[Git][security-tracker-team/security-tracker][master] Revert "CVE-2019-12214 update for openjpeg and freeimage"

Salvatore Bonaccorso (@carnil) carnil at debian.org
Sun Apr 14 13:03:42 BST 2024



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
dd2656be by Salvatore Bonaccorso at 2024-04-14T14:02:06+02:00
Revert "CVE-2019-12214 update for openjpeg and freeimage"

This reverts commit 08bd7be3935f565a9252bc5f9581885b405cc758.

This needs a proper commit if something is in openjpeg.

But the main reason for this revert is unclear tracking of the fixed
version with mixup of buster only entry for buster for openjpeg.

I might go later through the mail exchange to see what actually needs to
be done.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -347217,17 +347217,13 @@ CVE-2019-12214 (In FreeImage 3.18.0, an out-of-bounds access occurs because of m
 	- freeimage <unfixed> (bug #947478)
 	[bookworm] - freeimage <postponed> (Revisit when upstream fixes are available)
 	[bullseye] - freeimage <postponed> (Revisit when upstream fixes are available)
-	[buster] - freeimage <not-affected> (Do not include openjpeg copy since 3.10.0-3)
-	[buster] - openjpeg2 2.1.0-1
+	[buster] - freeimage <postponed> (Revisit when upstream fixes are available)
 	[stretch] - freeimage <postponed> (Revisit when upstream fixes are available)
 	[jessie] - freeimage <postponed> (Revisit when upstream fixes are available)
 	NOTE: https://sourceforge.net/p/freeimage/discussion/36111/thread/e06734bed5/
 	NOTE: very few information regarding this vulnerability, which is seemingly located
 	NOTE: in libopenjpeg, not freeimage. Without reproducer or stacktrace, this is
 	NOTE: nearly unfixable.
-	NOTE: Turned out that the issue is not in freeimage at all, but rather in openjpeg.
-	NOTE: For more information see https://lists.debian.org/debian-lts/2024/04/msg00058.html
-	NOTE: and more specifically https://lists.debian.org/debian-lts/2024/04/msg00081.html
 CVE-2019-12213 (When FreeImage 3.18.0 reads a special TIFF file, the TIFFReadDirectory ...)
 	{DSA-4593-1 DLA-2031-1}
 	- freeimage 3.18.0+ds2-3 (bug #929597)
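
Review bot: The revert also drops the three NOTE lines that carried the debian-lts references (msg00058 and msg00081), although the commit message names the unclear fixed-version tracking of `[buster] - openjpeg2 2.1.0-1` as the main reason. Consider keeping the two list URLs as a neutral NOTE, without the "Turned out that the issue is not in freeimage at all" conclusion, so the planned follow-up has the references next to the remaining NOTE about libopenjpeg. If openjpeg2 is tracked here later, the entry should come with an unsuffixed `- openjpeg2` line, since the removed one existed only for `[buster]`.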



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dd2656be1f868274d60b1f38aa7a884e3c8123f2
