
Re: How to handle freeimage package

Hi Adrian,

On Thu, 11 Apr 2024 at 17:18, Adrian Bunk <bunk@debian.org> wrote:
...
> > +       [buster] - freeimage <postponed> (Revisit when fixed upstream, low severity DoS in tool)
> >         NOTE: https://github.com/Ruanxingzhi/vul-report/tree/master/freeimage-r1909
> >
> > Are you completely sure the related buffer overflow doesn't make it
> > possible to cause arbitrary code execution? Are you 100% sure it is
> > limited to a local DoS? To be on the safe side, I would just leave it as a
> > note (Revisit when fixed upstream). Fellows doing FD work could also
> > confirm whether this is correct or not.
> >...
>
> "in tool" looks wrong in any case.

Is "user interactive program" better? See below.

> The 21 new CVEs were from a fuzzer who was using a trivial tool that
> uses the library APIs to load and unload images:
> https://github.com/Ruanxingzhi/vul-report/blob/master/freeimage-r1909/poc.c

Maybe we misunderstand each other here. I'm not referring to the tool
used to exploit it.

With "tool" I'm referring to the software in Debian repository that
uses this library to do things.
I went through the reverse dependencies to check what kind of software
it was, and found that all of them were of the "user interactive tool"
type.
Like colmap, oce-draw, kicad, netgen, rviz and so on. Some of them are
not using freeimage directly but may use it indirectly. In any case,
all I found were of the "user interactive tool" type.

If someone has built their software using the direct API and provided
that as a network service, then yes, we should not postpone, because then
that would be a high severity issue. But if we are going to consider
that case, all our libraries will automatically get high severity and
it is pointless to do any useful triaging. In that case we can simply
add everything to dla-needed with high prio from the start.

> (I assume poc.c is a polished version of the work.cpp in the traces)

Cheers

// Ola

> > Cheers,
> >
> >  -- Santiago
>
> cu
> Adrian
>


-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
|  ola@inguza.com                    opal@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------