Bug#940951: Upstream version (and ideally commit) which fixed CVE-2018-7587?

Salvatore Bonaccorso carnil at debian.org
Mon Mar 2 20:29:01 GMT 2020


Hi Andreas,

On Mon, Mar 02, 2020 at 06:29:40PM +0100, Andreas Tille wrote:
> On Mon, Mar 02, 2020 at 03:43:16PM +0100, Salvatore Bonaccorso wrote:
> > Hi Andreas,
> > 
> > On Mon, Mar 02, 2020 at 01:45:04PM +0000, Debian Bug Tracking System wrote:
> > > Hello Andreas,
> > > 
> > > I think I've fixed these bugs indeed, a few months ago.
> > > 
> > > Regards,
> > > 
> > > David.
> > > 
> > > PS : I'm sorry but I don't write Changelog for CImg anymore. Not
> > > that I don't maintain it, but I write my changes directly in the
> > > Changelog of the G'MIC project.
> > 
> > So this means 2.8.4 upstream contains the fix for CVE-2018-7587, any
> > pointers to the upstream commit which fixed the issue, was it fixed
> > before 2.8.4?
> > 
> > Many thanks in advance,
> 
> I understood from David that this was fixed even before.  He has not pointed
> to any specific commit.

Then we need some help to track this down. From a security point of
view, we would like to try to track the issues as exactly as possible
and confirmed. The CVE-2018-7587 assignment itself is not very
transparent on its own, unfortunately. The only reference I found was
that it relates to https://github.com/dtschump/CImg/issues/185 (as some
other CVEs around that time). But now there were 5 testcases, and 5
other CVEs relate to upstream commit
10af1e8c1ad2a58a0a3342a856bae63e8f257abb. CVE-2018-7587 itself says it
is for the "DoS occurs when loading a crafted bmp image that triggers
an allocation failure in load_bmp in CImg.h".

David, is this association correct?

Regards,
Salvatore


