
Re: freeimage and CVE-2019-12214



Hi Cyrille

See below.

On Fri, 12 Apr 2024 at 10:44, Cyrille Bollu <cyrille@bollu.be> wrote:
>
>
> >Thank you! Do you mean that freeimage copies in those files during the
> >build process?
>
> If you download the tarball at
> https://freeimage.sourceforge.io/download.html you'll find that,
> once unzipped, it contains a 'Source/LibOpenJPEG' folder that contains
> about the same files as
> https://github.com/uclouvain/openjpeg/tree/master/src/lib/openjp2,
> though older.

I see. The thing is that if you take the buster version that is not the case.

ola@buster-lts:~/build/freeimage-3.18.0+ds2$ ls Source/LibOpenJPEG
ls: cannot access 'Source/LibOpenJPEG': No such file or directory

ola@buster-lts:~/build/freeimage-3.18.0+ds2$ find | grep -i open
./Examples/OpenGL
./Examples/OpenGL/TextureManager
./Examples/OpenGL/TextureManager/readme.txt
./Examples/OpenGL/TextureManager/TextureManager.h
./Examples/OpenGL/TextureManager/TextureManager.cpp
ola@buster-lts:~/build/freeimage-3.18.0+ds2$ find | grep -i jpeg
./Wrapper/FreeImage.NET/cs/Library/Enumerations/FREE_IMAGE_JPEG_OPERATION.cs
./.pc/Disable-testing-of-JPEG-transform.patch
./.pc/Disable-testing-of-JPEG-transform.patch/TestAPI
./.pc/Disable-testing-of-JPEG-transform.patch/TestAPI/testJPEG.cpp
./.pc/Disable-vendored-dependencies.patch/Source/FreeImage/PluginJPEG.cpp
./debian/patches/Disable-testing-of-JPEG-transform.patch
./Source/FreeImage/PluginJPEG.cpp
./TestAPI/testJPEG.cpp

> So, I guess they've copied them manually, even before the build.

Looks so, but not in the buster version.

> >If you could update the notes for this CVE it would be nice. I started
> >but realized that I had more questions and then it is better if you do
> >it who knows the answer.
>
> Ok, I'll create a PR

Thank you.

// Ola

-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
|  ola@inguza.com                    opal@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------

