Re: freeimage and CVE-2019-12214
>Thank you! Do you mean that freeimage copy in those files during the
>build process?
If you download the tarball at
https://freeimage.sourceforge.io/download.html you'll find that,
once unzipped, it contains a 'Source/LibOpenJPEG' folder with
about the same files as
https://github.com/uclouvain/openjpeg/tree/master/src/lib/openjp2,
though older.
So, I guess they've copied them manually, even before the build.
>If you could update the notes for this CVE it would be nice. I
>started
>but realized that I had more questions and then it is better if you
>do
>it who knows the answer.
Ok, I'll create a PR
Cyrille
On Friday 12 April 2024 at 09:24 +0200, Ola Lundqvist wrote:
> Hi Cyrille
>
> Thank you! Do you mean that freeimage copy in those files during the
> build process?
> If you could update the notes for this CVE it would be nice. I
> started
> but realized that I had more questions and then it is better if you
> do
> it who knows the answer.
>
> No hurry since this is for a postponed issue.
>
> Cheers
>
> // Ola
>
> On Fri, 12 Apr 2024 at 09:15, Cyrille Bollu <cyrille@bollu.be> wrote:
> >
> > FTR,
> >
> > I did a small analysis, and it's for sure that CVE-2019-12214
> > relates
> > to code from openjpeg: looking at the content of the folder
> > "LibOpenJpeg"
> > in freeimage's source code shows exactly the same files as in
> > https://github.com/uclouvain/openjpeg/tree/master/src/lib/openjp2
> >
> > However, since freeimage copies those files into its source tree
> > rather
> > than relying on shared libraries, it should probably still be
> > listed as
> > a "CPE affected software configuration" for this CVE...
> >
> > BTW, while freeimage might be dead, libopenjpeg is still alive
> >
> > BR,
> >
> > Cyrille
> >
>
>
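The comparison the thread describes (unpack the FreeImage tarball, then compare its Source/LibOpenJPEG folder against openjpeg's src/lib/openjp2 to see which files are identical, which were patched locally and which release the copy corresponds to) can be scripted. The following is an added example written for this page; it is not code from the thread, from FreeImage or from OpenJPEG. The two directory names, the .c/.h filter and the "any #define with VERSION in its name" heuristic are assumptions, and the small tree it builds to run against is constructed for the demo.

```python
"""Audit a vendored source copy against an upstream checkout.

Added example for this thread; it is not FreeImage or OpenJPEG code.
Intended use: point `vendored` at an unpacked FreeImage tarball's
Source/LibOpenJPEG and `upstream` at openjpeg's src/lib/openjp2. Those
paths, the file extensions and the version-macro heuristic are all
assumptions made here, not facts taken from either project.
"""
import hashlib
import os
import re
import tempfile

SOURCE_EXT = (".c", ".h")


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _source_files(root):
    """Map relative path -> sha256 for every .c/.h file under root."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(SOURCE_EXT):
                full = os.path.join(dirpath, name)
                out[os.path.relpath(full, root)] = _sha256(full)
    return out


def compare_trees(vendored, upstream):
    """Classify source files by whether the vendored copy matches upstream."""
    v = _source_files(vendored)
    u = _source_files(upstream)
    common = sorted(set(v) & set(u))
    return {
        "identical": [p for p in common if v[p] == u[p]],
        "modified": [p for p in common if v[p] != u[p]],   # local patches
        "only_vendored": sorted(set(v) - set(u)),
        "only_upstream": sorted(set(u) - set(v)),          # e.g. newer files
    }


# Heuristic (an assumption, not a documented macro): any #define whose name
# contains VERSION and whose value is a number or a quoted dotted version.
VERSION_RE = re.compile(r'#define\s+(\w*VERSION\w*)\s+"?([0-9][0-9.]*)"?')


def find_version_defines(root):
    """Return {macro_name: value} for version-looking #defines in headers,
    so the vendored copy can be matched to an upstream release."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if name.endswith(".h"):
                with open(os.path.join(dirpath, name), errors="replace") as f:
                    for m in VERSION_RE.finditer(f.read()):
                        found.setdefault(m.group(1), m.group(2))
    return found


def build_sample_trees():
    """Constructed fixture standing in for the two real directories."""
    base = tempfile.mkdtemp(prefix="vendor-audit-")
    vendored = os.path.join(base, "LibOpenJPEG")
    upstream = os.path.join(base, "openjp2")
    os.makedirs(vendored)
    os.makedirs(upstream)
    files = {
        # identical in both copies
        ("vendored", "dwt.c"): "int dwt(void) { return 1; }\n",
        ("upstream", "dwt.c"): "int dwt(void) { return 1; }\n",
        # differs: upstream carries a fix the vendored copy lacks
        ("vendored", "j2k.c"): "int j2k(void) { return 0; }\n",
        ("upstream", "j2k.c"): "int j2k(void) { return 0; } /* fixed */\n",
        # only present on one side
        ("vendored", "opj_config.h"): '#define OPJ_PACKAGE_VERSION "2.1.0"\n',
        ("upstream", "ht_dec.c"): "int ht_dec(void) { return 2; }\n",
        # non-source file that must be ignored
        ("vendored", "README.txt"): "vendored copy\n",
    }
    for (side, name), body in files.items():
        d = vendored if side == "vendored" else upstream
        with open(os.path.join(d, name), "w") as f:
            f.write(body)
    return vendored, upstream


def demo():
    vendored, upstream = build_sample_trees()
    report = compare_trees(vendored, upstream)
    report["versions"] = find_version_defines(vendored)
    return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Against the real trees, the "modified" and "only_upstream" lists are what matter for a CVE triage: a file that differs from the upstream release the version macro points at is where a local patch (or a missing fix) lives, and files that exist only upstream are a hint that the vendored copy predates the release that introduced them.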