Hi Cyrille

Thank you!

Do you mean that freeimage copies in those files during the build process?

If you could update the notes for this CVE it would be nice. I started but realized that I had more questions, and then it is better if you, who know the answer, do it.
No hurry since this is for a postponed issue.

Cheers

// Ola

On Fri, 12 Apr 2024 at 09:15, Cyrille Bollu <[email protected]> wrote:
>
> FTR,
>
> I did a small analysis, and that's for sure that CVE-2019-12214 relates
> to code from openjpeg: Looking at the content of folder "LibOpenJpeg"
> in freeimage's source code shows exactly the same files as in
> https://github.com/uclouvain/openjpeg/tree/master/src/lib/openjp2
>
> However, since freeimage copies those files into its source tree rather
> than relying on shared libraries, it should probably still be listed as
> a "CPE affected software configuration" for this CVE...
>
> BTW, while freeimage might be dead, libopenjpeg is still alive
>
> BR,
>
> Cyrille
>

--
 --- Inguza Technology AB --- MSc in Information Technology ----
|  [email protected]                    [email protected]  |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------
