
Re: freeimage and CVE-2019-12214



Hi Santiago

Yes, that is better. This was just a reply to Cyrille, telling him that the
package in buster does not have that directory.

// Ola

On Fri, 12 Apr 2024 at 16:24, santiago <santiagorr@riseup.net> wrote:
>
> Hi,
>
> On 12/04/24 at 12:00, Ola Lundqvist wrote:
> > Hi Cyrille
> >
> > See below.
> >
> > On Fri, 12 Apr 2024 at 10:44, Cyrille Bollu <cyrille@bollu.be> wrote:
> > >
> > >
> > > >Thank you! Do you mean that freeimage copies in those files during the
> > > >build process?
> > >
> > > If you download the tarball at
> > > https://freeimage.sourceforge.io/download.html you'll find that,
> > > once unzipped, it contains a 'Source/LibOpenJPEG' folder that contains
> > > about the same files as
> > > https://github.com/uclouvain/openjpeg/tree/master/src/lib/openjp2,
> > > though older.
> >
> > I see. The thing is that if you take the buster version that is not the case.
> >
> > ola@buster-lts:~/build/freeimage-3.18.0+ds2$ ls Source/LibOpenJPEG
> > ls: cannot access 'Source/LibOpenJPEG': No such file or directory
> >
> > ola@buster-lts:~/build/freeimage-3.18.0+ds2$ find | grep -i open
> > ./Examples/OpenGL
> > ./Examples/OpenGL/TextureManager
> > ./Examples/OpenGL/TextureManager/readme.txt
> > ./Examples/OpenGL/TextureManager/TextureManager.h
> > ./Examples/OpenGL/TextureManager/TextureManager.cpp
> > ola@buster-lts:~/build/freeimage-3.18.0+ds2$ find | grep -i jpeg
> > ./Wrapper/FreeImage.NET/cs/Library/Enumerations/FREE_IMAGE_JPEG_OPERATION.cs
> > ./.pc/Disable-testing-of-JPEG-transform.patch
> > ./.pc/Disable-testing-of-JPEG-transform.patch/TestAPI
> > ./.pc/Disable-testing-of-JPEG-transform.patch/TestAPI/testJPEG.cpp
> > ./.pc/Disable-vendored-dependencies.patch/Source/FreeImage/PluginJPEG.cpp
> > ./debian/patches/Disable-testing-of-JPEG-transform.patch
> > ./Source/FreeImage/PluginJPEG.cpp
> > ./TestAPI/testJPEG.cpp
>
> And I would recommend checking against the actual code, even the function
> name, instead of file names.
>
> sh -c "grep -r j2k_read_ppm_v3 freeimage-3.18.0+ds2/ ; echo \$?"
> 1
>
> To complement:
>
> freeimage (3.10.0-3) unstable; urgency=low
>
>   * Don't use embedded copies of various libraries, add build-deps on their
>     packaged versions (closes: #595560):
>     - libjpeg 6b
>     - libmng 1.0.9
>     - libopenjpeg 1.2.0
>     - libpng 1.2.23
>       + CVE-2010-2249, CVE-2010-1205, CVE-2010-0205, CVE-2009-2042,
>         CVE-2008-6218, CVE-2008-5907, CVE-2009-0040, CVE-2008-3964,
>         CVE-2008-1382
>     - openexr 1.6.1
>       + CVE-2009-1720, CVE-2009-1721
>     - zlib 1.2.3
> ...
>
> Cheers,
>
>  -- Santiago



-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
|  ola@inguza.com                    opal@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------
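
The function-name check recommended in the thread, as an added example that is not part of any message above: it searches an unpacked source tree for a symbol while skipping quilt's .pc/ backups and debian/patches/, which hold pre-patch copies and diff text rather than compiled code. The helper names and both sample trees are constructed for illustration (they are not the contents of the real freeimage package), and GNU or BSD find and grep are assumed.

```shell
#!/bin/sh
# Added example, not from the thread. All files created here are constructed.

# Print files under <tree> that mention <symbol> as a whole word.
# Skips quilt's .pc/ (pre-patch backups) and debian/patches/ (diff text),
# neither of which is compiled. Status 0 if any file matched, 1 if none.
symbol_hits() {
    tree=${1%/} symbol=$2
    hits=$(find "$tree" \
        \( -path "$tree/.pc" -o -path "$tree/debian/patches" \) -prune \
        -o -type f -exec grep -lwF -e "$symbol" {} + | sort)
    [ -n "$hits" ] && printf '%s\n' "$hits"
}

# Build two constructed trees under <dir>: "stripped" and "vendored".
make_sample_trees() {
    d=$1
    mkdir -p "$d/stripped/Source/FreeImage" "$d/stripped/.pc/x.patch/Source/LibOpenJPEG" \
             "$d/stripped/debian/patches" "$d/vendored/Source/LibOpenJPEG"
    echo 'int load_jpeg(void);' > "$d/stripped/Source/FreeImage/PluginJPEG.cpp"
    echo 'void j2k_read_ppm_v3(void) {}' > "$d/stripped/.pc/x.patch/Source/LibOpenJPEG/j2k.c"
    echo '-void j2k_read_ppm_v3(void) {}' > "$d/stripped/debian/patches/x.patch"
    echo 'void j2k_read_ppm_v3(void) {}' > "$d/vendored/Source/LibOpenJPEG/j2k.c"
    echo 'void j2k_read_ppm_v3_old(void);' > "$d/vendored/Source/LibOpenJPEG/j2k.h"
}

tmp=$(mktemp -d)
make_sample_trees "$tmp"
for t in stripped vendored; do
    if out=$(symbol_hits "$tmp/$t" j2k_read_ppm_v3); then
        echo "$t: present in"; echo "$out"
    else
        echo "$t: not present in compiled sources"
    fi
done
rm -rf "$tmp"
```

On the "stripped" tree a plain `grep -r` would report two files, both of them leftovers of the removed embedded copy; the filtered search reports none.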

