Re: freeimage and CVE-2019-12214
>Cyrille, would you mind submitting your update to MITRE instead?
Done
Le lundi 15 avril 2024 à 10:29 -0300, Santiago Ruano Rincón a écrit :
> Hi,
>
> Cyrille, thank you for checking this. However, I don't think the
> contact
> address you had sent the email is correct.
> CVE is maintained by MITRE (not NIST). And there exist several CNAs
> that
> could issue CVE IDs for specific products/domains.
> According to https://www.cve.org/CVERecord?id=CVE-2019-12214, that
> CVE
> was assigned by MITRE Corporation.
>
> According to https://cve.mitre.org/ ;(or https://www.cve.org/), the
> correct way to request an update in a CVE entry assigned by MITRE is
> filling out the form that you can find at:
> https://cveform.mitre.org/,
> choosing the appropriate request type.
>
> Cyrille, would you mind submitting your update to MITRE instead?
>
>
> Ola, the changes you have made to the security-tracker have been
> reverted by Salvatore. See dd2656be1f868274d60b1f38aa7a884e3c8123f2.
> Please, let us know if would you like to propose a proper update. I
> think it is worth to mention the finding in #947478.
>
> Thank you,
>
> El 14/04/24 a las 13:39, Ola Lundqvist escribió:
> > Hi Cyrille
> >
> > Thank you very much.
> >
> > I'll update the security tracker accordingly.
> >
> > // Ola
> >
> > On Sun, 14 Apr 2024 at 12:24, Cyrille Bollu <cyrille@bollu.be>
> > wrote:
> >
> > > Hi,
> > >
> > > I've performed a more thoroughful investigation and have informed
> > > NIST
> > > that the offending line is actually to be found in openjpeg
> > > between
> > > version 2.0.0 up to (excluding) 2.1.0.
> > >
> > > Debian Buster isn't affected as it uses version 2.3.0-2+deb10u2.
> > >
> > > Hereunder copy of the email I've sent ot NIST.
> > >
> > > Best regards,
> > >
> > > Cyrille
> > >
> > > > Message-ID:
> > > > <981f8fc77d9e0fee8399a19e6e4c9c64ceeea9a7.camel@bollu.be>
> > > > Subject: CVE-2019-12214: missing vulnerable configuration
> > > > From: Cyrille Bollu <cyrille@bollu.be>
> > > > To: cpe_dictionary@nist.gov
> > > > Date: Sun, 14 Apr 2024 12:01:43 +0200
> > > > Content-Type: text/plain; charset="UTF-8"
> > > > Content-Transfer-Encoding: quoted-printable
> > > > User-Agent: Evolution 3.46.4-2
> > > > MIME-Version: 1.0
> > > > X-Evolution-Identity: 953def08ae37ee7006cd76b472f065ecb205f7e1
> > > > X-Evolution-Fcc:
> > > > folder://d19e895bfc6f11c136a14747fb40c471b2a393e7/Sent
> > > > X-Evolution-Transport: 80f305883d50f910e4b81fcb40b6c46360542068
> > > > X-Evolution-Source:
> > > >
> > > > Dear NIST,
> > > >
> > > > As part of an investigation performed on-behalf of Debian-LTS
> > > > team,
> > > > I've found out that CVE-2019-12214 is actualy located in code
> > > > from the
> > > > openjpeg project (https://github.com/uclouvain/openjpeg) which
> > > > freeimage copied in its source tree.
> > > >
> > > > The offending line, "memcpy(l_cp->ppm_data_current,
> > > > p_header_data,
> > > > l_N_ppm);", has been introduced in version 2.0.0 (see
> > > >
> > > https://github.com/uclouvain/openjpeg/archive/refs/tags/version.2.0.tar.gz
> > > )
> > > > and removed in version 2.1.1 (see
> > > > https://github.com/uclouvain/openjpeg/archive/refs/tags/v2.1.1.tar.gz
> > > > )
> > > .
> > > >
> > > > So, all intermediatory versions (version 2.0.0 included) might
> > > > be
> > > > vulnerables (I haven't investigated more than just the presence
> > > > of
> > > > absence of this line though).
> > > >
> > > > I think it's worth updating CVE-2019-12214 with this
> > > > information.
> > > >
> > > > Best regards,
> > > >
> > > > Cyrille Bollu
> > >
> > > Le samedi 13 avril 2024 à 09:56 +0200, Cyrille a écrit :
> > > > I don’t know anything about your procedures, but I don’t see
> > > > why we
> > > > wouldn’t…
> > > >
> > > > I would also contact NIST (or whoever is in charge of the CVE
> > > > database; I can’t remember by heart who it is) to let them know
> > > > this,
> > > > so they update the CVE’s vulnerable configurations. I’ll try to
> > > > do
> > > > that next week, but I will probably first have to find out
> > > > which
> > > > exact versions of openjpeg2 have been affected (which will
> > > > probably
> > > > be quite difficult for me)
> > > >
> > > > Nice week-end
> > > >
> > > > Cyrille
> > > >
> > > > > Le 13 avr. 2024 à 00:22, Ola Lundqvist <ola@inguza.com> a
> > > > > écrit :
> > > > >
> > > > > Hi Cyrille
> > > > >
> > > > > > On Fri, 12 Apr 2024 at 16:32, Cyrille Bollu
> > > > > > <cyrille@bollu.be>
> > > > > > wrote:
> > > > > >
> > > > > > Hi Ola,
> > > > > >
> > > > > > Thank you for your help.
> > > > > >
> > > > > > So, IIUC:
> > > > > >
> > > > > > 1. CVE-2019-12214 shouldn't be assigned to freeimage in
> > > > > > Debian
> > > > > > Buster;
> > > > > > 2. CVE-2019-12214 might be assigned to source package
> > > > > > openjpeg2
> > > > > > or
> > > > > > openjpeg (the later doesn't seem to be available in Buster
> > > > > > though)
> > > > >
> > > > > Yes, potentially so. At least if I understand the email from
> > > > > Santiago correctly.
> > > > >
> > > > > freeimage build depends on libopenjp2-7-dev which is built
> > > > > from
> > > > > openjpeg2 so in buster it is openjpeg2 where it should
> > > > > belong.
> > > > >
> > > > > But I do not know whether we typically re-assign things like
> > > > > this
> > > > > or
> > > > > not so I do not want to give advice for this. Better if
> > > > > someone
> > > > > else
> > > > > who knows the practice answers this.
> > > > >
> > > > > // Ola
> > > > >
> > > > > --
> > > > > --- Inguza Technology AB --- MSc in Information Technology --
> > > > > --
> > > > > > ola@inguza.com
> > > > > > opal@debian.org |
> > > > > > http://inguza.com/ ; Mobile: +46 (0)70-332
> > > > > > 1551 |
> > > > > -------------------------------------------------------------
> > > > > --
> > > >
> > >
> >
> >
> > --
> > --- Inguza Technology AB --- MSc in Information Technology ----
> > > ola@inguza.com opal@debian.org |
> > > http://inguza.com/ ; Mobile: +46 (0)70-332 1551 |
> > ---------------------------------------------------------------
Reply to: