> (Revisit when fixed upstream)
> >         [bullseye] - freeimage <no-dsa> (Revisit when fixed upstream)
> > +       [buster] - freeimage <postponed> (Revisit when fixed upstream, low severity DoS in tool)
> >         NOTE: https://github.com/Ruanxingzhi/vul-report/tree/master/freeimage-r1909
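Review bot: the justification on the added `[buster]` line, "low severity DoS in tool", states a severity assessment that nothing else in the hunk backs up: the CVE line above describes the issue only as a "Buffer Overflow vulnerability", and the bookworm and bullseye entries carry just "Revisit when fixed upstream" with `<no-dsa>` rather than `<postponed>`. Either drop the severity clause so the buster entry reads like the other suites, or record where the DoS-only conclusion comes from (for example next to the vul-report link on the NOTE line), so a later triager can see why buster was handled differently.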
> >
> > Are you completely sure the related buffer overflow doesn't make
> > it possible to cause arbitrary code execution?
> 
> Can one be completely sure about anything? So, no I'm not completely
> sure. I have worked long enough to learn that even if I think I'm
> right I may not be.

The only thing you can be sure about is that the PoC reproduces the CVE 
without your fix, and no longer reproduces it with your fix.

> I'm pretty sure that the ones that mention code execution are more severe.
>...

I'm pretty sure this is not a realistic assumption.

Everyone who has done CVE fixing in recent years knows that fuzzer CVEs 
are relatively nice to handle since they usually come with a PoC and 
tend to have a short fix, but the CVE descriptions are often garbage 
since many of the CVE reporters do not have any clue how an exploit 
would work.

> // Ola

cu
Adrian

