
Re: freeimage and CVE-2019-12214



Hi,

On 12/04/24 at 12:00, Ola Lundqvist wrote:
> Hi Cyrille
> 
> See below.
> 
> On Fri, 12 Apr 2024 at 10:44, Cyrille Bollu <cyrille@bollu.be> wrote:
> >
> >
> > >Thank you! Do you mean that freeimage copies in those files during the
> > >build process?
> >
> > If you download the tarball at
> > https://freeimage.sourceforge.io/download.html you'll find that,
> > once unzipped, it contains a 'Source/LibOpenJPEG' folder that contains
> > about the same files as
> > https://github.com/uclouvain/openjpeg/tree/master/src/lib/openjp2,
> > though older.
> 
> I see. The thing is that if you take the buster version that is not the case.
> 
> ola@buster-lts:~/build/freeimage-3.18.0+ds2$ ls Source/LibOpenJPEG
> ls: cannot access 'Source/LibOpenJPEG': No such file or directory
> 
> ola@buster-lts:~/build/freeimage-3.18.0+ds2$ find | grep -i open
> ./Examples/OpenGL
> ./Examples/OpenGL/TextureManager
> ./Examples/OpenGL/TextureManager/readme.txt
> ./Examples/OpenGL/TextureManager/TextureManager.h
> ./Examples/OpenGL/TextureManager/TextureManager.cpp
> ola@buster-lts:~/build/freeimage-3.18.0+ds2$ find | grep -i jpeg
> ./Wrapper/FreeImage.NET/cs/Library/Enumerations/FREE_IMAGE_JPEG_OPERATION.cs
> ./.pc/Disable-testing-of-JPEG-transform.patch
> ./.pc/Disable-testing-of-JPEG-transform.patch/TestAPI
> ./.pc/Disable-testing-of-JPEG-transform.patch/TestAPI/testJPEG.cpp
> ./.pc/Disable-vendored-dependencies.patch/Source/FreeImage/PluginJPEG.cpp
> ./debian/patches/Disable-testing-of-JPEG-transform.patch
> ./Source/FreeImage/PluginJPEG.cpp
> ./TestAPI/testJPEG.cpp

And I would recommend checking against the actual code, even the function
name rather than file names.

sh -c "grep -r j2k_read_ppm_v3 freeimage-3.18.0+ds2/ ; echo \$?"
1

To complement:

freeimage (3.10.0-3) unstable; urgency=low

  * Don't use embedded copies of various libraries, add build-deps on their
    packaged versions (closes: #595560):
    - libjpeg 6b
    - libmng 1.0.9
    - libopenjpeg 1.2.0
    - libpng 1.2.23
      + CVE-2010-2249, CVE-2010-1205, CVE-2010-0205, CVE-2009-2042,
        CVE-2008-6218, CVE-2008-5907, CVE-2009-0040, CVE-2008-3964,
        CVE-2008-1382
    - openexr 1.6.1
      + CVE-2009-1720, CVE-2009-1721
    - zlib 1.2.3
...

Cheers,

 -- Santiago
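As an added example (not part of Santiago's message, and not code from the
freeimage package): a small POSIX shell script that applies the same check
more systematically. It searches an unpacked source tree for a function name
in real C/C++ sources only, pruning quilt's .pc/ directory (which keeps
pre-patch copies of files) and ignoring debian/patches and changelogs, so
that a patch merely mentioning the symbol does not count as vendored code.
The two directory layouts it builds are constructed for the demo and mimic
the two trees discussed above: an upstream-style tarball with
Source/LibOpenJPEG and a Debian +ds tree where that directory was stripped.
The symbol j2k_read_ppm_v3 is the one Santiago grepped for; the file
contents are invented.

```shell
#!/bin/sh
# Added example: check for a vendored library by function name, not by
# directory name. Paths, file contents and symbols are assumptions made
# up for this demo, not taken from any real freeimage or openjpeg release.

# vendored_symbol_present DIR SYMBOL...
# Returns 0 if any SYMBOL occurs as a whole word in a *.c/*.cpp/*.h/*.hpp
# file under DIR, 1 otherwise. .pc/ is pruned because quilt stores the
# unpatched originals there; they are not what gets compiled. Patch files
# and changelogs never match because only source extensions are searched.
vendored_symbol_present() {
    dir=$1; shift
    for sym in "$@"; do
        found=$(find "$dir" -name .pc -prune -o -type f \
                    \( -name '*.c' -o -name '*.cpp' -o -name '*.h' -o -name '*.hpp' \) \
                    -exec grep -lw -- "$sym" {} + 2>/dev/null || true)
        if [ -n "$found" ]; then
            return 0
        fi
    done
    return 1
}

# make_demo_trees
# Creates two constructed trees under a temp dir and prints its path:
#   upstream/  - shaped like the upstream tarball, still carrying
#                Source/LibOpenJPEG with the function defined in j2k.c
#   ds/        - shaped like the Debian +ds tree: no LibOpenJPEG directory,
#                but a debian patch and a .pc/ copy that mention the symbol
make_demo_trees() {
    root=$(mktemp -d)

    mkdir -p "$root/upstream/Source/LibOpenJPEG" "$root/upstream/Source/FreeImage"
    printf 'static int j2k_read_ppm_v3(void *j2k) { return 0; } /* constructed */\n' \
        > "$root/upstream/Source/LibOpenJPEG/j2k.c"
    printf '/* constructed plugin stub */\n' \
        > "$root/upstream/Source/FreeImage/PluginJPEG.cpp"

    mkdir -p "$root/ds/Source/FreeImage" "$root/ds/debian/patches" \
             "$root/ds/.pc/Disable-vendored-dependencies.patch/Source/FreeImage"
    printf '/* constructed plugin stub, built against the system library */\n' \
        > "$root/ds/Source/FreeImage/PluginJPEG.cpp"
    # Mentions of the symbol outside compiled sources must not be counted.
    printf -- '-/* removed call to j2k_read_ppm_v3 */\n' \
        > "$root/ds/debian/patches/Disable-vendored-dependencies.patch"
    printf '/* pre-patch copy: j2k_read_ppm_v3 */\n' \
        > "$root/ds/.pc/Disable-vendored-dependencies.patch/Source/FreeImage/PluginJPEG.cpp"

    echo "$root"
}

# report DIR SYMBOL...: one line per tree, for a quick triage note.
report() {
    if vendored_symbol_present "$@"; then
        echo "$1: vendored code present (symbol found in compiled sources)"
    else
        echo "$1: symbol absent from compiled sources, not affected via a vendored copy"
    fi
}

demo_root=$(make_demo_trees)
report "$demo_root/upstream" j2k_read_ppm_v3
report "$demo_root/ds" j2k_read_ppm_v3
rm -rf "$demo_root"
```

Run it against a real unpacked source package instead of the demo trees
with something like `vendored_symbol_present freeimage-3.18.0+ds2/ j2k_read_ppm_v3; echo $?`.
The grep -w and the source-extension filter are what separate a genuine hit
from a patch header or a changelog line that happens to name the function.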
