Re: freeimage and CVE-2019-12214
Hi Santiago
On Mon, 15 Apr 2024 at 21:10, Santiago Ruano Rincón
<santiagorr@riseup.net> wrote:
>
> Hi Ola,
>
> As discussed with Salvatore, there is not enough evidence to
> conclude that there is no issue present on the freeimage side.
Do I understand correctly that the evidence that Cyrille provided is not enough?
> We need
> to be on the safe side, like *always*, and by marking freeimage as
> <not-affected> we would stop tracking the issue.
> To stay on the safe side, we need to keep tracking the issue.
If we do not trust that analysis from Cyrille, I agree with you.
> Hugo mentioned this refactoring commit that *could* have fixed the issue:
> https://github.com/uclouvain/openjpeg/commit/c887df12a38ff1a2721d0c8a93b74fe1d02701a2
> Ref: https://sourceforge.net/p/freeimage/discussion/36111/thread/e06734bed5/#b887/4639
> But without any reproducer, it is hard to conclude the issue was fixed.
Yes, without a reproducer we cannot tell with absolute certainty,
unless we create a new reproducer.
> One possibility would be to mark it as <ignored>, but not as
> <not-affected>.
That is a possibility, yes. Is this what you propose then?
> <postponed> wouldn't make sense since the reporter
> hasn't shared any more information in five years.
That was new to me. I thought we did not <ignore> issues purely
because we have no more info.
But I agree with you that ignoring really old things for which we have
no more info makes sense.
I was not aware that it was an ok thing to do.
> So please, don't close #947478 either.
I won't. :-)
// Ola
--
--- Inguza Technology AB --- MSc in Information Technology ----
| ola@inguza.com opal@debian.org |
| http://inguza.com/ Mobile: +46 (0)70-332 1551 |
---------------------------------------------------------------