
Re: freeimage and CVE-2019-12214



Hi Ola,

Thank you for your help.

So, IIUC:

1. CVE-2019-12214 shouldn't be assigned to freeimage in Debian Buster;
2. CVE-2019-12214 might be assigned to source package openjpeg2 or
openjpeg (the latter doesn't seem to be available in Buster though)

Cyrille

On Friday 12 April 2024 at 12:00 +0200, Ola Lundqvist wrote:
> Hi Cyrille
> 
> See below.
> 
> On Fri, 12 Apr 2024 at 10:44, Cyrille Bollu <cyrille@bollu.be> wrote:
> > 
> > 
> > > Thank you! Do you mean that freeimage copies in those files during
> > > the build process?
> > 
> > If you download the tarball at
> > https://freeimage.sourceforge.io/download.html you'll find that,
> > once unzipped, it contains a 'Source/LibOpenJPEG' folder that contains
> > about the same files as
> > https://github.com/uclouvain/openjpeg/tree/master/src/lib/openjp2,
> > though older.
> 
> I see. The thing is that if you take the buster version that is not
> the case.
> 
> ola@buster-lts:~/build/freeimage-3.18.0+ds2$ ls Source/LibOpenJPEG
> ls: cannot access 'Source/LibOpenJPEG': No such file or directory
> 
> ola@buster-lts:~/build/freeimage-3.18.0+ds2$ find | grep -i open
> ./Examples/OpenGL
> ./Examples/OpenGL/TextureManager
> ./Examples/OpenGL/TextureManager/readme.txt
> ./Examples/OpenGL/TextureManager/TextureManager.h
> ./Examples/OpenGL/TextureManager/TextureManager.cpp
> ola@buster-lts:~/build/freeimage-3.18.0+ds2$ find | grep -i jpeg
> ./Wrapper/FreeImage.NET/cs/Library/Enumerations/FREE_IMAGE_JPEG_OPERATION.cs
> ./.pc/Disable-testing-of-JPEG-transform.patch
> ./.pc/Disable-testing-of-JPEG-transform.patch/TestAPI
> ./.pc/Disable-testing-of-JPEG-transform.patch/TestAPI/testJPEG.cpp
> ./.pc/Disable-vendored-dependencies.patch/Source/FreeImage/PluginJPEG.cpp
> ./debian/patches/Disable-testing-of-JPEG-transform.patch
> ./Source/FreeImage/PluginJPEG.cpp
> ./TestAPI/testJPEG.cpp
> 
> > So, I guess they've copied them manually, even before the build.
> 
> Looks so, but not in the buster version.
> 
> > > If you could update the notes for this CVE it would be nice. I
> > > started but realized that I had more questions and then it is
> > > better if you do it who knows the answer.
> > 
> > Ok, I'll create a PR
> 
> Thank you.
> 
> // Ola
> 

