On Thu, Apr 11, 2024 at 09:34:00PM +0200, Ola Lundqvist wrote:
>...
> On Thu, 11 Apr 2024 at 15:34, Santiago Ruano Rincón
> <[email protected]> wrote:
> ...
> > Taking one of the recent changes to data/CVE/list:
> >
> > @@ -6999,6 +7000,7 @@ CVE-2024-28579 (Buffer Overflow vulnerability in open
> > source FreeImage v.3.19.0
> > - freeimage <unfixed> (bug #1068461)
> > [bookworm] - freeimage <no-dsa> (Revisit when fixed upstream)
> > [bullseye] - freeimage <no-dsa> (Revisit when fixed upstream)
> > + [buster] - freeimage <postponed> (Revisit when fixed upstream, low
> > severity DoS in tool)
> > NOTE:
> > https://github.com/Ruanxingzhi/vul-report/tree/master/freeimage-r1909
> >
> > Are you completely sure the related buffer overflow doesn't make it
> > possible to cause arbitrary code execution?
>
> Can one be completely sure about anything? So, no I'm not completely
> sure. I have worked long enough to learn that even if I think I'm
> right I may not be.
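Review bot: the added `+ [buster] - freeimage <postponed> (Revisit when fixed upstream, low severity DoS in tool)` line records a rationale ("low severity DoS") that the entry itself does not support: the heading calls CVE-2024-28579 a "Buffer Overflow vulnerability", and the only reference is the NOTE link to the external report, so nothing in the hunk shows whether the PoC produces a crash only or an out-of-bounds write. The bookworm and bullseye lines above it stay at `<no-dsa>` with the bare "Revisit when fixed upstream" comment, so buster is being rated lower than the other suites on the same CVE with no stated basis; either record in the comment what was actually verified about the overflow (e.g. read-only crash in the sample tool, not reachable from the library API) or keep the buster tag consistent with the other suites until that is established.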
The only thing you can be sure about is that the PoC reproduces the CVE
without your fix, and no longer reproduces it with your fix.

> I'm pretty sure that the ones that mention code execution are more severe.
>...

I'm pretty sure this is not a realistic assumption.

Everyone who has done CVE fixing in recent years knows that fuzzer CVEs
are relatively nice to handle since they usually come with a PoC and tend
to have a short fix, but the CVE descriptions are often garbage since many
of the CVE reporters do not have any clue how an exploit would work.

> // Ola

cu
Adrian
