Information about this CVE and bug. ---------- Forwarded message --------- From: Cyrille Bollu <cyri...@bollu.be> Date: Sun, 14 Apr 2024 at 12:24 Subject: Re: freeimage and CVE-2019-12214 To: Ola Lundqvist <o...@inguza.com> Cc: <debian-...@lists.debian.org>
Hi, I've performed a more thoroughful investigation and have informed NIST that the offending line is actually to be found in openjpeg between version 2.0.0 up to (excluding) 2.1.0. Debian Buster isn't affected as it uses version 2.3.0-2+deb10u2. Hereunder copy of the email I've sent ot NIST. Best regards, Cyrille >Message-ID: <981f8fc77d9e0fee8399a19e6e4c9c64ceeea9a7.ca...@bollu.be> >Subject: CVE-2019-12214: missing vulnerable configuration >From: Cyrille Bollu <cyri...@bollu.be> >To: cpe_diction...@nist.gov >Date: Sun, 14 Apr 2024 12:01:43 +0200 >Content-Type: text/plain; charset="UTF-8" >Content-Transfer-Encoding: quoted-printable >User-Agent: Evolution 3.46.4-2 >MIME-Version: 1.0 >X-Evolution-Identity: 953def08ae37ee7006cd76b472f065ecb205f7e1 >X-Evolution-Fcc: >folder://d19e895bfc6f11c136a14747fb40c471b2a393e7/Sent >X-Evolution-Transport: 80f305883d50f910e4b81fcb40b6c46360542068 >X-Evolution-Source: > >Dear NIST, > >As part of an investigation performed on-behalf of Debian-LTS team, >I've found out that CVE-2019-12214 is actualy located in code from the >openjpeg project (https://github.com/uclouvain/openjpeg) which >freeimage copied in its source tree. > >The offending line, "memcpy(l_cp->ppm_data_current, p_header_data, >l_N_ppm);", has been introduced in version 2.0.0 (see >https://github.com/uclouvain/openjpeg/archive/refs/tags/version.2.0.tar.gz ) >and removed in version 2.1.1 (see >https://github.com/uclouvain/openjpeg/archive/refs/tags/v2.1.1.tar.gz) . > >So, all intermediatory versions (version 2.0.0 included) might be >vulnerables (I haven't investigated more than just the presence of >absence of this line though). > >I think it's worth updating CVE-2019-12214 with this information. > >Best regards, > >Cyrille Bollu Le samedi 13 avril 2024 à 09:56 +0200, Cyrille a écrit : > I don’t know anything about your procedures, but I don’t see why we > wouldn’t… > > I would also contact NIST (or whoever is in charge of the CVE > database; I can’t remember by heart who it is) to let them know this, > so they update the CVE’s vulnerable configurations. I’ll try to do > that next week, but I will probably first have to find out which > exact versions of openjpeg2 have been affected (which will probably > be quite difficult for me) > > Nice week-end > > Cyrille > > > Le 13 avr. 2024 à 00:22, Ola Lundqvist <o...@inguza.com> a écrit : > > > > Hi Cyrille > > > > > On Fri, 12 Apr 2024 at 16:32, Cyrille Bollu <cyri...@bollu.be> > > > wrote: > > > > > > Hi Ola, > > > > > > Thank you for your help. > > > > > > So, IIUC: > > > > > > 1. CVE-2019-12214 shouldn't be assigned to freeimage in Debian > > > Buster; > > > 2. CVE-2019-12214 might be assigned to source package openjpeg2 > > > or > > > openjpeg (the later doesn't seem to be available in Buster > > > though) > > > > Yes, potentially so. At least if I understand the email from > > Santiago correctly. > > > > freeimage build depends on libopenjp2-7-dev which is built from > > openjpeg2 so in buster it is openjpeg2 where it should belong. > > > > But I do not know whether we typically re-assign things like this > > or > > not so I do not want to give advice for this. Better if someone > > else > > who knows the practice answers this. > > > > // Ola > > > > -- > > --- Inguza Technology AB --- MSc in Information Technology ---- > > > o...@inguza.com o...@debian.org | > > > http://inguza.com/ Mobile: +46 (0)70-332 1551 | > > --------------------------------------------------------------- > -- --- Inguza Technology AB --- MSc in Information Technology ---- | o...@inguza.com o...@debian.org | | http://inguza.com/ Mobile: +46 (0)70-332 1551 | ---------------------------------------------------------------
