Bug#947478: Fwd: freeimage and CVE-2019-12214

Ola Lundqvist ola at inguza.com
Mon Apr 15 19:04:42 BST 2024


Information about this CVE and bug.

---------- Forwarded message ---------
From: Cyrille Bollu <cyrille at bollu.be>
Date: Sun, 14 Apr 2024 at 12:24
Subject: Re: freeimage and CVE-2019-12214
To: Ola Lundqvist <ola at inguza.com>
Cc: <debian-lts at lists.debian.org>


Hi,

I've performed a more thorough investigation and have informed NIST
that the offending line is actually to be found in openjpeg between
version 2.0.0 up to (excluding) 2.1.0.

Debian Buster isn't affected as it uses version 2.3.0-2+deb10u2.

Hereunder is a copy of the email I've sent to NIST.

Best regards,

Cyrille

>Message-ID: <981f8fc77d9e0fee8399a19e6e4c9c64ceeea9a7.camel at bollu.be>
>Subject: CVE-2019-12214: missing vulnerable configuration
>From: Cyrille Bollu <cyrille at bollu.be>
>To: cpe_dictionary at nist.gov
>Date: Sun, 14 Apr 2024 12:01:43 +0200
>
>Dear NIST,
>
>As part of an investigation performed on behalf of the Debian-LTS team,
>I've found out that CVE-2019-12214 is actually located in code from the
>openjpeg project (https://github.com/uclouvain/openjpeg) which
>freeimage copied in its source tree.
>
>The offending line, "memcpy(l_cp->ppm_data_current, p_header_data,
>l_N_ppm);", has been introduced in version 2.0.0 (see
>https://github.com/uclouvain/openjpeg/archive/refs/tags/version.2.0.tar.gz)
>and removed in version 2.1.1 (see
>https://github.com/uclouvain/openjpeg/archive/refs/tags/v2.1.1.tar.gz).
>
>So, all intermediate versions (version 2.0.0 included) might be
>vulnerable (I haven't investigated more than just the presence or
>absence of this line though).
>
>I think it's worth updating CVE-2019-12214 with this information.
>
>Best regards,
>
>Cyrille Bollu

On Saturday 13 April 2024 at 09:56 +0200, Cyrille wrote:
> I don’t know anything about your procedures, but I don’t see why we
> wouldn’t…
>
> I would also contact NIST (or whoever is in charge of the CVE
> database; I can’t remember by heart who it is) to let them know this,
> so they update the CVE’s vulnerable configurations. I’ll try to do
> that next week, but I will probably first have to find out which
> exact versions of openjpeg2 have been affected (which will probably
> be quite difficult for me)
>
> Nice week-end
>
> Cyrille
>
> > On 13 Apr 2024 at 00:22, Ola Lundqvist <ola at inguza.com> wrote:
> >
> > Hi Cyrille
> >
> > > On Fri, 12 Apr 2024 at 16:32, Cyrille Bollu <cyrille at bollu.be>
> > > wrote:
> > >
> > > Hi Ola,
> > >
> > > Thank you for your help.
> > >
> > > So, IIUC:
> > >
> > > > 1. CVE-2019-12214 shouldn't be assigned to freeimage in Debian Buster;
> > > > 2. CVE-2019-12214 might be assigned to source package openjpeg2 or
> > > > openjpeg (the latter doesn't seem to be available in Buster though)
> >
> > Yes, potentially so. At least if I understand the email from
> > Santiago correctly.
> >
> > freeimage build depends on libopenjp2-7-dev which is built from
> > openjpeg2 so in buster it is openjpeg2 where it should belong.
> >
> > But I do not know whether we typically re-assign things like this or
> > not so I do not want to give advice for this. Better if someone else
> > who knows the practice answers this.
> >
> > // Ola
> >
> > --
> > --- Inguza Technology AB --- MSc in Information Technology ----
> > |  ola at inguza.com                    opal at debian.org            |
> > |  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
> > ---------------------------------------------------------------
>


-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
|  ola at inguza.com                    opal at debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------


