[Git][security-tracker-team/security-tracker][master] freeimage/jessie: postpone CVE-2019-1221{4, 2}

Hugo Lefeuvre hle at debian.org
Mon Dec 16 12:49:10 GMT 2019



Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker


Commits:
3020fa4d by Hugo Lefeuvre at 2019-12-16T12:45:30Z
freeimage/jessie: postpone CVE-2019-1221{4, 2}

CVE-2019-12214: without any more information, fixing or even
reproducing this is going to require an insane amount of work.

CVE-2019-12212: this is a crasher, at most. We can wait for upstream
fixes.

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -29225,7 +29225,11 @@ CVE-2019-12214 (In FreeImage 3.18.0, an out-of-bounds access occurs because of m
 	- freeimage <unfixed> (bug #929597)
 	[buster] - freeimage <postponed> (Revisit when upstream fixes are available)
 	[stretch] - freeimage <postponed> (Revisit when upstream fixes are available)
+	[jessie] - freeimage <postponed> (Revisit when upstream fixes are available)
 	NOTE: https://sourceforge.net/p/freeimage/discussion/36111/thread/e06734bed5/
+	NOTE: very few information regarding this vulnerability, which is seemingly located
+	NOTE: in libopenjpeg, not freeimage. Without reproducer or stacktrace, this is
+	NOTE: nearly unfixable.
 CVE-2019-12213 (When FreeImage 3.18.0 reads a special TIFF file, the TIFFReadDirectory ...)
 	{DLA-2031-1}
 	- freeimage <unfixed> (bug #929597)
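Review bot: the added NOTE lines say the flaw is seemingly located in libopenjpeg, not freeimage, yet the entry still lists only freeimage package lines; if that assessment holds, consider adding a NOTE or package line pointing at the openjpeg source package so the issue is also triaged there. The postponed reason on the new [jessie] line, "Revisit when upstream fixes are available", does not reflect the blocker the notes describe (no reproducer or stack trace), and "very few information" should read "very little information".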
@@ -29237,6 +29241,7 @@ CVE-2019-12212 (When FreeImage 3.18.0 reads a special JXR file, the StreamCalcIF
 	- freeimage <unfixed> (bug #929597)
 	[buster] - freeimage <postponed> (Revisit when upstream fixes are available)
 	[stretch] - freeimage <postponed> (Revisit when upstream fixes are available)
+	[jessie] - freeimage <postponed> (Revisit when upstream fixes are available)
 	NOTE: https://sourceforge.net/p/freeimage/discussion/36111/thread/e06734bed5/
 CVE-2019-12211 (When FreeImage 3.18.0 reads a tiff file, it will be handed to the Load ...)
 	{DLA-2031-1}
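Review bot: the new [jessie] line for CVE-2019-12212 comes with no NOTE recording the triage rationale; the commit message calls this "a crasher, at most", but nothing in data/CVE/list says so, unlike the CVE-2019-12214 entry above. Suggest adding a one-line NOTE with the impact assessment so the reason for postponing is visible in the tracker itself.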


=====================================
data/dla-needed.txt
=====================================
@@ -16,14 +16,10 @@ ansible
   NOTE: CVE-2019-14858's upstream patch is too big; fails to work properly. (utkarsh2102)
 --
 clamav (Hugo Lefeuvre)
-  NOTE: waiting for 0.102.1 to enter stretch/buster.
+  NOTE: 20191216: waiting for 0.102.1 to enter stretch/buster.
 --
 cups (Thorsten Alteholz)
 --
-freeimage (Hugo Lefeuvre)
-  NOTE: 20191210: already released DLA-2031-1, still working on CVE-2019-12214 and CVE-2019-12212.
-  NOTE: CVE-2019-12214: fuzzed with an ancient version of openjpeg, needs more investigation
---
 git (Roberto C. Sánchez)
 --
 ibus
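Review bot: the date prefix added to the clamav NOTE is unrelated to the freeimage postponement named in the commit subject and would be cleaner as its own commit. In the removed freeimage block, the observation "fuzzed with an ancient version of openjpeg, needs more investigation" disappears from dla-needed.txt; worth confirming that detail is preserved in the CVE-2019-12214 notes before deleting it here.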



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3020fa4d8e85ab7ba7ca2fd670ccd4e223c90b9f
