
Re: freeimage and CVE-2019-12214



Hi Cyrille

Thank you! Do you mean that freeimage copies in those files during the
build process?
If you could update the notes for this CVE it would be nice. I started
but realized that I had more questions, and then it is better if you, who
know the answer, do it.

No hurry since this is for a postponed issue.

Cheers

// Ola

On Fri, 12 Apr 2024 at 09:15, Cyrille Bollu <cyrille@bollu.be> wrote:
>
> FTR,
>
> I did a small analysis, and it's for sure that CVE-2019-12214 relates
> to code from openjpeg: looking at the content of folder "LibOpenJpeg"
> in freeimage's source code shows exactly the same files as in
> https://github.com/uclouvain/openjpeg/tree/master/src/lib/openjp2
>
> However, since freeimage copies those files into its source tree rather
> than relying on shared libraries, it should probably still be listed as
> a "CPE affected software configuration" for this CVE...
>
> BTW, while freeimage might be dead, libopenjpeg is still alive
>
> BR,
>
> Cyrille
>


-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
|  ola@inguza.com                    opal@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------

